Message from discussion Keeping OAuth keys safe in open-source projects
John Bunting  
From: John Bunting <jo...@tumblr.com>
Date: Fri, 14 Sep 2012 17:19:20 -0400
Local: Fri, Sep 14 2012 5:19 pm
Subject: Re: Keeping OAuth keys safe in open-source projects

OAuth2 is coming. We're currently working on it. A year ago we didn't see
enough of a real adoption to do it, but now most of the kinks seem to be
working out. It was part of one of the first posts on the developers blog.

We will release more as we get closer to it being ready.

Are there any twitter plugins for WordPress that auto tweet you could base a
design off of?
On Sep 14, 2012 5:03 PM, "Otto" <o...@ottodestruct.com> wrote:

> What I'm trying to write is a WordPress plugin. It's distributed as PHP
> code and run by users of WordPress. The code would be hosted on their own
> site, and used to import posts from Tumblr to WordPress, or possibly export
> posts from WordPress to Tumblr.

> The need to have that OAuth 1.0a signature is the only thing holding me
> back, really. The callback stuff works fine and I can get it to connect
> okay, but I can't distribute a secret since the plugin is just plaintext
> code, visible to everybody. And I really don't want to proxy everything
> through wordpress.org, because there are privacy issues involved in that
> case, and frankly we don't want to have access to people's Tumblr accounts
> anyway, we want them to be able to access their own accounts, on their own
> websites.

> I really wish you guys had gone with OAuth 2.0 instead, because then this
> would not be nearly as much of a problem. We could use some form of
> client-side authentication, much like Google permits, which doesn't need a
> secret or signature mechanism:
> https://developers.google.com/accounts/docs/OAuth2UserAgent

> -Otto

> On Friday, September 14, 2012 3:32:28 PM UTC-5, John Bunting wrote:

>> It really depends on what kind of an application you are writing. Is this
>> a binary being distributed? Is it a web app that the user runs locally? Is
>> the code being hosted somewhere? Are you writing a CLI app to just post
>> things to Tumblr?

>> In general, you can see how any open source twitter project stores tokens
>> for everyone since they are still running the oAuth1.0a spec. Generally,
>> you make a config file and have the users place tokens in there.

>> There really isn't much more you can do.
>> On Sep 14, 2012 4:22 PM, "Otto" <ot...@ottodestruct.com> wrote:

>>> What is a better way to do this?

>>> I'm trying to write some open-source code to let end users authenticate
>>> to their Tumblr account and retrieve/post information from/to it, but
>>> obviously I cannot include a "secret" because then it wouldn't exactly be
>>> secret anymore...

>>> Your proposed solution is to make all users of the code pretend that
>>> they are 'developers' and go through the process of creating their own
>>> oAuth apps just for them to use, then to copy and paste this large set of
>>> gibberish (to them) back into some configuration file somewhere or into
>>> some fields in the application.

>>> This is an awful lot to ask of users just for their programs to be able
>>> to talk to Tumblr.

>>> Note that the authentication worked fine with the old API. All the thing
>>> needed was their username and password, and it could talk to your servers
>>> just fine. But that's sort of off the table now that you disconnected
>>> everybody with no warning. Good job on that, BTW.

>>> -Otto

>>> On Sunday, September 9, 2012 10:05:52 PM UTC-5, John Bunting wrote:

>>>> The best way to do this would be to have the user have some kind of
>>>> configuration file where they would set their own consumer/secret keys or a
>>>> set of environment variables that store this information.

>>>> so for example, my ruby client requires either a .tumblr directory in
>>>> your home directory or for you to set your tokens in the script you are
>>>> writing.
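The arrangement the thread settles on (each user supplies their own consumer key/secret and tokens through environment variables or a file under a `.tumblr` directory in their home directory, so nothing secret ships inside the distributed code) as an added example in Ruby. It is not code from the original posts or from Tumblr's own client: the `TUMBLR_*` variable names, the `~/.tumblr/credentials.json` JSON layout and all function names are assumptions made for this example. It also shows the OAuth 1.0a HMAC-SHA1 signing step that the discussion turns on, so the consumer secret is used only as a local signing key and never appears in a request, and it refuses a credentials file that other local users can read.

```ruby
require "json"
require "base64"
require "openssl"
require "tmpdir"

# The four OAuth 1.0a values a Tumblr client needs. The first two identify the
# registered app and must never ship inside distributed plugin code; all four
# are supplied by the user at runtime (env vars or a private config file).
CREDENTIAL_KEYS = %w[consumer_key consumer_secret oauth_token oauth_token_secret].freeze

# Load credentials: TUMBLR_CONSUMER_KEY, TUMBLR_CONSUMER_SECRET, TUMBLR_OAUTH_TOKEN
# and TUMBLR_OAUTH_TOKEN_SECRET take precedence; anything still missing is read
# from a JSON file (default ~/.tumblr/credentials.json). Variable names and the
# file layout are assumptions for this example, not Tumblr's convention.
def load_tumblr_credentials(env: ENV, config_path: File.join(Dir.home, ".tumblr", "credentials.json"))
  creds = {}
  CREDENTIAL_KEYS.each do |k|
    v = env["TUMBLR_#{k.upcase}"]
    creds[k] = v unless v.nil? || v.empty?
  end
  missing = CREDENTIAL_KEYS - creds.keys
  return creds if missing.empty?

  unless File.file?(config_path)
    raise "missing #{missing.join(', ')}: set TUMBLR_* variables or create #{config_path}"
  end
  # A group- or world-readable secrets file is the local equivalent of shipping
  # the secret inside the plugin: refuse it instead of silently proceeding.
  mode = File.stat(config_path).mode & 0o777
  if (mode & 0o077) != 0
    raise format("%s has mode %04o; it must not be group/world readable (chmod 600)", config_path, mode)
  end
  file = JSON.parse(File.read(config_path))
  missing.each do |k|
    v = file[k]
    creds[k] = v if v.is_a?(String) && !v.empty?
  end
  still_missing = CREDENTIAL_KEYS - creds.keys
  raise "missing #{still_missing.join(', ')} in #{config_path}" unless still_missing.empty?
  creds
end

# RFC 3986 percent-encoding as OAuth 1.0a requires (only unreserved chars kept).
def oauth_encode(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format("%%%02X", b) }.join }
end

# Signature base string: METHOD & encoded URL & encoded, sorted, encoded params.
def oauth1_base_string(method, url, params)
  normalized = params.map { |k, v| [oauth_encode(k), oauth_encode(v)] }
                     .sort
                     .map { |k, v| "#{k}=#{v}" }
                     .join("&")
  [method.to_s.upcase, oauth_encode(url), oauth_encode(normalized)].join("&")
end

# HMAC-SHA1 signature. This is the only place the secrets are used: they act as
# the signing key on the user's own machine and are never sent as parameters.
def oauth1_signature(method, url, params, consumer_secret, token_secret)
  key = "#{oauth_encode(consumer_secret)}&#{oauth_encode(token_secret)}"
  base = oauth1_base_string(method, url, params)
  Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new("sha1"), key, base))
end

# Stand-alone demo with a constructed credentials file and correct permissions.
if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    path = File.join(dir, "credentials.json")
    File.write(path, JSON.generate(CREDENTIAL_KEYS.to_h { |k| [k, "demo-#{k}"] }))
    File.chmod(0o600, path)
    creds = load_tumblr_credentials(env: {}, config_path: path)
    params = { "oauth_consumer_key" => creds["consumer_key"], "oauth_token" => creds["oauth_token"],
               "oauth_signature_method" => "HMAC-SHA1", "oauth_timestamp" => "1347650360",
               "oauth_nonce" => "demo-nonce", "oauth_version" => "1.0" }
    puts oauth1_signature("GET", "https://api.tumblr.com/v2/user/info", params,
                          creds["consumer_secret"], creds["oauth_token_secret"])
  end
end
```

Environment variables win over the file so the same plugin works unchanged under a process manager that injects secrets, and the permission check turns a common misconfiguration (a readable dotfile on a shared host) into a hard error at startup rather than a quiet leak.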
