You're right in theory that requests after the initial authentication
step should not really need the app's credentials, a single
authentication token & secret ought to suffice and the service
(twitter) should remember which app each token came from.  But shrug,
that's just not the way OAuth works.  It's not twitter's fault, they
are just following the spec.  I can't even say it's particularly
unreasonable - flickr's similar three-party authentication protocol
is much simpler than OAuth but it still uses the app key on every
request.

As for embedding the app secret in desktop and mobile executables and
trusting that it will be just too difficult for miscreants to extract,
I say don't do it.  The OAuth RFC says so too.  Keeping the secret in
a server-side proxy is probably the best solution.
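As an added illustration (not part of this thread), here is the OAuth 1.0 HMAC-SHA1 signing described in RFC 5849, which makes concrete why the app (consumer) secret is part of the signing key on every request, together with a minimal server-side proxy function that is the only place the secret lives. All key, secret, token and URL values are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters stay bare
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    # RFC 5849 section 3.4.1: METHOD & encoded base URL & encoded normalized params,
    # where params are encoded first and then sorted by name, then value
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    # The signing key is consumer_secret & token_secret, so the app secret is
    # needed for every signed call, not just the initial token exchange
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


# Constructed placeholders; in a deployment only the proxy host holds the secret
CONSUMER_KEY = "app-key-placeholder"
CONSUMER_SECRET = "app-secret-placeholder"


def proxy_sign(method, url, params, token, token_secret, nonce, timestamp):
    # Runs on the server-side proxy: the desktop/mobile client sends the request
    # it wants made plus its own token; the proxy adds the oauth_* protocol
    # parameters and the signature without ever releasing CONSUMER_SECRET
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": token,
        "oauth_nonce": nonce,
        "oauth_timestamp": timestamp,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_version": "1.0",
    }
    signed = {**params, **oauth}
    signed["oauth_signature"] = sign(method, url, signed, CONSUMER_SECRET, token_secret)
    return signed
```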
