"Just the consumer key, or both the consumer key and consumer secret?"

Both are needed when doing OAuth.

Ryan


On Mon, Jan 18, 2010 at 2:52 PM, M. Edward (Ed) Borasky <zzn...@gmail.com> wrote:

> On Jan 18, 11:32 am, John Meyer <john.l.me...@gmail.com> wrote:
> > On 1/18/2010 12:22 PM, ryan alford wrote:
> >
> > > There is a difference between giving your application to others to
> > > install and use, and others downloading your code for their own
> > > applications.
> >
> > > If a user is installing your application to use, then your code would
> > > include your consumer key.
>
> Just the consumer key, or both the consumer key and consumer secret?
>
> >
> > > If a user is downloading your open source code to use for their own
> app,
> > > then they need to get their own consumer key to relate to their app.
> >
> > > Ryan
> >
> > An addendum.
> >
> > If you were seriously concerned about others grabbing those codes you
> > could specify that the app fetches those keys from an ftp server or some
> > sort of web service that you ran.  But I would guess that this would be
> > a bit more paranoid than what you are trying to prevent.
>
> The "paranoia" is directly from Twitter's "Security Best Practices"
> http://apiwiki.twitter.com/Security-Best-Practices:
>
> "Don't store passwords. Just store OAuth tokens. Please."
>
> "As aforementioned, for optimal security you should be using OAuth.
> But once you have a token with which to make requests on behalf of a
> user, where do you put it? Ideally, in an encrypted store managed by
> your operating system. On Mac OS X, this would be the Keychain. In the
> GNOME desktop environment, there's the Keyring. In the KDE desktop
> environment, there's KWallet."
>
> As an aside, 90% of the desktops/laptops out there run Windows. I'd
> hope that the Security Best Practices document would include a little
> more on dealing with Windows desktops than a link to the MSDN Security
> Developer Center. ;-)
>
> I think the FTP server idea is a good one - it gives me a log file of
> everyone who's obtained the consumer key and secret for Ed's Wonderful
> Desktop App, so when someone fires up a debugger, runs my app, grabs
> all the authentication codes and uses them to do a DoS attack on
> Twitter and gets my app blacklisted, I'll have a list of people for my
> attorney to call and depose. ;-)
>
> --
> M. Edward (Ed) Borasky
> http://borasky-research.net/smart-at-znmeb
>
> "A mathematician is a device for turning coffee into theorems." ~ Paul
> Erdős
>
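As an added illustration of why the answer to "just the key, or both?" is both (example code written for this page, not from the thread or from Twitter's documentation): an OAuth 1.0a request is signed with HMAC-SHA1 over a signature base string, and the signing key is the percent-encoded consumer secret joined with the token secret, so a consumer key alone can never produce a signature the provider will accept. The endpoint URL, keys and secrets are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholders; a real app would hold these in an OS keystore.
SAMPLE_URL = "https://api.example.com/1/statuses/update.json"
CONSUMER_SECRET = "consumer-secret-placeholder"
TOKEN_SECRET = "token-secret-placeholder"
SAMPLE_PARAMS = {
    "oauth_consumer_key": "ck-placeholder",
    "oauth_nonce": "abc123",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1263851520",
    "oauth_token": "at-placeholder",
    "oauth_version": "1.0",
    "status": "hello world!",
}


def pct(s: str) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0a requires: only -._~ stay unescaped."""
    return quote(s, safe="-._~")


def signature_base_string(method: str, base_url: str, params: dict) -> str:
    """METHOD & encoded base URL & encoded, sorted, '&'-joined parameter string."""
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method: str, base_url: str, params: dict,
         consumer_secret: str, token_secret: str = "") -> str:
    """The signing key is consumer_secret & token_secret; the key id alone is useless."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify(method: str, base_url: str, params: dict, signature: str,
           consumer_secret: str, token_secret: str = "") -> bool:
    """Provider-side check: recompute with the secrets on file and compare in constant time."""
    expected = sign(method, base_url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    sig = sign("POST", SAMPLE_URL, SAMPLE_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    print(signature_base_string("POST", SAMPLE_URL, SAMPLE_PARAMS))
    print("valid with both secrets:", verify("POST", SAMPLE_URL, SAMPLE_PARAMS, sig, CONSUMER_SECRET, TOKEN_SECRET))
    print("valid with wrong consumer secret:", verify("POST", SAMPLE_URL, SAMPLE_PARAMS, sig, "guess", TOKEN_SECRET))
```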
