Ryan,

By credentials, I meant the OAuth tokens, consumer keys, etc.

Wouldn't they be visible to the browser/desktop-client? And hence, couldn't
they be copied and reused by somebody so determined?

Personally, I think the chance of this kind of attack would be rare and
limited. I just wanted to know if this is a tolerable risk to take and one
that won't cause my application to be blocked.

thanks,
Harshad

On Sat, Nov 7, 2009 at 7:00 PM, ryan alford <ryanalford...@gmail.com> wrote:

> There are no app-specific servers.  With OAuth, instead of passing user
> credentials, you use YOUR consumer key and consumer secret which identifies
> your application.
>
> You get an access token after the user has allowed your application to have
> access to their account.  You will then use that access token, your consumer
> secret, and your consumer key to make the requests to the API.
>
> Ryan
>
>
> On Sat, Nov 7, 2009 at 8:13 AM, Harshad RJ <harshad...@gmail.com> wrote:
>
>> Hi,
>>
>> I am trying to wrap my mind around OAuth, and I am not sure I understand
>> the subtleties.
>>
>> Is it possible to make OAuth authenticated requests from the browser
>> *directly* to the Twitter API? Is it a safe & recommended way?
>>
>> Or do all API requests have to go through an application-specific server,
>> to keep the credentials a secret?
>>
>> My hunch is that yes, an app-specific server would be required. But in
>> that case, how do desktop-clients manage it? Or do they also route the calls
>> through an intermediary?
>>
>> thanks in advance,
>> --
>> Harshad RJ
>> http://hrj.wikidot.com
>>
>
>


-- 
Harshad RJ
http://hrj.wikidot.com
