OAuth is a web authentication protocol. It was not designed to
authenticate desktop and mobile apps, and should not be used for that.
I have to disagree. I can't think of a single protocol that allows the
identification of applications without the possibility of leaking keys
- if you have to
On Aug 9, 7:44 am, Tom allerleiga...@gmail.com wrote:
If you use some kind of server-side proxy, you still have the same
issue, because you also have to identify your application to your own
server - which anyone can do, no matter how good the encryption is.
Yes, anyone who uses your
And anyone who manages to find out how your client-server connection
works, can act as if they are using your application - exactly the
same issue as the one which Twitter currently has, except that it may
be a bit easier or harder, depending on the used protocol.
Tom
On Aug 9, 6:50 pm, Jef
Quoting Jef Poskanzer jef.poskan...@gmail.com:
On Aug 9, 10:48 am, Tom allerleiga...@gmail.com wrote:
exactly the same issue as the one which Twitter currently has
No.
A malfeasor who gets your app key can make any API call pretending to
be you, from any IP address, logged in as any user.
On Mon, Aug 9, 2010 at 10:46 PM, M. Edward (Ed) Borasky
zn...@borasky-research.net wrote:
why not simply build as much of the functionality into
the server as possible and make a browser-based app right from the start?
'Cause that's not what I want. If I wanted a browser based app, I'd
write
I have to admit that you've got a very good point there. However,
don't forget that any twitter account can create new API keys, without
any kind of review process ;-)
The problem is very simple: Twitter needs something to identify the
application, and this identification must be sent by the
On Aug 7, 10:52 am, @epc epcoste...@gmail.com wrote:
What's the approved open source solution to this problem?
You don't have to make it a full-fledged web app as Ed Borasky says.
You can also use a server-side proxy that holds your API key/secret
and signs API calls. Of course this means all of
On Aug 6, 2:45 pm, Julio Biason julio.bia...@gmail.com wrote:
I may sound pissed and I am: Twitter was built on top of open source
apps (like Rails and now Cassandra) and basically you guys are
slapping every other open source application that uses your APIs in the
face.
What's the approved
Deploy your application as a server-based web application. It's not
like that's difficult with frameworks like Rails, Django, CodeIgniter,
...
--
M. Edward (Ed) Borasky
http://borasky-research.net http://twitter.com/znmeb
A mathematician is a device for turning coffee into theorems. - Paul
On Sat, Aug 7, 2010 at 3:17 PM, M. Edward (Ed) Borasky
zn...@borasky-research.net wrote:
Deploy your application as a server-based web application. It's not like
that's difficult with frameworks like Rails, Django, CodeIgniter, ...
And what if I have a desktop application? Should I just screw
Can't you open source everything *except* a module that deals with
oAuth? Like a proprietary codec or proprietary wireless driver?
--
M. Edward (Ed) Borasky
http://borasky-research.net http://twitter.com/znmeb
A mathematician is a device for turning coffee into theorems. - Paul Erdos
Quoting
twitter did this for 1 reason and only 1 reason, sucks i know but
they did this because of all the desktop and net applications
that are mass sending messages, parsing, you name it, now they have
control to kill the key,
i think it's a horrible solution because now all the developers will do
Taylor -
thanks for the response. it is good to hear it from the horse's mouth.
unfortunately, distributing the app without keys/secrets and asking
each user to register their own set of keys is not feasible for my
app. in lieu of a better solution, i will have to remove Twitter
integration for
On Thu, Aug 5, 2010 at 8:41 PM, Taylor Singletary
taylorsinglet...@twitter.com wrote:
We know this isn't ideal.
No, it's not ideal: It's far far FAR from it.
But we're supporting OAuth 1.0a right now, and for the safety of our users,
for the ecosystem, and for you: please don't distribute API
i have seen it stated a few times that this solution is still being
evaluated and it sounds like it might not see the light of day (which
is fine by me - it seemed kind of convoluted to begin with).
however, the oAuth deadline is fast approaching - what options do open
source apps have in order
Hi Everyone,
The key exchange solution will not be ready for the cut
off, unfortunately.
If you want to distribute an open source application or library, it should
either:
- consume only public resources not requiring authentication
- be distributed without consumer keys and secrets.
If