Is there any reason why each developer who takes the source code cant
apply for their own keys?

We did this for MyPostButler in the old version, there was a space for
each user to enter in their own consumer key/consumer secret right in
the main panel.





-----Original Message-----
[] On Behalf Of yvolk
Sent: Tuesday, May 18, 2010 4:01 AM
To: Twitter Development Talk
Subject: [twitter-dev] How do we deal with application's "Consumer
secret" in real life

I'm a member of the "AndTweet project" creating Open Source Twitter
client for Google Android  (, and
now I'm starting to implement OAuth for the AndTweet mobile
I've already registered AndTweet and got, among others, the "Consumer
key" and "Consumer secret".
According to the Twitter documentation (
auth), I should "Remember to never reveal your consumer secrets".

Please note this:
1. Our project is open, so everybody can join it and see it's source
2. As OAuth documentation states (
--- Quote start ----
However, when the Consumer is a desktop application, a mobile
application, or any other client-side software such as browser applets
(Flash, Java, Silverlight) and scripts (JavaScript), the Consumer
credentials must be included in each copy of the application. This
means the Consumer Secret (or Private Key) must be distributed with
the application, which inheritably compromises them.

This does not prevent using OAuth within such application, but it does
limit the amount of trust Service Provider can have in such public
secrets. Since the secrets cannot be trusted, Service Provider must
treat such application as unknown entities and use the Consumer
identity only for activities that do not require any level of trust,
such as collecting statistics about applications
--- Quote end ---

So, how does our development group is supposed to work with this
Can we just inject them in the source code? (In this case everybody
will know them... but as long as everybody has the Source code,
figuring out the values of the "secrets" even in compiled application
is not a problem...)
What "Consumer key" and "Consumer secret" should we use for
testing? ...

Thank you for the feedback!

Reply via email to