Not to be a complete pill, but that is a terrible, terrible initial experience for the average desktop app user. There is no way I would or could reasonably ask one of my users to register an app themselves, then fill in obscure hashes.
The OAuth secret is simply impossible to use securely with open source, end-user-oriented applications. My only option with Spaz, when Twitter decides to take away basic auth, is to pray someone doesn't decide to steal my "secret" hash. Compiling does make getting the key more difficult, but assuming that desktop apps are compiled isn't a good idea -- Spaz isn't, for example. I could obscure the code for the end user, I suppose, but doing so seems contrary to open source philosophy, and probably just presents a challenge. OAuth as-is just wasn't designed for desktop apps, period. Square peg, round hole. If Twitter is insisting on it, I'd rather this was portrayed as a trade-off for increased user security than as a solvable problem -- I don't think it is.

On Jan 30, 2:22 pm, Raffi Krikorian <ra...@twitter.com> wrote:
> what i would do is just make it clear to people who are using your open
> source client that they need to register their downloaded application with
> Twitter -- send them to http://twitter.com/apps/new, instruct them to fill
> out the form, and build a simple "wizard" that they can cut and paste the
> consumer token and secret into.
>
> On Sat, Jan 30, 2010 at 12:29 AM, ShellEx Well <5h3l...@gmail.com> wrote:
> > Some projects (like dabr) put the key and secret in config files.
> > But I think it really sucks for users who want to use my client with
> > OAuth, because they have to get a key/secret pair and configure it
> > themselves, and this is not convenient for users.
> >
> > So I doubt that it is a good way to use OAuth in a desktop client.
> >
> > On Jan 30, 1:35 am, Raffi Krikorian <ra...@twitter.com> wrote:
> > > the leak of a consumer secret will not result in the compromising of user
> > > accounts (the consumer secret is needed to get user secrets, but getting
> > > user secrets requires the user's intervention).
> > >
> > > however - do not put the consumer key and secret in the source of your
> > > code and distribute it. instead, make it possible for your source to read
> > > the consumer key and secret from a configuration, and distribute, with
> > > your source code, a sample configuration file or a README that details
> > > how to create one.
> > >
> > > hope that helps.
> > >
> > > On Fri, Jan 29, 2010 at 7:57 AM, ShellEx Well <5h3l...@gmail.com> wrote:
> > > > If a Twitter app's consumer key and secret were leaked, is it
> > > > possible to gain a user's access token without a user authentication
> > > > process?
> > > >
> > > > I am writing an open-source desktop client and have implemented OAuth
> > > > for it. However, I don't know if it is suitable to put my key and
> > > > secret in the source. Are there any risks if I do that?
> > > >
> > > > Thx :)
> > >
> > > --
> > > Raffi Krikorian
> > > Twitter Platform Team
> > > http://twitter.com/raffi
>
> --
> Raffi Krikorian
> Twitter Platform Team
> http://twitter.com/raffi
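As an added example, not code from this thread, from Spaz or from Twitter, here is one way to implement the configuration-file approach Raffi describes: the client reads its consumer key and secret from a per-user config file instead of its source tree, ships a sample config with obvious placeholder values, refuses to start while those placeholders are still in place, and offers a small cut-and-paste wizard that stores the values the user obtains after registering their own copy at http://twitter.com/apps/new. The config location, the `[oauth]` section and the key names are assumptions of this example.

```python
"""Load a Twitter OAuth consumer key/secret from a per-user config file
rather than from the client's source code.

Added example; the file location, section and key names are assumptions,
not anything the client or Twitter prescribes.
"""
import configparser
import os
import stat
from pathlib import Path

SECTION = "oauth"  # assumed section name
PLACEHOLDERS = {"", "YOUR_CONSUMER_KEY", "YOUR_CONSUMER_SECRET"}

# Sample config shipped with the source instead of real credentials.
SAMPLE_CONFIG = """\
# Register your own copy of the client at http://twitter.com/apps/new
# and paste the values here (or run the setup wizard).
[oauth]
consumer_key = YOUR_CONSUMER_KEY
consumer_secret = YOUR_CONSUMER_SECRET
"""


class ConsumerConfigError(Exception):
    """Raised when the config is missing or still holds sample values."""


def load_consumer_credentials(path):
    """Return (consumer_key, consumer_secret) read from the INI file at `path`.

    A copied sample file fails loudly here instead of producing confusing
    OAuth errors later in the sign-in flow.
    """
    path = Path(path)
    if not path.is_file():
        raise ConsumerConfigError(
            f"{path} not found; copy the sample config or run the wizard")
    parser = configparser.ConfigParser()
    parser.read(path, encoding="utf-8")
    if not parser.has_section(SECTION):
        raise ConsumerConfigError(f"{path} has no [{SECTION}] section")
    key = parser.get(SECTION, "consumer_key", fallback="").strip()
    secret = parser.get(SECTION, "consumer_secret", fallback="").strip()
    if key in PLACEHOLDERS or secret in PLACEHOLDERS:
        raise ConsumerConfigError(
            f"{path} still contains sample values; register the app first")
    return key, secret


def write_consumer_credentials(path, key, secret):
    """Store the user's own key/secret at `path`, readable only by the owner.

    The secret belongs to the user's registered copy of the client, so it
    stays out of the source tree and out of world-readable files.
    """
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    parser = configparser.ConfigParser()
    parser[SECTION] = {"consumer_key": key, "consumer_secret": secret}
    # Create (or truncate) the file with mode 0600 before writing any content.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC,
                 stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        parser.write(fh)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # tighten a pre-existing file too
    return path


def setup_wizard(path, prompt=input):
    """Minimal cut-and-paste wizard: ask for the values Twitter shows after
    registration and store them. `prompt` is injectable so the flow can be
    exercised without a terminal."""
    print("Register your copy of this client at http://twitter.com/apps/new,")
    print("then paste the consumer key and secret from that page.")
    key = prompt("Consumer key: ").strip()
    secret = prompt("Consumer secret: ").strip()
    if key in PLACEHOLDERS or secret in PLACEHOLDERS:
        raise ConsumerConfigError("consumer key and secret are both required")
    return write_consumer_credentials(path, key, secret)


if __name__ == "__main__":
    cfg = Path.home() / ".twitter-client" / "oauth.ini"  # assumed location
    try:
        print(load_consumer_credentials(cfg))
    except ConsumerConfigError as exc:
        print(exc)
        setup_wizard(cfg)
        print(load_consumer_credentials(cfg))
```

The sample file is what goes into the repository; the populated file lives in the user's home directory with owner-only permissions, so nothing in the distributed source carries a usable secret, which is the property the advice above is after.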