Thanks Jonathan, I fully agree with the article except on the point that OAuth2.0 will solve all problems. OAuth2.0 is simpler (fewer weird options), so it will solve problems with application bugs, but I fear that problems with the flow (such as phishing) could persist.
Aside from Twitter's own problems, the goal of web2py's OAuth1.0a implementation is to stick as closely as possible to the RFC, not to Twitter's. Please remember that a *web2py application package distribution must not contain secrets of any sort!* Since web2py is not a "desktop" application there is *no need to distribute secrets* to third parties. I think that web2py allowed a very simple implementation, so bugs should be kept to a minimum, and the code is less than 400 lines, so anyone can read it and find errors.

tnx
mic

2010/9/11 Jonathan Lundell <[email protected]>:
> Folks playing with Twitter OAuth might care to read this:
> http://arstechnica.com/security/guides/2010/09/twitter-a-case-study-on-how-to-do-oauth-wrong.ars/

