how to do this?


derek.riemer

Feb 13, 2014, 7:33:33 PM
to cu-ha...@googlegroups.com
Hi,
I am making a Twitter app for my screen reader.
The screen reader is open source. With Twitter I have to have a consumer key and consumer secret. I am curious to know how I can put the consumer secret in my program, which is open source as well, and not make it human readable. With an encryption key, the user could read the encryption key in the program, and unencrypt it there, so that is out of the question. I don't want people to have the details necessary to use OAuth for my app. Any responses would be appreciated.
Thanks,
Derek

Andy Sayler

Feb 13, 2014, 7:47:03 PM
to derek.riemer, cu-ha...@googlegroups.com
The normal solution to this issue is to put the keys in a separate config file that doesn't get committed to version control or shipped with the open source code dumps. People using your code should get their own API keys and put them in their own versions of the config file. Yours should stay private and not get distributed.

Eventually, you generally switch to a system for taking someone's normal Twitter (or API of your choice) login and generating the required keys automatically from that via OAuth, etc. Then users of your app just have to provide their login info when they start it the first time, similar to but simpler than adding their own API keys to a config file.

Even if you could magically protect your key while also shipping it with your app, that would be a bad idea. That key is tied to your Twitter identity, and thus anyone using your app would have their API activity logged to your account. That is bad. Users should be using their own API keys and/or Twitter login, not yours. The correct solution is to use OAuth or to for easier to get their own API keys.



derek.riemer

Feb 13, 2014, 7:57:46 PM
to cu-ha...@googlegroups.com, derek.riemer
um wrong post. Sorry, human error.

Andy Sayler

Feb 14, 2014, 12:43:59 AM
to derek.riemer, cu-ha...@googlegroups.com
On Thu, Feb 13, 2014 at 5:54 PM, derek.riemer <derek....@colorado.edu> wrote:
So I register an app with Twitter still? Then I use the person's web browser to connect with their Twitter account and get the required info, correct?

I'm not an expert on Twitter's API, but it looks like you're using the Application-Only Auth option. This option seems primarily designed for use by backend and private services, not multi-user apps. If you want a system that other people can use to access Twitter, you should probably switch to the alternate OAuth system, which is better designed for multi-user apps since it allows each user to log into the app using their own personal Twitter credentials, and then the app speaks with Twitter on the user's behalf.


-Andy
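
The separate-config-file approach from the first reply, sketched as an added example that is not part of the thread and not code from either poster. The `[twitter]` section, the option names, the placeholder strings and the `TWITTER_CONSUMER_*` environment variables are assumptions chosen for illustration.

```python
import configparser
import os
import stat
from pathlib import Path

# Template that ships with the public source. The real file is created from it
# by each user and is listed in .gitignore so it is never committed.
TEMPLATE = "[twitter]\nconsumer_key = YOUR_CONSUMER_KEY\nconsumer_secret = YOUR_CONSUMER_SECRET\n"
PLACEHOLDERS = {"", "YOUR_CONSUMER_KEY", "YOUR_CONSUMER_SECRET"}


class CredentialError(Exception):
    """Raised when API credentials are missing, unedited, or stored unsafely."""


def load_api_credentials(path, environ=None):
    """Return (consumer_key, consumer_secret) from the environment or a private file."""
    environ = os.environ if environ is None else environ
    # Hypothetical variable names; the environment takes precedence over the file.
    key = environ.get("TWITTER_CONSUMER_KEY", "")
    secret = environ.get("TWITTER_CONSUMER_SECRET", "")
    if not (key and secret):
        path = Path(path)
        if not path.is_file():
            raise CredentialError(f"{path} not found: copy the template and add your own keys")
        # On POSIX, refuse a secrets file that group or other users can access.
        if os.name == "posix" and stat.S_IMODE(path.stat().st_mode) & 0o077:
            raise CredentialError(f"{path} is accessible to other users: chmod 600 it")
        # interpolation=None so a '%' inside a secret is read literally.
        parser = configparser.ConfigParser(interpolation=None)
        parser.read(path, encoding="utf-8")
        key = parser.get("twitter", "consumer_key", fallback="")
        secret = parser.get("twitter", "consumer_secret", fallback="")
    key, secret = key.strip(), secret.strip()
    # Fail closed if the user never replaced the shipped template values.
    if key in PLACEHOLDERS or secret in PLACEHOLDERS:
        raise CredentialError("placeholder or empty credentials: register your own application")
    return key, secret
```
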

