Y'all should look at what Facebook connect does:


You can keep the secret on a server, and the server acts as a proxy for the
agent. Naturally, this raises the question of how the server knows that the
agent is legit. That said, this is 'better', not 'perfect'.

With a proxy, you can implement a two-layer auth scheme, where perishable or
revocable credentials are shipped with the app (not secure). such
credentials can be invalidated at the proxy if there is a problem associated
with them. If the credentials are okay, then the proxy does the deed on
behalf of the agent.

ALL this stuff, oauth included, is not likely to be used in banking security
or by the military. but it is decent enough (at least right now) to prevent
a set of bad things from happening, most of the time. 'better' is better
than 'bad', by a long shot.

On Mon, Jan 18, 2010 at 9:51 PM, Ryan McCue <li...@rotorised.com> wrote:

> John Meyer wrote:
>> No, the point I was trying to make was that you don't HAVE to distribute
>> the key.  Nothing in the open source license requires you to give that
>> information to another person.  You can distribute it if you want to, but
>> you are perfectly free to give them the source code and tell them that if
>> they want it to work they need to go get their own consumer keypair.  In
>> short, once you are done unit testing the product you can delete out those
>> variables and tell them where to fill in their own information.  Nothing in
>> the open source license requires you to give that information anymore than
>> it requires you to publicize what the root password on your mysql database
>> server is.
> I'm aware of this, but the point is that it should actually work. This is
> made for end-users, not for developers to modify, and I'd rather not have
> everyone register separate API keys just to use it.
> --
> Ryan McCue
> <http://ryanmccue.info/>

Reply via email to