Some project (like dabr) put key and secret in config files. But I think it really suck for users who want to use my client with OAuth. Because they have to get a pair of key/secret and do configure themselves, and the this is not convenience for users.
So I doubt that is it a good way to use OAuth in Desktop Client. On Jan 30, 1:35 am, Raffi Krikorian <ra...@twitter.com> wrote: > the leak of a consumer secret will not result in the compromising of user > accounts (the consumer secret is needed to get user secrets, but to get user > secrets require the user's intervention). > > however - do not put the consumer key and secret in the source of your code > and distribute it. instead, make it possible for your source to read the > consumer key and secret from a configuration, and distribute, with your > source code, a sample configuration file or a README that details how to > create one. > > hope that helps. > > On Fri, Jan 29, 2010 at 7:57 AM, ShellEx Well <5h3l...@gmail.com> wrote: > > if a twitter App's Consumer key and secret were leak out, is it > > possible to gain a user's access token without a user authentication > > process ? > > > I am writing a opensource desktop client and has implemented OAuth for > > it. However, I don't know is it suitable to put my key and secret in > > the source? Are there any risks if i do that? > > > Thx :) > > -- > Raffi Krikorian > Twitter Platform Teamhttp://twitter.com/raffi