[twitter-dev] Re: Open Source CMS Module and Consumer Secret

2010-09-01 Thread Michael Babcock
Well, as a testimony to this less than elegant solution (IMHO), I have
rolled out my app (a PHP add-on for a popular CMS) with the
customer_key and customer_secret fields blank in a settings type
control panel (db storage). I was very clear to provide a thorough
walk through of the dev.twitter.com application registration process
for my user-base. The walk through takes the site admin all the way
through initial installation, app registration, twitter account
authentication and sending their first tweet using the app. So far I
have had very few questions as to how to set up the app using the new
system. And I have had no complaints. Hurray!

On Aug 31, 2:08 am, Ken  wrote:
> oops. really, I had thought this through but got carried away with the
> 'transparent installation' idea.
>
> During the installation, the user would authenticate (via the software
> provider or directly with twitter?) - and then be delivered the
> credentials. Sorry.
>
> On Aug 31, 10:58 am, Ken  wrote:
>
>
>
> > It seems that we are talking about two categories of applications.
>
> > 1.) As in the subject of this thread, open-source CMS or other multi-
> > user, membership or blogging systems. This type of system usually has
> > some facility for the admin user/webmaster to change settings such as
> > admin email address, error messages, API keys, etc. It makes sense for
> > each deployment of such a system/module to be registered as a Twitter
> > application (even if it is not an "original" unique application) if
> > only because that way, the source or "via" tag would be a link back to
> > the individual deployment and not to the original developers of the
> > software. In these cases the person installing the system can probably
> > be counted on to have the ability and willingness to go to twitter.com
> > and register an app, following the instructions provided by the
> > software developers (you guys).
>
> > 2.) Single-user server or open-source desktop app. I don't know all
> > the details of Xauth, but it seems to involve some manual effort by
> > Twitter. So apologies up front if the following already exists, has
> > been rejected, or doesn't make sense: If the single-user server or
> > open-source desktop app has been approved by Twitter, why not build in
> > to the app a call to the Twitter API that would create and install the
> > needed credentials? The callback url would be defined by the app, the
> > other properties could be taken from the details provided by the user at
> > install time. This could even be executed transparently during the
> > installation. This new API endpoint would return something like what
> > we now get using "My Access Token."
>
> > Ken
>
> > On Aug 31, 2:30 am, John SJ Anderson  wrote:
>
> > > > I think it's far better developer/business practice to design
> > > > *proprietary* applications that are secure and register them with
> > > > Twitter using xAuth.
>
> > > As has been said time and time again, "proprietary" is not a solution
> > > for this, as any non-hosted app using OAuth can have the keys
> > > extracted from it.
>
> > > Additionally, some of us would like to write Free or Open Source
> > > applications, that people can use on their own machines, without
> > > requiring them to register as Twitter developers. It used to be
> > > possible to do this. 
>
> > > j.

-- 
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group: 
http://groups.google.com/group/twitter-development-talk?hl=en


[twitter-dev] Re: Open Source CMS Module and Consumer Secret

2010-08-30 Thread Michael Babcock
I think the issue is really that it is not a very elegant solution and
is outside the realm of a standard non-technical person's experience.
The whole idea of having the end-user register a pre-built app as
their own is cumbersome. That said, it is the only real solution to the
dilemma. It is the solution that I have chosen for my own apps.


On Aug 18, 4:22 am, Ken  wrote:
> I am new to this thread having seen it over the past few weeks and
> wondered what all the fuss was about.
>
> The solution by MindcrimeNL above seems optimal; why is it a
> workaround?
>
> Do developers not really want their users to register their own
> Twitter app? It's not exactly hard to do. You just need to tell them
> what to put for the callback URL...
>
> For opensource systems targeted at non-technical users, don't you
> provide a 'control panel' where the admin user can edit their
> preferences such as webmaster's email etc?  Just like inserting your
> Google maps API key, Adsense id, Amazon associates id, etc.
>
> For applications with a more technical installation, you'd just have
> them edit a config file.
>
> On Aug 18, 11:34 am, MindcrimeNL  wrote:
>
>
>
> > Still no solution: http://groups.google.com/group/twitter-development-talk/msg/58b4b54d4...
> > After that initial message, it is apparently still not available...
>
> > I've released my module by explaining in the readme how webmasters can
> > add their own application and obtain the consumer public and secret
> > key for their application and giving them an option to enter them in
> > the module.
> > I'm not really happy about this workaround... It just sucks...
>
> > On Aug 1, 2:19 am, Michael Babcock  wrote:
>
> > > Sorry for the confusion. I mean web application developers. There are
> > > quite a number of open-source web apps for twitter. Besides standalone
> > > apps, there are also add-ons for all the various CMS solutions out
> > > there, written in PHP, Perl, etc.
>
> > > On Jul 27, 2:02 pm, "M. Edward (Ed) Borasky" wrote:
> > > > There are plenty of open source *library* developers, and plenty of
> > > > applications that use open source libraries, but not all that many
> > > > open source full applications. The only ones I can think of at the
> > > > moment are Gwibber (Gnome), Choqok (KDE), mine (Social Media Analytics  
> > > > Research Toolkit), Spaz, get2gnow, and ttytter. IMHO Choqok and  
> > > > Gwibber are lame - I use CoTweet or Twitter.com on my desktop and  
> > > > mobile.twitter.com, Twitter, Twidroid, Seesmic, Touiteur and Peep on  
> > > > my HTC Verizon Droid Incredible.
>
> > > > The Twitter piece of Social Media Analytics Research Toolkit is at the  
> > > > moment read only, and as I noted earlier the main reason I even looked  
> > > > at oAuth was to get the 1500 (read) API calls per hour. Given the  
> > > > small number of users I have at the moment, it wouldn't be all that  
> > > > difficult to "upgrade" them to oAuth and 350 calls per hour one at a  
> > > > time by hand - all that would be required is to license that piece of  
> > > > code separately. ;-)
> > > > --
> > > > M. Edward (Ed) Borasky http://borasky-research.net http://twitter.com/znmeb
>
> > > > "A mathematician is a device for turning coffee into theorems." - Paul Erdos
>
> > > > Quoting Michael Babcock :
>
> > > > > Correct me if I am wrong, but doesn't Twitter risk losing a large
> > > > > percentage of their third party open-source developers, by not having
> > > > > a solid solution for the required OAuth security changes in time for
> > > > > the deadline?
>
> > > > > I can only guess, but, I would think that the open-source segment
> > > > > would count for quite a large number of independent developers, all
> > > > > eager to build for and promote the Twitter vision.
>
> > > > > Michael
>
> > > > > On Jul 27, 8:59 am, Taylor Singletary wrote:
> > > > >> Hi Folks,
>
> > > > >> There are a few hold ups to rolling this out more widely, the most 
> > > > >> pressing
> > > > >> being that we are currently unable to serve SSL content on
> > > > >> dev.twitter.com-- there are also better solutions than this
> > > > >> rudimentar

[twitter-dev] Re: Open-source, distributed PHP app and consumer secret

2010-08-02 Thread Michael Babcock
Hi Tom,

Thanks for the thoughts. I like your second solution: to host a tweet
service on my site ("You can use your own server as a service which
sends all requests to twitter."). I spoke with a colleague of mine
and his advice was the same. My question (concern) is doesn't this
open me up as a potential target for would-be-do-badders and create an
additional layer of potential security issues?

Michael

On Aug 1, 1:21 pm, Tom  wrote:
> I've thought about this a lot myself as well, and haven't really come
> up with a proper solution either.
>
> - You can try encoding all of your code with zend encoder and hope
> that nobody decodes it.
> - You can use your own server as a service which sends all requests to
> twitter. (This would be my solution)
> - You can simply not care at all about the keys - after all, there is
> (imo) no real threat in exposing them to customers.
> - You can let them use the new Twitter extension for open source
> twitter clients - although I am not sure whether it's ready yet.
>
> Tom
>
> On Aug 1, 1:49 am, Michael Babcock  wrote:
>
> > So, I think the solution has to be that the user downloads my app,
> > installs it on their site, then registers my app as their own app with
> > dev.twitter. After which, they will receive their own key & secret
> > pair. They will then input their key & secret pair into my app which
> > is living on their site, stored in some configuration file or database
> > settings table.
>
> > This way I don't distribute my secret. They will have to store their
> > own key & secret pair, but this wouldn't be different than a site with
> > its own proprietary solution. The only sticking point is that I will not
> > get any branding rights on their posts/tweets, as they will have
> > registered the app as their own and will be in control of the post
> > branding.
>
> > The other option is to host a tweet service somewhere in the cloud. My
> > app, installed on their site, would point to the service and they
> > would have to grant permission to the service to make the tweets to
> > their accounts. I like this second solution because it seems cleaner
> > for the end user to set up and get running. However, this would mean
> > that I would then be responsible for maintaining a service. And
> > frankly, that sounds like a drag on resources.
>
> > These two are the best solutions I can figure given the circumstances.
> > Normally, I would wait for Twitter to get this sorted, however, I
> > don't want to risk disappointing my user base when the August 16th
> > deadline rolls around.
>
> > Do these solutions sound viable or am I all wet?
>
> > Pros, cons, alternatives?
>
> > Thx.
>
> > On Jul 27, 7:18 am, Decklin Foster  wrote:
>
> > > Excerpts from Michael Babcock's message of Mon Jul 26 19:28:15 -0400 2010:
>
> > > > So, after spending the day looking through documentation,
> > > > developer's discussion and testing various OAuth code bits, it is my
> > > > understanding that there is no secure OAuth solution for open-source
> > > > PHP developers. But, the August 16th deadline is still looming.
>
> > > I am also concerned about this. Here is the response I got from support:
>
> > > "we're continuing to experiment with this feature, and have not made it
> > > available further. I apologize for the delay and inconvenience, but keep
> > > an eye on our developer talk group for future announcements."
>
> > > I have been watching this list for about a month (prior to checking with
> > > support) in case the feature is discussed here before being announced.
> > > @twitterapi, could we get some clarification on whether or not something
> > > will be ready before the August 16 deadline?


[twitter-dev] Re: Open Source CMS Module and Consumer Secret

2010-08-01 Thread Michael Babcock
Sorry for the confusion. I mean web application developers. There are
quite a number of open-source web apps for twitter. Besides standalone
apps, there are also add-ons for all the various CMS solutions out
there, written in PHP, Perl, etc.

On Jul 27, 2:02 pm, "M. Edward (Ed) Borasky"  wrote:
> There are plenty of open source *library* developers, and plenty of  
> applications that use open source libraries, but not all that many  
> open source full applications. The only ones I can think of at the  
> moment are Gwibber (Gnome), Choqok (KDE), mine (Social Media Analytics  
> Research Toolkit), Spaz, get2gnow, and ttytter. IMHO Choqok and  
> Gwibber are lame - I use CoTweet or Twitter.com on my desktop and  
> mobile.twitter.com, Twitter, Twidroid, Seesmic, Touiteur and Peep on  
> my HTC Verizon Droid Incredible.
>
> The Twitter piece of Social Media Analytics Research Toolkit is at the  
> moment read only, and as I noted earlier the main reason I even looked  
> at oAuth was to get the 1500 (read) API calls per hour. Given the  
> small number of users I have at the moment, it wouldn't be all that  
> difficult to "upgrade" them to oAuth and 350 calls per hour one at a  
> time by hand - all that would be required is to license that piece of  
> code separately. ;-)
> --
> M. Edward (Ed) Borasky http://borasky-research.net http://twitter.com/znmeb
>
> "A mathematician is a device for turning coffee into theorems." - Paul Erdos
>
> Quoting Michael Babcock :
>
> > Correct me if I am wrong, but doesn't Twitter risk losing a large
> > percentage of their third party open-source developers, by not having
> > a solid solution for the required OAuth security changes in time for
> > the deadline?
>
> > I can only guess, but, I would think that the open-source segment
> > would count for quite a large number of independent developers, all
> > eager to build for and promote the Twitter vision.
>
> > Michael
>
> > On Jul 27, 8:59 am, Taylor Singletary wrote:
> >> Hi Folks,
>
> >> There are a few hold ups to rolling this out more widely, the most pressing
> >> being that we are currently unable to serve SSL content on
> >> dev.twitter.com-- there are also better solutions than this
> >> rudimentary one that we simply
> >> can't implement yet. We're also concerned with releasing (and supporting) a
> >> solution widely that we'll soon want to deprecate.
>
> >> Taylor
>
> >> On Tue, Jul 27, 2010 at 8:53 AM, Cameron Kaiser wrote:
>
> >> > > I have the same question. I need to add Twitter OAuth to my widely
> >> > > distributed PHP based open-source CMS add-on. All the documentation
> >> > > says never ever distribute your consumer secret, which I understand
> >> > > why this would be a bad idea. Yet all of the documentation/examples I
> >> > > have found require that the consumer secret be hard-coded into the
> >> > > source.
>
> >> > > The closest thing I have found, that doesn't require the consumer
> >> > > secret embedded in the source, is a description of how it might work,
>
> >> >http://groups.google.com/group/twitter-development-talk/browse_thread...
> >> > > But, I cannot find any docs/examples where this scenario has actually
> >> > > been implemented.
>
> >> > It does exist. While I can't speak for Twitter and whatever internal issues
> >> > are slowing up its rollout, TTYtter has been a test bed for the key exchange
> >> > for some time now. Most of the users have found the process painless. You can
> >> > see how a sample workflow works in the documentation, or try it yourself. The
> >> > app itself is open Perl.
>
> >> >        http://www.floodgap.com/software/ttytter/
>
> >> > I'm sure Taylor will comment on what will be happening to roll it out to more
> >> > potential consumers.
>
> >> > -- personal: http://www.cameronkaiser.com/ --
> >> >  Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
> >> > -- People are weird. -- Law & Order SVU --


[twitter-dev] Re: Open-source, distributed PHP app and consumer secret

2010-08-01 Thread Michael Babcock
So, I think the solution has to be that the user downloads my app,
installs it on their site, then registers my app as their own app with
dev.twitter. After which, they will receive their own key & secret
pair. They will then input their key & secret pair into my app which
is living on their site, stored in some configuration file or database
settings table.

This way I don't distribute my secret. They will have to store their
own key & secret pair, but this wouldn't be different than a site with
its own proprietary solution. The only sticking point is that I will not
get any branding rights on their posts/tweets, as they will have
registered the app as their own and will be in control of the post
branding.

The other option is to host a tweet service somewhere in the cloud. My
app, installed on their site, would point to the service and they
would have to grant permission to the service to make the tweets to
their accounts. I like this second solution because it seems cleaner
for the end user to set up and get running. However, this would mean
that I would then be responsible for maintaining a service. And
frankly, that sounds like a drag on resources.

These two are the best solutions I can figure given the circumstances.
Normally, I would wait for Twitter to get this sorted, however, I
don't want to risk disappointing my user base when the August 16th
deadline rolls around.

Do these solutions sound viable or am I all wet?

Pros, cons, alternatives?

Thx.

On Jul 27, 7:18 am, Decklin Foster  wrote:
> Excerpts from Michael Babcock's message of Mon Jul 26 19:28:15 -0400 2010:
>
> > So, after spending the day looking through documentation,
> > developer's discussion and testing various OAuth code bits, it is my
> > understanding that there is no secure OAuth solution for open-source
> > PHP developers. But, the August 16th deadline is still looming.
>
> I am also concerned about this. Here is the response I got from support:
>
> "we're continuing to experiment with this feature, and have not made it
> available further. I apologize for the delay and inconvenience, but keep
> an eye on our developer talk group for future announcements."
>
> I have been watching this list for about a month (prior to checking with
> support) in case the feature is discussed here before being announced.
> @twitterapi, could we get some clarification on whether or not something
> will be ready before the August 16 deadline?
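
As an added example (not code from the thread or from any of the CMS modules discussed in it), here is the per-deployment credential model laid out in this post and reported as rolled out at the top of the thread: the shipped PHP source carries no consumer key or secret, the site admin enters the pair from their own dev.twitter.com registration into a settings table, and the module refuses to sign a request until both are present. The settings table layout, the function names and the placeholder credential values are assumptions.

```php
<?php
// Added example, not code from the thread or any CMS module it mentions.
// Per-deployment Twitter OAuth 1.0a credentials: the distributed source holds
// no consumer key/secret; the site admin enters the pair for the app *they*
// registered at dev.twitter.com into the CMS settings table. Table/column
// names, function names and the placeholder values are assumptions.
declare(strict_types=1);

// Load the admin-entered consumer key/secret. Blank or missing values mean
// "not configured yet" and abort early, so a half-configured install never
// sends a request signed with an empty secret.
function loadTwitterCredentials(PDO $db): array
{
    $stmt = $db->prepare('SELECT name, value FROM settings WHERE name IN (?, ?)');
    $stmt->execute(['consumer_key', 'consumer_secret']);
    $rows = $stmt->fetchAll(PDO::FETCH_KEY_PAIR);   // ['name' => 'value', ...]
    $key    = trim((string) ($rows['consumer_key'] ?? ''));
    $secret = trim((string) ($rows['consumer_secret'] ?? ''));
    if ($key === '' || $secret === '') {
        throw new RuntimeException('Twitter consumer key/secret not configured: '
            . 'register this site as its own app at dev.twitter.com and enter '
            . 'both values in the control panel.');
    }
    return ['key' => $key, 'secret' => $secret];
}

// OAuth 1.0a HMAC-SHA1 signature (RFC 5849 section 3.4). The signing key is
// "<consumer_secret>&<token_secret>", which is exactly why a consumer secret
// shipped inside distributed source lets anyone sign requests as that app.
function oauthSignature(string $method, string $url, array $params,
                        string $consumerSecret, string $tokenSecret): string
{
    ksort($params, SORT_STRING);
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = rawurlencode((string) $k) . '=' . rawurlencode((string) $v);
    }
    $base = strtoupper($method) . '&' . rawurlencode($url) . '&'
          . rawurlencode(implode('&', $pairs));
    $key  = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

// Constructed demo: an in-memory SQLite table stands in for the CMS settings
// store, filled the way the control panel would after the admin registers.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE settings (name TEXT PRIMARY KEY, value TEXT)');
$ins = $db->prepare('INSERT INTO settings (name, value) VALUES (?, ?)');
$ins->execute(['consumer_key', 'PLACEHOLDER_KEY_FROM_DEV_TWITTER']);
$ins->execute(['consumer_secret', 'PLACEHOLDER_SECRET_FROM_DEV_TWITTER']);
$creds = loadTwitterCredentials($db);

// The per-user access token/secret come from the one-time ALLOW step quoted
// in the thread; placeholders here. URL is the 2010-era v1 status endpoint.
$url    = 'https://api.twitter.com/1/statuses/update.json';
$params = [
    'oauth_consumer_key'     => $creds['key'],
    'oauth_nonce'            => bin2hex(random_bytes(16)),
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => (string) time(),
    'oauth_token'            => 'PLACEHOLDER_ACCESS_TOKEN',
    'oauth_version'          => '1.0',
    'status'                 => 'First tweet from a per-site registered app',
];
$params['oauth_signature'] = oauthSignature('POST', $url, $params,
    $creds['secret'], 'PLACEHOLDER_ACCESS_TOKEN_SECRET');
echo "Signed with this site's own registration; no secret in the shipped source.\n";
```

The same loader can back the "is it configured yet?" check in the control panel, so an admin who skipped the registration walk-through sees the instruction rather than a failed tweet.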


[twitter-dev] Re: Open Source CMS Module and Consumer Secret

2010-07-27 Thread Michael Babcock
Correct me if I am wrong, but doesn't Twitter risk losing a large
percentage of their third party open-source developers, by not having
a solid solution for the required OAuth security changes in time for
the deadline?

I can only guess, but, I would think that the open-source segment
would count for quite a large number of independent developers, all
eager to build for and promote the Twitter vision.

Michael

On Jul 27, 8:59 am, Taylor Singletary wrote:
> Hi Folks,
>
> There are a few hold ups to rolling this out more widely, the most pressing
> being that we are currently unable to serve SSL content on
> dev.twitter.com-- there are also better solutions than this
> rudimentary one that we simply
> can't implement yet. We're also concerned with releasing (and supporting) a
> solution widely that we'll soon want to deprecate.
>
> Taylor
>
> On Tue, Jul 27, 2010 at 8:53 AM, Cameron Kaiser wrote:
>
>
>
> > > I have the same question. I need to add Twitter OAuth to my widely
> > > distributed PHP based open-source CMS add-on. All the documentation
> > > says never ever distribute your consumer secret, which I understand
> > > why this would be a bad idea. Yet all of the documentation/examples I
> > > have found require that the consumer secret be hard-coded into the
> > > source.
>
> > > The closest thing I have found, that doesn't require the consumer
> > > secret embedded in the source, is a description of how it might work,
>
> >http://groups.google.com/group/twitter-development-talk/browse_thread...
> > > But, I cannot find any docs/examples where this scenario has actually
> > > been implemented.
>
> > It does exist. While I can't speak for Twitter and whatever internal issues
> > are slowing up its rollout, TTYtter has been a test bed for the key exchange
> > for some time now. Most of the users have found the process painless. You can
> > see how a sample workflow works in the documentation, or try it yourself. The
> > app itself is open Perl.
>
> >        http://www.floodgap.com/software/ttytter/
>
> > I'm sure Taylor will comment on what will be happening to roll it out to more
> > potential consumers.
>
> > -- personal: http://www.cameronkaiser.com/ --
> >  Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
> > -- People are weird. -- Law & Order SVU --


[twitter-dev] Open-source, distributed PHP app and consumer secret

2010-07-27 Thread Michael Babcock
So, after spending the day looking through documentation,
developer's discussion and testing various OAuth code bits, it is my
understanding that there is no secure OAuth solution for open-source
PHP developers. But, the August 16th deadline is still looming. And I
have to be able to integrate, test, and distribute my app, with enough
time left over for my user base to upgrade their sites with the new
OAuth version.

So, my intention then is to integrate my app with the well documented
PHP solutions for integration, which all use the consumer key and
secret openly in the source code. This means that anyone who would
like my app's consumer secret (or would like to build an app that
masquerades as my app) will be able to download my app, read through
the source code, and easily copy and paste the consumer secret out of
the source code.

This doesn't seem very secure or secret to me.

Am I missing something??


[twitter-dev] Re: Open Source CMS Module and Consumer Secret

2010-07-27 Thread Michael Babcock
I have the same question. I need to add Twitter OAuth to my widely
distributed PHP based open-source CMS add-on. All the documentation
says never ever distribute your consumer secret, which I understand
why this would be a bad idea. Yet all of the documentation/examples I
have found require that the consumer secret be hard-coded into the
source.

The closest thing I have found, that doesn't require the consumer
secret embedded in the source, is a description of how it might work,
http://groups.google.com/group/twitter-development-talk/browse_thread/thread/c18ade9d86c8b239
But, I cannot find any docs/examples where this scenario has actually
been implemented.

On Jul 23, 6:06 am, MindcrimeNL  wrote:
> I'm sorry if this has been asked before:
>
> I've written a twitter module for ClanSphere Clan CMS and I'm now
> converting it to use OAuth.
> I finally got it working, but I have a question about the ConsumerSecret.
>
> I registered the application under my twitter account and obtained
> a ConsumerKey and ConsumerSecret.
>
> The module is (will be) publicly available for download and webmasters
> just have to install the module in their own ClanSphere Clan CMS to be
> able to use it and make it possible for all users on their website to
> post tweets via that module.
>
> But, to prevent the hassle of all these webmasters, so that they do not
> need to register an application on their own and install their own
> ConsumerKey and ConsumerSecret: how do I make it possible that everyone
> can make use of my registered application? As I understand from the
> name, the ConsumerSecret is "secret", so I should not distribute it
> to the community...
>
> Every user should (as access tokens currently don't expire) only need
> to allow my application once, in order to be able to use the
> twitter module:
> "An application would like to connect to your account
> The application ClanSphere Module by Mindcrime, Geh aB Clan would like
> the ability to access and update your data on Twitter. Not using
> Twitter? Sign up and Join the Conversation!
>
> ALLOW | DENY"
>
> Sorry, but a lot of the webmasters, using CMS systems, don't know
> anything about code/PHP and are just capable of uploading some
> files... I would not like to think that I have to explain to them how
> to register the application in Twitter and change the code in the
> correct place...
>
> How can anyone make a public module that way?
>
> Thanks for the help...