On Aug 17, 4:55 pm, Chris Babcock <cbabc...@kolonelpanic.org> wrote:
> Silly me. I thought someone was talking about distributing source code.
> Building an enduser distribution is somewhat to entirely different.

That's what I was getting at when I said "a desktop or mobile device
application - open source or closed". I think you're seeing the same
challenge now that many of the rest of us are. Distributing an OSS
server-side app is a cinch; as you said, you put "Go get yourself some
Twitter OAuth credentials" in the README for developers who are using
your code as the basis for their app. The hard part is distributing an
end-user ready desktop app.

OAuth's out-of-band auth flow is intended to solve this for
non-browser based applications, but I think how the developer of such an
app protects their client credentials was sort of "left as an exercise
for the reader". The trouble is, it's pretty much impossible. The
problem we were left to solve appears unsolvable.

This means someone has to go back to the drawing board. This is a
really big, fatal flaw in OAuth that's going to have to be fixed
somehow.
