Re: [twitter-dev] Using OAuth keys in an open source application
Y'all should look at what Facebook connect does: http://wiki.developers.facebook.com/index.php/Session_Proxy

You can keep the secret on a server, and the server acts as a proxy for the agent. Naturally, this raises the question of how the server knows that the agent is legit. That said, this is 'better', not 'perfect'.

With a proxy, you can implement a two-layer auth scheme, where perishable or revocable credentials are shipped with the app (not secure). Such credentials can be invalidated at the proxy if there is a problem associated with them. If the credentials are okay, then the proxy does the deed on behalf of the agent.

ALL this stuff, OAuth included, is not likely to be used in banking security or by the military. But it is decent enough (at least right now) to prevent a set of bad things from happening, most of the time. 'better' is better than 'bad', by a long shot.

On Mon, Jan 18, 2010 at 9:51 PM, Ryan McCue li...@rotorised.com wrote:
> John Meyer wrote:
>> No, the point I was trying to make was that you don't HAVE to distribute the key. Nothing in the open source license requires you to give that information to another person. You can distribute it if you want to, but you are perfectly free to give them the source code and tell them that if they want it to work they need to go get their own consumer keypair. In short, once you are done unit testing the product you can delete out those variables and tell them where to fill in their own information. Nothing in the open source license requires you to give that information any more than it requires you to publicize what the root password on your MySQL database server is.
>
> I'm aware of this, but the point is that it should actually work. This is made for end-users, not for developers to modify, and I'd rather not have everyone register separate API keys just to use it.
>
> --
> Ryan McCue
> http://ryanmccue.info/
Re: [twitter-dev] Using OAuth keys in an open source application
On 1/18/2010 1:19 AM, Ryan McCue wrote:
> Hey guys,
>
> I'm looking to integrate Twitter posting into an application I'm developing. The catch to this is that because it's open source, and programmed in PHP, I'd have to distribute the secret key with it. What's the best way to go about this? I've fallen back onto the ordinary basic auth API for now.
>
> Thanks,
> Ryan.

Technically, you don't. All open source requires is that you distribute the source code, not the individual data. So you could specify that the secret key is in a particular file and then other users could insert their own secret key.
Re: [twitter-dev] Using OAuth keys in an open source application
that's precisely what i would do - author your code to read from a configuration file that contains the keys. don't distribute that configuration file, but, instead, distribute a README or an example configuration file that the end user would fill in.

On Mon, Jan 18, 2010 at 9:43 AM, John Meyer john.l.me...@gmail.com wrote:
> On 1/18/2010 1:19 AM, Ryan McCue wrote:
>> Hey guys,
>>
>> I'm looking to integrate Twitter posting into an application I'm developing. The catch to this is that because it's open source, and programmed in PHP, I'd have to distribute the secret key with it. What's the best way to go about this? I've fallen back onto the ordinary basic auth API for now.
>>
>> Thanks,
>> Ryan.
>
> Technically, you don't. All open source requires is that you distribute the source code, not the individual data. So you could specify that the secret key is in a particular file and then other users could insert their own secret key.

--
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi
Re: [twitter-dev] Using OAuth keys in an open source application
You are reading it correctly. You do not want to give out your Consumer Key or Consumer Secret. If somebody downloads the source of your application, they are most likely going to be using it in their own application. Therefore, they need their own Consumer Key and Consumer Secret.

Ryan

On Mon, Jan 18, 2010 at 12:56 PM, Isaiah supp...@yourhead.com wrote:
> So you're saying that each individual end-user of the open source app would register with Twitter for separate Twitter Application credentials, add those credentials to the app, and then recompile the application? Or did I read that incorrectly?
>
> Isaiah
> YourHead Software
> supp...@yourhead.com
> http://www.yourhead.com
>
> On Jan 18, 2010, at 9:46 AM, Raffi Krikorian wrote:
>> that's precisely what i would do - author your code to read from a configuration file that contains the keys. don't distribute that configuration file, but, instead, distribute a README or an example configuration file that the end user would fill in.
>>
>> On Mon, Jan 18, 2010 at 9:43 AM, John Meyer john.l.me...@gmail.com wrote:
>>> On 1/18/2010 1:19 AM, Ryan McCue wrote:
>>>> Hey guys,
>>>>
>>>> I'm looking to integrate Twitter posting into an application I'm developing. The catch to this is that because it's open source, and programmed in PHP, I'd have to distribute the secret key with it. What's the best way to go about this? I've fallen back onto the ordinary basic auth API for now.
>>>>
>>>> Thanks,
>>>> Ryan.
>>>
>>> Technically, you don't. All open source requires is that you distribute the source code, not the individual data. So you could specify that the secret key is in a particular file and then other users could insert their own secret key.
>>
>> --
>> Raffi Krikorian
>> Twitter Platform Team
>> http://twitter.com/raffi
Re: [twitter-dev] Using OAuth keys in an open source application
Something like that. Ideally, what I would do is configure the app so that if the consumer keys (both secret and non) are not present, the user is directed to a screen to input those for themselves (with maybe a helpful link to get them in the first place).

On Jan 18, 2010, at 9:46 AM, Raffi Krikorian wrote:
> that's precisely what i would do - author your code to read from a configuration file that contains the keys. don't distribute that configuration file, but, instead, distribute a README or an example configuration file that the end user would fill in.
>
> On Mon, Jan 18, 2010 at 9:43 AM, John Meyer john.l.me...@gmail.com wrote:
>> On 1/18/2010 1:19 AM, Ryan McCue wrote:
>>> Hey guys,
>>>
>>> I'm looking to integrate Twitter posting into an application I'm developing. The catch to this is that because it's open source, and programmed in PHP, I'd have to distribute the secret key with it. What's the best way to go about this? I've fallen back onto the ordinary basic auth API for now.
>>>
>>> Thanks,
>>> Ryan.
>>
>> Technically, you don't. All open source requires is that you distribute the source code, not the individual data. So you could specify that the secret key is in a particular file and then other users could insert their own secret key.
>
> --
> Raffi Krikorian
> Twitter Platform Team
> http://twitter.com/raffi
Re: [twitter-dev] Using OAuth keys in an open source application
John Meyer wrote:
> Technically, you don't. All open source requires is that you distribute the source code, not the individual data. So you could specify that the secret key is in a particular file and then other users could insert their own secret key.

Right, so everyone would have to get their own API key? Sounds a bit counterintuitive to me.

ryan alford wrote:
> You do not want to give out your Consumer Key or Consumer Secret. If somebody downloads the source of your application, they are most likely going to be using it in their own application. Therefore, they need their own Consumer Key and Consumer Secret.

ryan alford wrote:
> There is a difference between giving your application to others to install and use, and others downloading your code for their own applications.

The problem with that is that the application is written in PHP, so they need the source to run it, hence, any normal users would need to have an API key.

--
Ryan McCue
http://ryanmccue.info/
Re: [twitter-dev] Using OAuth keys in an open source application
PHP as in web-based? Why wouldn't the user just log in to the website?

Ryan

Sent from my DROID

On Jan 18, 2010 10:03 PM, Ryan McCue li...@rotorised.com wrote:
> John Meyer wrote:
>> Technically, you don't. All open source requires is that you distribute the so...
>
> Right, so everyone would have to get their own API key? Sounds a bit counterintuitive to me.
>
> ryan alford wrote:
>> You do not want to give out your Consumer Key or Consumer Secret. If someb...
>
> ryan alford wrote:
>> There is a difference between giving your application to others to install ...
>
> The problem with that is that the application is written in PHP, so they need the source to run it, hence, any normal users would need to have an API key.
>
> --
> Ryan McCue
> http://ryanmccue.info/
Re: [twitter-dev] Using OAuth keys in an open source application
On 1/18/2010 6:43 PM, Ryan McCue wrote:
> John Meyer wrote:
>> Technically, you don't. All open source requires is that you distribute the source code, not the individual data. So you could specify that the secret key is in a particular file and then other users could insert their own secret key.
>
> Right, so everyone would have to get their own API key? Sounds a bit counterintuitive to me.

No, the point I was trying to make was that you don't HAVE to distribute the key. Nothing in the open source license requires you to give that information to another person. You can distribute it if you want to, but you are perfectly free to give them the source code and tell them that if they want it to work they need to go get their own consumer keypair. In short, once you are done unit testing the product you can delete out those variables and tell them where to fill in their own information. Nothing in the open source license requires you to give that information any more than it requires you to publicize what the root password on your MySQL database server is.
Re: [twitter-dev] Using OAuth keys in an open source application
* Isaiah Carew isa...@me.com [100118 19:02]:
> If every person that uses an app accesses the API with their own personal app credentials that would mean the app would appear to Twitter as hundreds, or potentially thousands, of individual applications.
>
> One goal of application registration is to control application privileges en masse. So that when malware is found its privileges can be revoked quickly. Or even in the more banal case: an app doing something taxing to the API. The privileges could be revoked/modified until the problem was fixed and then re-enabled -- all while the users are blissfully unaware.
>
> If each person who uses an app registers it themselves then Twitter no longer has the ability to monitor the app as a whole, essentially crippling one of OAuth's most compelling reasons for being.

Hopefully Twitter suspends user accounts, not application access, when malicious activity is detected. Otherwise, all desktop apps, whether closed or open source, are vulnerable. It isn't difficult to extract the consumer key and secret from any desktop application that ships with them and use them in malicious code.

Registering a consumer key/secret for every instance of a desktop application seems like an unreasonable requirement to place on users. So, I agree that isn't the solution. I certainly want to see the user count on my OAuth apps page for the desktop apps I release. Per user consumer keys not only prevent Twitter from application tracking, they also prevent the application developer from tracking it as well.

Consider the consumer key and secret public for desktop apps. They are.

-Marc
Re: [twitter-dev] Using OAuth keys in an open source application
The consumer secret is not public. The consumer key can be seen in the query parameters, but the consumer secret is not a query parameter. It would have to be reverse engineered using the signature.

If Twitter determines that a specific application is malware, I would only hope that they would blacklist the app.

Ryan

Sent from my DROID

On Jan 18, 2010 10:45 PM, Marc Mims marc.m...@gmail.com wrote:
> * Isaiah Carew isa...@me.com [100118 19:02]:
>> If every person that uses an app accesses the API with their own personal app credentials that wou...
>
> Hopefully Twitter suspends user accounts, not application access, when malicious activity is detected. Otherwise, all desktop apps, whether closed or open source, are vulnerable. It isn't difficult to extract the consumer key and secret from any desktop application that ships with them and use them in malicious code.
>
> Registering a consumer key/secret for every instance of a desktop application seems like an unreasonable requirement to place on users. So, I agree that isn't the solution. I certainly want to see the user count on my OAuth apps page for the desktop apps I release. Per user consumer keys not only prevent Twitter from application tracking, they also prevent the application developer from tracking it as well.
>
> Consider the consumer key and secret public for desktop apps. They are.
>
> -Marc
Re: [twitter-dev] Using OAuth keys in an open source application
* ryan alford ryanalford...@gmail.com [100118 20:01]:
> The consumer secret is not public. The consumer key can be seen in the query parameters, but the consumer secret is not a query parameter. It would have to be reverse engineered using the signature.
>
> If Twitter determines that a specific application is malware, I would only hope that they would blacklist the app.

Point is, reverse engineering it is easy. It isn't in the query parameters, but it is required to sign the request. So, stepping into the signature code in a debugger will expose it. The consumer key pair might as well be considered public for desktop apps. Calling it secret doesn't make it secret.

If the only solution to the problem is requiring each user to register their own consumer key pair, then Twitter can't shut down a malware application. Each user will appear to have a different app. That defeats the whole purpose.

-Marc
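The two technical points in this part of the thread are the server-side signing proxy suggested in the Session Proxy reply (keep the consumer secret on a server that signs on the app's behalf and ship only revocable credentials with the app) and Marc's observation that the consumer secret has to be present wherever a request is signed. The Python below is an added example, not code from any poster or from Twitter: the OAuth 1.0a HMAC-SHA1 signing follows the spec, while SigningProxy and its "install credential" are hypothetical names for the two-layer scheme, and every key, secret and request value is constructed.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(value) -> str:
    # RFC 3986 encoding as OAuth 1.0a requires: only unreserved characters stay bare
    return quote(str(value), safe="-._~")

def signature_base_string(method: str, url: str, params: dict) -> str:
    # METHOD & encoded URL & encoded(sorted "k=v" pairs joined by "&")
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    # Signing key is consumer_secret&token_secret, so whoever signs must hold the consumer secret
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

class SigningProxy:
    """Server-side signer that keeps the consumer secret (hypothetical design). Each shipped
    install only carries a revocable 'install credential', checked before the proxy will sign."""
    def __init__(self, consumer_key: str, consumer_secret: str, install_creds):
        self._consumer_key = consumer_key
        self._consumer_secret = consumer_secret  # never leaves the proxy
        self._install_creds = set(install_creds)
        self._revoked = set()

    def revoke(self, install_cred: str) -> None:
        # Invalidate one shipped credential, e.g. once abuse is traced to that install
        self._revoked.add(install_cred)

    def is_authorized(self, install_cred: str) -> bool:
        return install_cred in self._install_creds and install_cred not in self._revoked

    def sign(self, install_cred, method, url, params, token, token_secret,
             nonce=None, timestamp=None) -> dict:
        # The client sends request details plus its install credential and gets back the
        # oauth_* parameters for its Authorization header; the consumer secret is never returned
        if not self.is_authorized(install_cred):
            raise PermissionError("install credential unknown or revoked")
        oauth = {
            "oauth_consumer_key": self._consumer_key,
            "oauth_nonce": nonce or secrets.token_hex(16),
            "oauth_signature_method": "HMAC-SHA1",
            "oauth_timestamp": str(timestamp or int(time.time())),
            "oauth_token": token,
            "oauth_version": "1.0",
        }
        base = signature_base_string(method, url, {**params, **oauth})
        oauth["oauth_signature"] = hmac_sha1_signature(base, self._consumer_secret, token_secret)
        return oauth
```

Because the signing key is built from the consumer secret, the only place that can stay ignorant of the secret is a client that never signs; revoking an install credential cuts off one abusive copy without re-registering the application.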
Re: [twitter-dev] Using OAuth keys in an open source application
ryan alford wrote:
> PHP as in web-based? Why wouldn't the user just log in to the website?
>
> Ryan

Yes, it's open source software that users run on their own servers. It is *not* a hosted service (if it was, it'd be fine).

--
Ryan McCue
http://ryanmccue.info/
Re: [twitter-dev] Using OAuth keys in an open source application
John Meyer wrote:
> No, the point I was trying to make was that you don't HAVE to distribute the key. Nothing in the open source license requires you to give that information to another person. You can distribute it if you want to, but you are perfectly free to give them the source code and tell them that if they want it to work they need to go get their own consumer keypair. In short, once you are done unit testing the product you can delete out those variables and tell them where to fill in their own information. Nothing in the open source license requires you to give that information any more than it requires you to publicize what the root password on your MySQL database server is.

I'm aware of this, but the point is that it should actually work. This is made for end-users, not for developers to modify, and I'd rather not have everyone register separate API keys just to use it.

--
Ryan McCue
http://ryanmccue.info/