I assume you have 2 versions:
1) the open-source code that developers can use and modify. You would not
include your consumer key/secret and have instructions on how to get their
own. Although you could include your consumer values as defaults and get
free publicity from any projects that don't create and use their own.
2) the compiled version that end users will download and expect to just
work. In these, include your consumer key/secret but be aware that others
could use them for limited nefarious purposes. Applications could take your
consumer information and, if they convince users to go through the
authentication process, make requests to the API that appear to be from your
application.

Abraham

On Sat, Jan 30, 2010 at 11:22, Raffi Krikorian <ra...@twitter.com> wrote:

> what i would do is just make it clear to people who are using your open
> source client that they need to register their downloaded application with
> Twitter -- send them to http://twitter.com/apps/new, instruct them to fill
> out the form, and build a simple "wizard" that they can cut and paste the
> consumer token and secret into.
>
> On Sat, Jan 30, 2010 at 12:29 AM, ShellEx Well <5h3l...@gmail.com> wrote:
>
>> Some projects (like dabr) put the key and secret in config files.
>> But I think it really sucks for users who want to use my client with
>> OAuth. Because they have to get a pair of key/secret and configure it
>> themselves, and this is not convenient for users.
>>
>> So I doubt that it is a good way to use OAuth in a desktop client.
>>
>> On Jan 30, 1:35 am, Raffi Krikorian <ra...@twitter.com> wrote:
>> > the leak of a consumer secret will not result in the compromising of user
>> > accounts (the consumer secret is needed to get user secrets, but to get user
>> > secrets requires the user's intervention).
>> >
>> > however - do not put the consumer key and secret in the source of your code
>> > and distribute it.  instead, make it possible for your source to read the
>> > consumer key and secret from a configuration, and distribute, with your
>> > source code, a sample configuration file or a README that details how to
>> > create one.
>> >
>> > hope that helps.
>> >
>> > On Fri, Jan 29, 2010 at 7:57 AM, ShellEx Well <5h3l...@gmail.com> wrote:
>> > > If a Twitter app's consumer key and secret were leaked, is it
>> > > possible to gain a user's access token without a user authentication
>> > > process?
>> >
>> > > I am writing an open-source desktop client and have implemented OAuth for
>> > > it. However, I don't know if it is suitable to put my key and secret in
>> > > the source. Are there any risks if I do that?
>> >
>> > > Thx :)
>> >
>> > --
>> > Raffi Krikorian
>> > Twitter Platform Team
>> > http://twitter.com/raffi
>>
>
>
>
> --
> Raffi Krikorian
> Twitter Platform Team
> http://twitter.com/raffi
>



-- 
Abraham Williams | Community Advocate | http://abrah.am
Project | Out Loud | http://outloud.labs.poseurtech.com
This email is: [ ] shareable [x] ask first [ ] private.
Sent from Seattle, WA, United States
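
Added example (not part of the thread and not Twitter's code): a small OAuth 1.0a HMAC-SHA1 signer that reads the consumer pair from a configuration, as the quoted reply recommends, and shows which requests a consumer secret alone can and cannot sign. The config section and key names, URLs, nonce, timestamp, tokens and secrets are constructed placeholders.

```python
import base64, configparser, hashlib, hmac
from urllib.parse import quote

# Constructed sample config; a real client reads this from a user-edited file
# kept out of the source tree (section and key names are assumptions).
SAMPLE_CONFIG = "[oauth]\nconsumer_key = EXAMPLE_KEY\nconsumer_secret = EXAMPLE_SECRET\n"

def load_consumer(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp["oauth"]["consumer_key"], cp["oauth"]["consumer_secret"]

def enc(value):
    # Percent-encoding per RFC 5849 section 3.6 (only unreserved chars stay literal).
    return quote(str(value), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret=""):
    # Signature base string: METHOD & encoded URL & encoded sorted parameters.
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), enc(url), enc(normalized)])
    # The HMAC key joins BOTH secrets; token_secret is empty until a user authorizes.
    key = f"{enc(consumer_secret)}&{enc(token_secret)}"
    mac = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def server_accepts(sig, method, url, params, consumer_secret, token_secret=""):
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(sig, expected)

def demo():
    key, secret = load_consumer(SAMPLE_CONFIG)
    common = {"oauth_consumer_key": key, "oauth_signature_method": "HMAC-SHA1",
              "oauth_nonce": "constructed-nonce", "oauth_timestamp": "1264800000",
              "oauth_version": "1.0"}
    # Request-token step: no user token exists yet, so the consumer secret alone
    # signs it. Whoever holds the pair can start a flow under the app's name.
    rt_url = "https://api.example.com/oauth/request_token"
    rt_ok = server_accepts(sign("POST", rt_url, common, secret), "POST", rt_url, common, secret)
    # User-level call: the server verifies with the user's token secret as well.
    api_url = "https://api.example.com/1/statuses/update.json"
    user = dict(common, oauth_token="USER_TOKEN", status="hello world")
    user_secret = "USER_TOKEN_SECRET"  # issued only after the user approves
    forged = sign("POST", api_url, user, secret)  # consumer secret only
    genuine = sign("POST", api_url, user, secret, user_secret)
    return {"request_token": rt_ok,
            "forged_user_call": server_accepts(forged, "POST", api_url, user, secret, user_secret),
            "genuine_user_call": server_accepts(genuine, "POST", api_url, user, secret, user_secret)}
```

Calling `demo()` returns the acceptance result for each of the three requests; only the call signed without the user's token secret is rejected.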
