I have the same issue with my application.  Desktop apps are forced to
either embed the consumer keys in source code or construct some sort
of elaborate server mechanism.  There's no good answer here.

When my application approaches 1.0 release, I'll probably use
Dotfuscator or something similar to help protect the keys that are in
the source.  It won't stop a determined attacker, but it will at least
deter the less-determined ones.

On Jul 28, 10:38 am, srikanth reddy <srikanth.yara...@gmail.com>
wrote:
> I don't think you got my point. Whether you were signing using both secrets
> or one secret doesn't matter because twitter wasn't verifying the signature at
> all. Now they have fixed this and all your protected service requests must
> be signed by both secrets.
> My problem is how to protect the consumer secret. Looks like I can't protect
> it, as this is the case with desktop clients using oauth
>
> On Tue, Jul 28, 2009 at 6:30 PM, Duane Roelands 
> <duane.roela...@gmail.com>wrote:
>
> > I've been using both consumer keys to sign all of my requests from day
> > one.
>
> > I still think the issue is related to URL encoding somehow, because I
> > can successfully post tweets if they don't contain troublesome
> > characters (apostrophe, for example).
>
> > But, so long as Twitter remains silent, we'll never know.
>
> > On Jul 25, 7:37 am, srikanth yaradla <srikanth.yara...@gmail.com>
> > wrote:
> > > Hi
> > > I am a newbie and I need clarification for the following
>
> > > 1) OAuth 1.0 specification says "All Token requests and Protected
> > > Resources requests MUST be signed by the Consumer"
>
> > > But twitter doesn't seem to verify the signature for all requests. I
> > > found out that signing the request by consumer secret is required only
> > > for generating the request token and request secret.
> > > But for subsequent requests the consumer secret is not required, e.g.
> > > requesting access tokens or any protected resource (e.g. fetch direct
> > > messages). Is this desired behavior?
> > > Does twitter verify the signature at all for protected resource
> > > requests? (I verified with a blank consumer secret, which means the
> > > request is signed only by the access secret.) Or am I missing something?
>
> > > 2) I am planning to write a desktop application. To protect
> > > the consumer secret I am trying to introduce a proxy which generates the
> > > request tokens/secrets, access tokens/secrets. If the consumer secret is
> > > not required for signing protected resource requests this setup would
> > > work fine with me.
> > > But the OAuth specification says you require both the
> > > access secret and the consumer secret to sign the request
> > >  http://oauth.net/core/1.0/#anchor30
>
> > > Experienced devs please clarify.
>
> > > Regards
> > > Srikanth
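The signing step the whole thread turns on, as an added example that is not code from any of the posters: an OAuth 1.0 HMAC-SHA1 signer and a matching server-side verifier. The point it makes concrete is that the HMAC key is `consumer_secret&token_secret`, so a request cannot be signed by a party that holds only one of the two secrets, and a server that actually checks signatures rejects a request signed with a blank consumer secret. Function names are my own; the key, token, nonce, timestamp and URL values are the worked example from Appendix A of the OAuth Core 1.0 spec linked above, which is the one published test vector for this construction. The second request, a Twitter-style status update containing an apostrophe, is constructed here to show the double percent-encoding that Duane's post suspects is the source of his failures.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit


def percent_encode(value):
    """OAuth 1.0 encoding is RFC 3986: only A-Z a-z 0-9 - . _ ~ are left bare.

    Note that an apostrophe is NOT unreserved, so it must become %27; a client
    that leaves it bare produces a base string the server will not reproduce.
    """
    return quote(str(value), safe="")


def normalize_url(url):
    """Lower-case scheme and host, drop default ports, strip query and fragment."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    port = parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = "%s:%d" % (host, port)
    return urlunsplit((scheme, host, parts.path or "/", "", ""))


def signature_base_string(method, url, params):
    """method & encoded(normalized URL) & encoded(sorted 'k=v' pairs).

    params holds the oauth_* parameters plus any POST body parameters; query
    parameters in the URL are merged in. oauth_signature itself is excluded.
    """
    merged = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    merged.update({k: v for k, v in params.items() if k != "oauth_signature"})
    # Sort by encoded key, then encoded value, as the spec requires.
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in merged.items())
    normalized = "&".join("%s=%s" % (k, v) for k, v in pairs)
    return "&".join([method.upper(), percent_encode(normalize_url(url)), percent_encode(normalized)])


def signing_key(consumer_secret, token_secret=""):
    """Both secrets, each percent-encoded, joined by '&'.

    An empty token secret (request-token step) still leaves the trailing '&';
    an empty consumer secret changes the key and therefore the signature.
    """
    return "%s&%s" % (percent_encode(consumer_secret), percent_encode(token_secret))


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """Client side: base64(HMAC-SHA1(signing_key, signature_base_string))."""
    key = signing_key(consumer_secret, token_secret).encode("ascii")
    msg = signature_base_string(method, url, params).encode("ascii")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode("ascii")


def verify_signature(method, url, params, consumer_secret, token_secret=""):
    """Server side: recompute with the secrets the server holds and compare in constant time."""
    presented = params.get("oauth_signature", "")
    expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


# Spec Appendix A values: consumer secret kd94hf93k423kf44, token secret pfkkdhi9sl3r4s00.
SPEC_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
SPEC_PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_version": "1.0",
}

# Constructed request with a troublesome character in the status text (not from the thread).
STATUS_PARAMS = dict(SPEC_PARAMS, status="it's working")


def sign_spec_request(consumer_secret="kd94hf93k423kf44", token_secret="pfkkdhi9sl3r4s00"):
    """Sign the spec's GET request; defaults reproduce the published vector."""
    return hmac_sha1_signature("GET", SPEC_URL, SPEC_PARAMS, consumer_secret, token_secret)


if __name__ == "__main__":
    print(signature_base_string("GET", SPEC_URL, SPEC_PARAMS))
    print(sign_spec_request())
    print(sign_spec_request(consumer_secret=""))  # differs: a verifying server rejects it
    print(signature_base_string("POST", "http://twitter.example/statuses/update.json", STATUS_PARAMS))
```

Because the HMAC key concatenates both secrets, a proxy that keeps the consumer secret off the desktop has to sign every protected-resource request, not just the token exchange; a client holding only the access token secret cannot produce a valid signature on its own. The apostrophe case shows up in the base string as `%2527`: the value is encoded once to `%27`, then the whole normalized parameter string is encoded again.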
