Why not check for the presence of the keys on start-up, if they are missing 
re-direct the user (open a browser window) to the new apps page and/or a 
step-by-step guide on you site. then store the keys as normal

Sent using BlackBerry® from Orange

-----Original Message-----
From: Raffi Krikorian <ra...@twitter.com>
Date: Sat, 30 Jan 2010 11:22:13 
To: twitter-development-talk<twitter-development-talk@googlegroups.com>
Subject: Re: [twitter-dev] Re: a security problem puzzled me about using oauth 
        in Desktop Client

what i would do is just make it clear to people who are using your open
source client that they need to register their downloaded application with
Twitter -- send them to http://twitter.com/apps/new, instruct them to fill
out the form, and build a simple "wizard" that they can cut and paste the
consumer token and secret into.

On Sat, Jan 30, 2010 at 12:29 AM, ShellEx Well <5h3l...@gmail.com> wrote:

> Some project (like dabr) put key and secret in config files.
> But I think it really suck for users who want to use my client with
> OAuth. Because they have to get a pair of key/secret and do configure
> themselves, and the this is not convenience for users.
> So I doubt that is it a good way to use OAuth in Desktop Client.
> On Jan 30, 1:35 am, Raffi Krikorian <ra...@twitter.com> wrote:
> > the leak of a consumer secret will not result in the compromising of user
> > accounts (the consumer secret is needed to get user secrets, but to get
> user
> > secrets require the user's intervention).
> >
> > however - do not put the consumer key and secret in the source of your
> code
> > and distribute it.  instead, make it possible for your source to read the
> > consumer key and secret from a configuration, and distribute, with your
> > source code, a sample configuration file or a README that details how to
> > create one.
> >
> > hope that helps.
> >
> > On Fri, Jan 29, 2010 at 7:57 AM, ShellEx Well <5h3l...@gmail.com> wrote:
> > > if a twitter App's Consumer key and secret were leak out, is it
> > > possible to gain a user's access token without a  user authentication
> > > process ?
> >
> > > I am writing a opensource desktop client and has implemented OAuth for
> > > it. However, I don't know is it suitable to put my key and secret in
> > > the source? Are there any risks if i do that?
> >
> > > Thx :)
> >
> > --
> > Raffi Krikorian
> > Twitter Platform Teamhttp://twitter.com/raffi

Raffi Krikorian
Twitter Platform Team

Reply via email to