Speaking from personal experience, Twitter will not allow you to have
your consumer secret in plain text in (visible form in) your code.
I am working with Raffi and Taylor on a solution for this with scripted
apps where such a secret must be handled securely.
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com
-- All I ask is a chance to prove money can't make me happy. ------------------
> > We just updated our Twitter plugin for WordPress to use the new
> > OAuth API. Someone just asked if it was safe to store the consumer
> > key and consumer secret in plain text (which it basically has to be
> > as I understand it, since ultimately it needs to be sent to the
> > server in a plain text form). I can't really think of a way that
> > would work for all end users to protect the two. Ultimately I
> > guess this means that someone could pretend to be our application
> > if they wanted? Anyone have any thoughts on this or any possible
> > work arounds?
>
> Speaking from personal experience, Twitter will not allow you to have
> your consumer secret in plain text in (visible form in) your code.
How do you propose people do that for desktop/mobile apps? You have to
install the code on the user device, and that device at some point has
to generate the consumer secret in clear text, so it can be signed. An
intruder can examine the code and intercept the secret.
--
Bernd Stramm
<bernd....@gmail.com>
Without jumping the gun too much on Raffi, for this particular class of apps
the application secret must be generated for each instance. The trick is
doing this without inconveniencing users or forcing them to "become
developers". Streamlining this process is what we're working out.
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com
-- PRIVACY. IT'S EVERYONE'S BUSINESS. -- Evil, Inc. ---------------------------