Using a proxy to handle all requests is not that simple. You need both
consumer and access secrets to sign the request.

http://groups.google.co.in/group/twitter-development-talk/browse_thread/thread/a195ea9b9952e297/851d9b34ecc9126f?q=#851d9b34ecc9126f

You have to handle the burden of securely mapping user request from your
desktop app to get his access token with in the proxy.
I would rather prefer distributing them either as obfuscated or through
secure proxy (just to fetch consumer key/secret once). None of them is 100%
safe but it is slightly better than simply giving away your keys in plain
text.

On Sun, Jan 31, 2010 at 8:07 AM, ShellEx Well <5h3l...@gmail.com> wrote:

> I have considered this matter. But to use a proxy handle all request
> is not my intention... I will go to write a online version if i have
> to do that :D.
>
> What I want to know is that: in my distributed version, should I
> include the key/secret in the config file(or hardcode in source, it
> doesn't matter)?
>
> On Jan 31, 8:42 am, Josh Roesslein <jroessl...@gmail.com> wrote:
> > I suppose the only other way to make the UX good and to keep the consumer
> secret
> > absolutely hidden is to proxy all requests through a hosted server.
> > This does come as a cost
> > of having to pay for a server to perform the proxy work. But it's
> > really the only option
> > at the moment I can think of that's 100% safe.
> >
> > Josh
> >
> >
> >
> > On Sat, Jan 30, 2010 at 6:35 PM, funkatron <funkat...@gmail.com> wrote:
> > > Not to be a complete pill, but that is a terrible, terrible initial
> > > experience for the average desktop app user. There is no way I would
> > > or could reasonably ask one of my users to register an app themselves,
> > > then fill in obscure hashes.
> >
> > > The OAuth secret is simply impossible to use securely with open
> > > source, end-user-oriented applications. My only option with Spaz, when
> > > Twitter decides to take away basic auth, is to pray someone doesn't
> > > decide to steal my "secret" hash.
> >
> > > Compiling does make getting the key more difficult, but assuming that
> > > desktop apps are compiled isn't a good idea -- Spaz isn't, for
> > > example. I could obscure the code for the end user, I suppose, but
> > > doing so seems contrary to open source philosophy, and probably just
> > > presents a challenge.
> >
> > > OAuth as-is just wasn't designed for desktop apps, period. Square peg,
> > > round hole. If Twitter is insisting on it, I'd rather this was
> > > portrayed as a trade-off for increased user security, than a solvable
> > > problem -- I don't think it is.
> >
> > > On Jan 30, 2:22 pm, Raffi Krikorian <ra...@twitter.com> wrote:
> > >> what i would do is just make it clear to people who are using your
> open
> > >> source client that they need to register their downloaded application
> with
> > >> Twitter -- send them tohttp://twitter.com/apps/new, instruct them to
> fill
> > >> out the form, and build a simple "wizard" that they can cut and paste
> the
> > >> consumer token and secret into.
> >
> > >> On Sat, Jan 30, 2010 at 12:29 AM, ShellEx Well <5h3l...@gmail.com>
> wrote:
> > >> > Some project (like dabr) put key and secret in config files.
> > >> > But I think it really suck for users who want to use my client with
> > >> > OAuth. Because they have to get a pair of key/secret and do
> configure
> > >> > themselves, and the this is not convenience for users.
> >
> > >> > So I doubt that is it a good way to use OAuth in Desktop Client.
> >
> > >> > On Jan 30, 1:35 am, Raffi Krikorian <ra...@twitter.com> wrote:
> > >> > > the leak of a consumer secret will not result in the compromising
> of user
> > >> > > accounts (the consumer secret is needed to get user secrets, but
> to get
> > >> > user
> > >> > > secrets require the user's intervention).
> >
> > >> > > however - do not put the consumer key and secret in the source of
> your
> > >> > code
> > >> > > and distribute it.  instead, make it possible for your source to
> read the
> > >> > > consumer key and secret from a configuration, and distribute, with
> your
> > >> > > source code, a sample configuration file or a README that details
> how to
> > >> > > create one.
> >
> > >> > > hope that helps.
> >
> > >> > > On Fri, Jan 29, 2010 at 7:57 AM, ShellEx Well <5h3l...@gmail.com>
> wrote:
> > >> > > > if a twitter App's Consumer key and secret were leak out, is it
> > >> > > > possible to gain a user's access token without a  user
> authentication
> > >> > > > process ?
> >
> > >> > > > I am writing a opensource desktop client and has implemented
> OAuth for
> > >> > > > it. However, I don't know is it suitable to put my key and
> secret in
> > >> > > > the source? Are there any risks if i do that?
> >
> > >> > > > Thx :)
> >
> > >> > > --
> > >> > > Raffi Krikorian
> > >> > > Twitter Platform Teamhttp://twitter.com/raffi
> >
> > >> --
> > >> Raffi Krikorian
> > >> Twitter Platform Teamhttp://twitter.com/raffi
>

Reply via email to