On Wed, 2 Jun 2010 07:06:54 -0700 Taylor Singletary <[email protected]> wrote:
> You can either go ahead and implement the flow, protect it in your
> application such that only you have access to it, and then persist the
> access token you receive until the end of time (or whenever you
> decide to expire it, just like any other OAuth-enabled application).

How does an application expire an access token? There doesn't seem to be anything in the API about that.

The application can of course decide not to use an access token any more, but that doesn't mean the token is expired. The application/user combination can get a new access token. Does that expire the old token?

But suppose the application is finished doing some work, and doesn't want the access token to work any longer. It would be nice to explicitly say to Twitter "don't accept this token you gave me any longer". Or even "don't accept ANY token for this application/user pair until re-authorized".

This would protect against stealing of access tokens and consumer keys. For practical purposes, for standalone desktop applications, the consumer key and secret are impossible to protect. Cloning an application is thus very easy. If an intruder can then also capture an authorization token, they can post fake tweets and get the user in trouble. Or get the application blacklisted, or both. Being able to actively expire an authorization token would help protect against this.

Be safe,
Bernd

--
Bernd Stramm <[email protected]>
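An added example, not from this thread and not Twitter's API, sketching the server-side token handling Bernd is asking for: revoking a single access token, and blocking an application/user pair until the user re-authorizes. Class and method names are hypothetical; the store is in-memory for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class AccessToken:
    token: str
    consumer_key: str  # the application the token was issued to
    user: str
    revoked: bool = False


class TokenStore:
    """Hypothetical provider-side token registry with explicit revocation."""

    def __init__(self):
        self._tokens = {}          # token string -> AccessToken
        self._blocked_pairs = set()  # (consumer_key, user) awaiting re-authorization

    def issue(self, consumer_key, user):
        # A pair that was actively revoked gets no new token until re-authorized.
        if (consumer_key, user) in self._blocked_pairs:
            raise PermissionError("application/user pair requires re-authorization")
        token = secrets.token_urlsafe(24)
        # Note: issuing a new token does NOT invalidate earlier ones here;
        # that is an assumption of this sketch, not documented API behaviour.
        self._tokens[token] = AccessToken(token, consumer_key, user)
        return token

    def reauthorize(self, consumer_key, user):
        # The user completing the OAuth flow again lifts the block.
        self._blocked_pairs.discard((consumer_key, user))
        return self.issue(consumer_key, user)

    def revoke_token(self, token):
        # "Don't accept this token you gave me any longer."
        rec = self._tokens.get(token)
        if rec is not None:
            rec.revoked = True

    def revoke_pair(self, consumer_key, user):
        # "Don't accept ANY token for this application/user pair until re-authorized."
        for rec in self._tokens.values():
            if rec.consumer_key == consumer_key and rec.user == user:
                rec.revoked = True
        self._blocked_pairs.add((consumer_key, user))

    def is_valid(self, token, consumer_key):
        # Reject unknown, revoked, or tokens presented by a different consumer.
        rec = self._tokens.get(token)
        return rec is not None and not rec.revoked and rec.consumer_key == consumer_key
```

A captured token stops working the moment `revoke_token` or `revoke_pair` is called, which is the protection the message asks for against cloned applications.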
