Keeping OAuth keys safe in open-source projects


gcr

Sep 9, 2012, 11:02:33 PM
to tumbl...@googlegroups.com
Hey guys,

I'm writing a Tumblr client for Emacs. Because this is an open-source elisp project, I have to ship my API consumer key *and* my API secret key along with the rest of the source code, and Emacs makes it trivial to recover these variables while the program is running anyway.

Is this a problem? How do other open-source clients address this?

What's the right way of doing this? I don't want to set up a web proxy to proxy API calls (insecure/hassle).

John Bunting

Sep 9, 2012, 11:05:31 PM
to tumbl...@googlegroups.com
The best way to do this would be to have the user have some kind of configuration file where they would set their own consumer/secret keys or a set of environment variables that store this information.

So for example, my Ruby client requires either a .tumblr directory in your home directory or for you to set your tokens in the script you are writing.
--
John Bunting

Simplicity is prerequisite for reliability
    --Edsger W. Dijkstra


Otto

Sep 14, 2012, 4:22:26 PM
to tumbl...@googlegroups.com
What is a better way to do this?

I'm trying to write some open-source code to let end users authenticate to their Tumblr account and retrieve/post information from/to it, but obviously I cannot include a "secret" because then it wouldn't exactly be secret anymore...

Your proposed solution is to make all users of the code pretend that they are 'developers' and go through the process of creating their own OAuth apps just for them to use, then to copy and paste this large set of gibberish (to them) back into some configuration file somewhere or into some fields in the application.

This is an awful lot to ask of users just for their programs to be able to talk to Tumblr.

Note that the authentication worked fine with the old API. All the thing needed was their username and password, and it could talk to your servers just fine. But that's sort of off the table now that you disconnected everybody with no warning. Good job on that, BTW.

-Otto

John Bunting

Sep 14, 2012, 4:32:27 PM
to tumbl...@googlegroups.com

It really depends on what kind of an application you are writing. Is this a binary being distributed? Is it a web app that the user runs locally? Is the code being hosted somewhere? Are you writing a CLI app to just post things to Tumblr?

In general, you can see how any open-source Twitter project stores tokens for everyone, since they are still running the OAuth 1.0a spec. Generally, you make a config file and have the users place tokens in there.

There really isn't much more you can do.

Otto

Sep 14, 2012, 5:03:12 PM
to tumbl...@googlegroups.com
What I'm trying to write is a WordPress plugin. It's distributed as PHP code and run by users of WordPress. The code would be hosted on their own site, and used to import posts from Tumblr to WordPress, or possibly export posts from WordPress to Tumblr.

The need to have that OAuth 1.0a signature is the only thing holding me back, really. The callback stuff works fine and I can get it to connect okay, but I can't distribute a secret since the plugin is just plaintext code, visible to everybody. And I really don't want to proxy everything through wordpress.org, because there are privacy issues involved in that case, and frankly we don't want to have access to people's Tumblr accounts anyway, we want them to be able to access their own accounts, on their own websites.

I really wish you guys had gone with OAuth 2.0 instead, because then this would not be nearly as much of a problem. We could use some form of client-side authentication, much like Google permits, which doesn't need a secret or signature mechanism: https://developers.google.com/accounts/docs/OAuth2UserAgent

-Otto
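As an added illustration of the two points above (not code from this thread or from any of the clients mentioned): John's suggestion of reading the consumer key and secret from a config file or environment variables instead of shipping them in source, and Otto's point that OAuth 1.0a's HMAC-SHA1 signature needs the consumer secret as part of the signing key. The `~/.tumblr/credentials` KEY=VALUE layout, the variable names and the endpoint URL are assumptions for this example.

```ruby
require "openssl"
require "base64"

# Percent-encoding as RFC 5849 section 3.6 requires: only unreserved characters stay bare.
def oauth_encode(s)
  s.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format("%%%02X", b) }.join }
end

# Signature base string (RFC 5849 section 3.4.1): method, base URL, normalized params.
def signature_base_string(method, url, params)
  normalized = params.map { |k, v| [oauth_encode(k), oauth_encode(v)] }
                     .sort.map { |k, v| "#{k}=#{v}" }.join("&")
  [method.upcase, oauth_encode(url), oauth_encode(normalized)].join("&")
end

# HMAC-SHA1 signature. The signing key is "consumer_secret&token_secret", which is
# why a consumer secret shipped in plaintext source lets anyone sign as that app.
def oauth1_signature(method, url, params, consumer_secret, token_secret)
  key = "#{oauth_encode(consumer_secret)}&#{oauth_encode(token_secret)}"
  base = signature_base_string(method, url, params)
  Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new("sha1"), key, base))
end

# Parse a simple KEY=VALUE credentials file (assumed format, e.g. ~/.tumblr/credentials).
def parse_credential_file(text)
  text.each_line.with_object({}) do |line, acc|
    line = line.strip
    next if line.empty? || line.start_with?("#") || !line.include?("=")
    key, value = line.split("=", 2).map(&:strip)
    acc[key] = value
  end
end

# Resolve the consumer key and secret from the environment first, then from the config
# file text, and refuse to continue with either missing. Nothing is read from the source tree.
def load_credentials(env: ENV, config_text: "")
  from_file = parse_credential_file(config_text)
  creds = %w[TUMBLR_CONSUMER_KEY TUMBLR_CONSUMER_SECRET].each_with_object({}) do |name, acc|
    acc[name] = env[name] || from_file[name]
  end
  missing = creds.select { |_, v| v.nil? || v.empty? }.keys
  raise ArgumentError, "missing credentials: #{missing.join(', ')}" unless missing.empty?
  creds
end
```

A client would call `load_credentials(config_text: File.read(File.join(Dir.home, ".tumblr", "credentials")))` at startup and pass the resulting secret only into `oauth1_signature`, so the value never appears in the shipped code.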

John Bunting

Sep 14, 2012, 5:19:20 PM
to tumbl...@googlegroups.com

OAuth2 is coming. We're currently working on it. A year ago we didn't see enough of a real adoption to do it, but now most of the kinks seem to be working out. It was part of one of the first posts on the developers blog.

We will release more as we get closer to it being ready.

Are there any Twitter plugins for WordPress that auto-tweet you could base a design off of?

Otto

Sep 14, 2012, 5:50:18 PM
to tumbl...@googlegroups.com
There are indeed (my Twitter plugin is pretty popular), and yes, they have the same basic problem. Twitter's derpy API basically requires every user of the plugin to create their own developer application. Oh, and for extra enjoyment, Twitter's implementation of OAuth doesn't support oauth_callback, so you have to define your callback in the Application config in advance, and can't have it specified by the API call itself, so there are users constantly putting in the wrong callbacks when they create their own Application.

The process of creating a developer application is just highly user-unfriendly, basically, but end users, and not programmers, are the ones having to do just this sort of thing. There are 30 million odd websites running WordPress out there; the people running them and wanting to connect them to third-party services and systems aren't programmers.

Facebook has only recently recognized this fact and is revamping their process of App creation. Google has ways of getting around it for some calls, but for some specific cases it's still required (and their process is *extremely* user-unfriendly).

I'm not surprised by Tumblr getting it wrong too, but Tumblr is the only service I've seen that has a decent mechanism for feedback (this forum) where I could even air the problems out. Twitter has no such mechanism to tell them that their API is just broken.

-Otto

Weebs

Sep 15, 2012, 12:50:37 PM
to tumbl...@googlegroups.com
On the other hand if they did use your developer key and your key got revoked, you would have thousands of your "users" with the same problem. I think you need to rethink which API features you want to use when putting your code out there without accepting any responsibility for others doing things on your behalf.