If every person that uses an app accesses the API with their own personal app 
credentials that would mean the app would appear to Twitter as hundreds, or 
potentially thousands, of individual applications.

One goal of application registration is to control application privileges en 
masse.  So that when malware is found its privileges can be revoked quickly.  
Or even in the more banal case: an app doing something taxing to the API. The 
privileges could be revoked/modified until the problem was fixed and then 
reenabled -- all while the users are blissfully unaware.

If each person who uses an app registers it themselves then Twitter no longer 
has the ability to monitor the app as a whole, essentially crippling one of 
OAuth's most compelling reasons for being.


isaiah
http://twitter.com/isaiah

On Jan 18, 2010, at 9:58 AM, ryan alford wrote:

> You are reading it correctly.
> 
> You do not want to give out your Consumer Key or Consumer Secret.  If 
> somebody downloads the source of your application, they are most likely going 
> to be using it in their own application.  Therefore, they need their own 
> Consumer Key and Consumer Secret.
> 
> Ryan
> 
> On Mon, Jan 18, 2010 at 12:56 PM, Isaiah <supp...@yourhead.com> wrote:
> 
> So you're saying that each individual end-user of the open source app would 
> register with Twitter for separate Twitter Application credentials, add those 
> credentials to the app, and then recompile the application?
> 
> Or did I read that incorrectly?
> 
> Isaiah
> 
> YourHead Software
> supp...@yourhead.com
> http://www.yourhead.com
> 
> 
> 
> On Jan 18, 2010, at 9:46 AM, Raffi Krikorian wrote:
> 
>> that's precisely what i would do - author your code to read from a 
>> configuration file that contains the keys.  don't distribute that 
>> configuration file, but, instead, distribute a README or an example 
>> configuration file that the end user would fill in.
>> 
>> On Mon, Jan 18, 2010 at 9:43 AM, John Meyer <john.l.me...@gmail.com> wrote:
>> On 1/18/2010 1:19 AM, Ryan McCue wrote:
>> Hey guys,
>> 
>> I'm looking to integrate Twitter posting into an application I'm
>> developing. The catch to this is that because it's open source, and
>> programmed in PHP, I'd have to distribute the secret key with it.
>> 
>> What's the best way to go about this? I've fallen back onto the
>> ordinary basic auth API for now.
>> 
>> Thanks,
>> Ryan.
>> 
>> 
>> Technically, you don't.  All open source requires is that you distribute the 
>> source code, not the individual data.  So you could specify that the secret 
>> key is in a particular file and then other users could insert their own 
>> secret key.
>> 
>> 
>> 
>> 
>> -- 
>> Raffi Krikorian
>> Twitter Platform Team
>> http://twitter.com/raffi
> 
> 
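
The configuration-file approach suggested in the thread, as an added example that is not part of the original messages or any poster's code. The file names (twitter.ini, twitter.ini.example), the INI key names, and the placeholder prefix are assumptions; the idea is that only the example file with placeholder values ships with the source.

```php
<?php
// Added example: load OAuth consumer credentials from a local file that is
// never distributed with the source. File and key names are assumptions.

// Prefix of the dummy values in the distributed twitter.ini.example (assumed).
const PLACEHOLDER_PREFIX = 'YOUR_CONSUMER_';

function load_consumer_credentials(string $path): array
{
    if (!is_file($path) || !is_readable($path)) {
        throw new RuntimeException(
            "Missing $path: copy twitter.ini.example to it and fill in your own keys."
        );
    }

    // On POSIX systems, refuse a secrets file that any other local user can access.
    if (DIRECTORY_SEPARATOR === '/' && (fileperms($path) & 0007) !== 0) {
        throw new RuntimeException("$path is world-accessible; run chmod 600 on it.");
    }

    // RAW mode keeps the values exactly as written (no type or constant expansion).
    $config = parse_ini_file($path, false, INI_SCANNER_RAW);
    if ($config === false) {
        throw new RuntimeException("$path is not valid INI.");
    }

    $creds = [];
    foreach (['consumer_key', 'consumer_secret'] as $name) {
        $value = trim($config[$name] ?? '');
        // Fail closed on empty values and on placeholders left from the example file.
        if ($value === '' || strpos($value, PLACEHOLDER_PREFIX) === 0) {
            throw new RuntimeException("$name in $path has not been filled in.");
        }
        $creds[$name] = $value;
    }
    return $creds;
}

// Constructed demo: a temporary file stands in for the user's private twitter.ini.
$path = tempnam(sys_get_temp_dir(), 'twitter');
file_put_contents($path, "consumer_key = demo-key-123\nconsumer_secret = demo-secret-456\n");
chmod($path, 0600);
$creds = load_consumer_credentials($path);
echo "Loaded consumer key: {$creds['consumer_key']}\n"; // never print or log the secret
unlink($path);
```

Keeping the real twitter.ini outside the web root and out of version control prevents it from being served or committed by accident.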
