Hi, I am a newbie and I need clarification on the following:

1) The OAuth 1.0 specification says "All Token requests and Protected Resources requests MUST be signed by the Consumer". But Twitter doesn't seem to verify the signature for all requests. I found out that signing the request with the consumer secret is required only for generating the request token and request secret. But for subsequent requests the consumer secret is not required, e.g. requesting access tokens or any protected resource (e.g. fetching direct messages). Is this the desired behavior? Does Twitter verify the signature at all for protected resource requests? (I verified with a blank consumer secret, which means the request is signed only by the access secret.) Or am I missing something?

2) I am planning to write a desktop application. To protect the consumer secret I am trying to introduce a proxy which generates the request tokens/secrets and access tokens/secrets. If the consumer secret is not required for signing protected resource requests, this setup would work fine for me. But the OAuth specification says you require both the access secret and the consumer secret to sign the request: http://oauth.net/core/1.0/#anchor30

Experienced devs, please clarify.

Regards,
Srikanth