Not to be a complete pill, but that is a terrible, terrible initial
experience for the average desktop app user. There is no way I would
or could reasonably ask one of my users to register an app themselves,
then fill in obscure hashes.
The OAuth secret is simply impossible to use securely with open
source, end-user-oriented applications. My only option with Spaz, when
Twitter decides to take away basic auth, is to pray someone doesn't
decide to steal my "secret" hash.
Compiling does make getting the key more difficult, but assuming that
desktop apps are compiled isn't a good idea -- Spaz isn't, for
example. I could obscure the code for the end user, I suppose, but
doing so seems contrary to open source philosophy, and probably just
presents a challenge.
OAuth as-is just wasn't designed for desktop apps, period. Square peg,
round hole. If Twitter is insisting on it, I'd rather this was
portrayed as a trade-off for increased user security, than a solvable
problem -- I don't think it is.
On Jan 30, 2:22 pm, Raffi Krikorian <ra...@twitter.com> wrote:
> what i would do is just make it clear to people who are using your open
> source client that they need to register their downloaded application with
> Twitter -- send them tohttp://twitter.com/apps/new, instruct them to fill
> out the form, and build a simple "wizard" that they can cut and paste the
> consumer token and secret into.
> On Sat, Jan 30, 2010 at 12:29 AM, ShellEx Well <5h3l...@gmail.com> wrote:
> > Some project (like dabr) put key and secret in config files.
> > But I think it really suck for users who want to use my client with
> > OAuth. Because they have to get a pair of key/secret and do configure
> > themselves, and the this is not convenience for users.
> > So I doubt that is it a good way to use OAuth in Desktop Client.
> > On Jan 30, 1:35 am, Raffi Krikorian <ra...@twitter.com> wrote:
> > > the leak of a consumer secret will not result in the compromising of user
> > > accounts (the consumer secret is needed to get user secrets, but to get
> > user
> > > secrets require the user's intervention).
> > > however - do not put the consumer key and secret in the source of your
> > code
> > > and distribute it. instead, make it possible for your source to read the
> > > consumer key and secret from a configuration, and distribute, with your
> > > source code, a sample configuration file or a README that details how to
> > > create one.
> > > hope that helps.
> > > On Fri, Jan 29, 2010 at 7:57 AM, ShellEx Well <5h3l...@gmail.com> wrote:
> > > > if a twitter App's Consumer key and secret were leak out, is it
> > > > possible to gain a user's access token without a user authentication
> > > > process ?
> > > > I am writing a opensource desktop client and has implemented OAuth for
> > > > it. However, I don't know is it suitable to put my key and secret in
> > > > the source? Are there any risks if i do that?
> > > > Thx :)
> > > --
> > > Raffi Krikorian
> > > Twitter Platform Teamhttp://twitter.com/raffi
> Raffi Krikorian
> Twitter Platform Teamhttp://twitter.com/raffi