Just to follow up on this, we're working on an OAuth 2.0
implementation (of which we are contributors/authors to the spec)
that does have a profile which makes it possible to write JavaScript
OAuth clients without compromising the keys. I can't give a date yet,
however, as the spec is not even finalized yet. If people are
interested, I can circulate a URL to the draft.
On Apr 11, 2010, at 9:23 AM, Taylor Singletary <[email protected]> wrote:
Safe to send the requests, yes. Safe to sign them, no.
In pure JavaScript OAuth 1.0A implementations, your consumer secret
will have to appear somewhere in your JavaScript code to sign the
requests. The visibility of your secret compromises your API keys
and requests, putting your application and user's reputations &
security at risk. There's always a risk of secret discovery in
desktop or pure client applications, but it's riskiest when the
secret is in plain sight.
Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod
On Sun, Apr 11, 2010 at 12:09 AM, Karolis <[email protected]> wrote:
Hello lively community,
I am in the process of building a web app based on Twitter data.
Currently my whole app is based on JavaScript and everything happens
client side.
However, due to API rate limitations and because some of the Twitter
requests have to be authenticated (users/lookup), I have to use OAuth
authentication.
Now my question: is it safe to send API requests authenticated by OAuth
via Ajax calls which are happening on the client side?
Thanks in advance
karolis