Thanks Taylor.
On Aug 19, 6:38 pm, Taylor Singletary <[email protected]> wrote:
> You're correct that as long as a web browser can access your callbacks,
> everything should go smoothly.
>
> My best advice for applications like yours is not to distribute with keys.
> By default, allow only access of resources not requiring authentication.
> Provide a UI for users to enter their own application credentials and
> utilize those. I use a similar model in my OAuth Dancer application
> (http://bit.ly/oauth-dancer)
>
> You can find out more about your current options for open source and OAuth
> here: http://groups.google.com/group/twitter-development-talk/msg/b1f049a6f...
>
> Taylor
>
> On Thu, Aug 19, 2010 at 9:18 AM, BigglesZX <[email protected]> wrote:
> > Realised I may have missed the point slightly here - that callbacks
> > aren't actually a problem because it's about what the *user* can
> > access, not Twitter itself. So if the user can access the non-public
> > server, the callbacks can point there without a problem. Right? :)
> >
> > Supplementary question: am I going to run into issues with exposure of
> > my application's secret keys/tokens as a result of it being open
> > source?
> >
> > Thanks again,
> >
> > Biggs
> >
> > On Aug 19, 11:19 am, BigglesZX <[email protected]> wrote:
> > > Hi all,
> > >
> > > I'm currently writing a web app that interfaces with Twitter - I won't
> > > bore you with the details, but suffice to say that this app is
> > > designed to be installed on individual users' web servers, and uses
> > > read-only access to the Twitter API to perform a few useful functions.
> > >
> > > Up until this week I was using Basic Auth, and the time has now come
> > > for me to move the app over to OAuth. However, I'm a bit confused as
> > > to which OAuth method would be most suitable for my app.
> > >
> > > Here are a couple of constraints:
> > > 1) The app may end up being
> > > installed on a non-public-facing server, so the use of callback URLs
> > > might be a bit difficult.
> > > 2) The most straightforward flow in my mind
> > > would be if users could enter their username/password (or some other
> > > kind of auth token) in the app's config file (which suggests using
> > > xAuth to me, from a reading of the docs).
> > >
> > > The desktop Twitter clients I use seem to have no problem taking/
> > > storing a username and password and converting that into an OAuth
> > > transaction. Would they be using xAuth?
> > >
> > > Basically I'm open to advice as to which OAuth method I should be
> > > considering for this app. I want to make things as secure/
> > > straightforward as possible for the user while ensuring that the app
> > > will work in a variety of environments (including private servers that
> > > can't receive callbacks).
> > >
> > > Any thoughts or tips as to how I could achieve this would be hugely
> > > appreciated. Thanks for reading,
> > >
> > > Biggs
