> OAuth is a web authentication protocol. It was not designed to
> authenticate desktop and mobile apps, and should not be used for that.

I have to disagree. I can't think of a single protocol that allows the identification of applications without the possibility of leaking keys - if you have to use a key, it can be stolen, and if you don't have to use a key, you can't identify (or anyone can).

If you use some kind of server-side proxy, you still have the same issue, because you also have to identify your application to your own server - which anyone can do, no matter how good the encryption is.

Tom

On Aug 9, 4:50 am, Jef Poskanzer <jef.poskan...@gmail.com> wrote:
> On Aug 7, 10:52 am, "@epc" <epcoste...@gmail.com> wrote:
>
> > What's the approved open source solution to this problem?
>
> You don't have to make it a full-fledged web app as Ed Borasky says.
> You can also use a server-side proxy that holds your API key&secret
> and signs API calls. Of course this means all of your application's
> traffic will funnel through your server instead of going direct to
> twitter, which is obviously not good.
>
> And I'll also repeat what Julio Biason said, that this is not actually
> an open source vs. closed source issue. Closed source desktop &
> mobile applications also have their app key&secret built into the
> app. Anyone with a debugger can extract them.
>
> OAuth is a web authentication protocol. It was not designed to
> authenticate desktop and mobile apps, and should not be used for that.
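
Added example, not part of the original thread: the signing step of the server-side proxy Jef describes, written in Python with OAuth 1.0 HMAC-SHA1 signing as specified in RFC 5849. The credentials, the api.example.test URL and all function names are constructed for illustration; proxy_sign() receives nothing that identifies which program is calling it, which is the limitation Tom raises.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder credentials; in this design they exist only on the proxy host.
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"

def pct(value):
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Encode and sort the parameters, join them, then encode the three parts.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def hmac_sha1_signature(method, url, params, token_secret):
    # The HMAC key is "consumer secret & token secret"; the client never sees the first half.
    key = f"{pct(CONSUMER_SECRET)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def proxy_sign(method, url, api_params, token, token_secret, nonce, timestamp):
    """Build the Authorization header for whatever request reaches the proxy.

    No argument identifies the calling program: the genuine app and any
    other client that can reach the proxy receive the same valid header.
    """
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    # The signature covers the API parameters and the OAuth parameters together.
    signed = {**api_params, **oauth}
    oauth["oauth_signature"] = hmac_sha1_signature(method, url, signed, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
```

The consumer secret never appears in the header the proxy returns, so it cannot be pulled out of the shipped app with a debugger, but the proxy endpoint itself now needs its own access control and rate limiting.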