Comments inline:

On Apr 7, 2009, at 10:24 PM, redwall_hp wrote:


I'm planning out a WordPress plugin that will make use of the Twitter
API (which I have experience with). I'd like to avoid using basic HTTP
authentication if I can, in favor of OAuth. I've been doing some
reading on OAuth, and I think I get the general idea, though I haven't
tried any experiments with it yet.

I'm left wondering about a few things though.

1. As I'm developing a WordPress plugin, many different people will be
using it on many different servers. How do I handle application
registration with Twitter? Do I register an application under the name
of the plugin, and then hook that into the plugin? Or would each user
of the plugin have to go and register their blog as an application and
do some setup with the plugin?

If this is a read-only application, you could register it once and have all sites effectively act as the same application. This increases the ease of installation but runs the risk of all sites breaking if one user misbehaves enough that we have to suspend the application.

For applications with write access I wouldn't recommend distributing the key/secret since each site would likely want their own source name (e.g. "from Matt's Blog"). In that case you would need to leave the token and secret blank and have each installation register themselves.


2. How are API limits handled with OAuth? What are the differences (if
any)? Are the API limits logged by IP, by the user authenticating, or
to the application?

There is a bug right now waiting to be fixed, but after that it will work just like Basic Auth does. By user when authenticated, by IP address when not.

Thanks;
  — Matt Sanford / @mzsanford
