Well, I use Python to write my application. Although I can distribute
it with '.pyo' files which only contain bytecode, it's really not hard
to obtain the key/secret for an end user. Decompiling is always able
to succeed for the people who want to discover the secrets in the
program. Yes, you are right.

On Jan 31, 8:35 am, funkatron <funkat...@gmail.com> wrote:
> Not to be a complete pill, but that is a terrible, terrible initial
> experience for the average desktop app user. There is no way I would
> or could reasonably ask one of my users to register an app themselves,
> then fill in obscure hashes.
>
> The OAuth secret is simply impossible to use securely with open
> source, end-user-oriented applications. My only option with Spaz, when
> Twitter decides to take away basic auth, is to pray someone doesn't
> decide to steal my "secret" hash.
>
> Compiling does make getting the key more difficult, but assuming that
> desktop apps are compiled isn't a good idea -- Spaz isn't, for
> example. I could obscure the code for the end user, I suppose, but
> doing so seems contrary to open source philosophy, and probably just
> presents a challenge.
>
> OAuth as-is just wasn't designed for desktop apps, period. Square peg,
> round hole. If Twitter is insisting on it, I'd rather this was
> portrayed as a trade-off for increased user security, than a solvable
> problem -- I don't think it is.
>
> On Jan 30, 2:22 pm, Raffi Krikorian <ra...@twitter.com> wrote:
>
> > what i would do is just make it clear to people who are using your open
> > source client that they need to register their downloaded application with
> > Twitter -- send them tohttp://twitter.com/apps/new, instruct them to fill
> > out the form, and build a simple "wizard" that they can cut and paste the
> > consumer token and secret into.
>
> > On Sat, Jan 30, 2010 at 12:29 AM, ShellEx Well <5h3l...@gmail.com> wrote:
> > > Some projects (like dabr) put the key and secret in config files.
> > > But I think it really sucks for users who want to use my client with
> > > OAuth, because they have to get a pair of key/secret and configure
> > > them themselves, and this is not convenient for users.
>
> > > So I doubt whether it is a good way to use OAuth in a desktop client.
>
> > > On Jan 30, 1:35 am, Raffi Krikorian <ra...@twitter.com> wrote:
> > > > the leak of a consumer secret will not result in the compromising of user
> > > > accounts (the consumer secret is needed to get user secrets, but to get user
> > > > secrets requires the user's intervention).
>
> > > > however - do not put the consumer key and secret in the source of your code
> > > > and distribute it.  instead, make it possible for your source to read the
> > > > consumer key and secret from a configuration, and distribute, with your
> > > > source code, a sample configuration file or a README that details how to
> > > > create one.
>
> > > > hope that helps.
>
> > > > On Fri, Jan 29, 2010 at 7:57 AM, ShellEx Well <5h3l...@gmail.com> wrote:
> > > > > if a Twitter app's consumer key and secret were leaked out, is it
> > > > > possible to gain a user's access token without a user authentication
> > > > > process?
>
> > > > > I am writing an open-source desktop client and have implemented OAuth for
> > > > > it. However, I don't know whether it is suitable to put my key and secret in
> > > > > the source. Are there any risks if I do that?
>
> > > > > Thx :)
>
> > > > --
> > > > Raffi Krikorian
> > > > Twitter Platform Team http://twitter.com/raffi
>
> > --
> > Raffi Krikorian
> > Twitter Platform Team http://twitter.com/raffi

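As an added example for this thread (not code from the thread, from dabr, Spaz or any Twitter library): a Python sketch of the advice above. It reads the consumer key/secret from a config file that the user creates from a shipped sample, signs requests with OAuth 1.0a HMAC-SHA1 as in RFC 5849, and shows in `sign`/`verify_signature` why a leaked consumer secret alone does not let anyone act as a user: the HMAC key is `consumer_secret&token_secret`, and the token secret only exists after the user authorizes the app. The config layout, all function names, the sample credential values and the test request are assumptions made for the example; only the `http://twitter.com/apps/new` URL and the `oauth_callback=oob` PIN step come from the discussion.

```python
"""Added example: OAuth 1.0a (HMAC-SHA1, RFC 5849) helpers for a desktop
client that reads consumer key/secret from a config file instead of the
source. Hypothetical layout and names, not any project's code."""
import base64
import configparser
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qsl, quote, urlsplit

# Sample config shipped beside the source; the values are constructed placeholders.
SAMPLE_CONFIG = """[oauth]
consumer_key = cKey_EXAMPLE_123
consumer_secret = cSecret_EXAMPLE_456
"""


def parse_consumer_credentials(text: str) -> Tuple[str, str]:
    """Pull consumer key/secret out of INI text; refuse empty values."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    key = cfg.get("oauth", "consumer_key", fallback="").strip()
    secret = cfg.get("oauth", "consumer_secret", fallback="").strip()
    if not key or not secret:
        raise ValueError("set consumer_key and consumer_secret under [oauth]")
    return key, secret


def load_consumer_credentials(path: str) -> Tuple[str, str]:
    """Read the config file the user created from SAMPLE_CONFIG."""
    with open(path, encoding="utf-8") as f:
        return parse_consumer_credentials(f.read())


def pct(s: str) -> str:
    """RFC 5849 3.6 percent-encoding: only unreserved characters stay literal."""
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """Lowercase scheme/host, drop default port, drop query and fragment."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port and p.port != {"http": 80, "https": 443}.get(p.scheme):
        host = f"{host}:{p.port}"
    return f"{p.scheme}://{host}{p.path or '/'}"


def signature_base_string(method: str, url: str, params: Dict[str, str]) -> str:
    """METHOD&uri&params, with query-string and oauth_* params merged and sorted."""
    pairs = list(params.items()) + parse_qsl(urlsplit(url).query, keep_blank_values=True)
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def sign(base: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 keyed with consumer_secret&token_secret. Both halves go into
    the key, so a leaked consumer secret alone cannot sign for a user's token:
    that needs the token secret the user only hands out by authorizing the app."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def oauth_params(consumer_key: str, token: Optional[str] = None, **extra: str) -> Dict[str, str]:
    """Fresh nonce/timestamp plus the protocol parameters for one request."""
    p = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_version": "1.0",
    }
    if token is not None:
        p["oauth_token"] = token
    p.update(extra)
    return p


def authorization_header(method, url, params, consumer_secret, token_secret=""):
    """Sign and render the Authorization: OAuth header for one request."""
    sig = sign(signature_base_string(method, url, params), consumer_secret, token_secret)
    fields = {k: v for k, v in params.items() if k.startswith("oauth_")}
    fields["oauth_signature"] = sig
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(fields.items()))


def verify_signature(method, url, params, consumer_secret, token_secret=""):
    """Server side: recompute over everything but oauth_signature, compare in constant time."""
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(signature_base_string(method, url, unsigned), consumer_secret, token_secret)
    return hmac.compare_digest(params.get("oauth_signature", ""), expected)


if __name__ == "__main__":
    try:
        ckey, csecret = load_consumer_credentials("client.cfg")
    except FileNotFoundError:
        with open("client.cfg", "w", encoding="utf-8") as f:
            f.write(SAMPLE_CONFIG)
        raise SystemExit("wrote client.cfg; fill in the key/secret from http://twitter.com/apps/new")
    # First leg of the PIN flow: oauth_callback=oob asks the server to show a verifier
    # the user types back into the client instead of redirecting to a callback URL.
    req = oauth_params(ckey, oauth_callback="oob")
    print(authorization_header("POST", "https://api.twitter.com/oauth/request_token", req, csecret))
```

Running it once writes `client.cfg` from the sample and exits; after the user pastes in their own key/secret it prints the signed request-token header. `verify_signature` is what the server does, included so you can see that a request signed with a token secret fails verification when only the consumer secret is known, which is the point Raffi makes about a leaked consumer secret.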