On Jan 20, 4:50 pm, Cameron Kaiser <spec...@floodgap.com> wrote:
> The problem here is distinguishing the two. OAuth doesn't (and I was
> told this by one of the people on the OAuth committee) specifically
> allow you to unambiguously and securely identify an application just
> because it has a certain app key

Huh? Can you translate this into either English or pseudo-code?

I fill out a form. The app gets a name, which must be unique. And I choose between a desktop exclusive-or server app (PIN workflow exclusive-or callback workflow) with a radio button. I get a consumer key and consumer secret, also, I'm assuming, unique.

So now I run that app. I send packets back and forth between the app / my IP address and Twitter's servers / Twitter's IP addresses. Are you saying Twitter can't distinguish my OAuth app running on my IP address from another OAuth app running on a different IP address? You don't know where I am and what I'm running? You don't know which of 30 users of my app from different machines is acting abusively?