Protected Resources requests need not be signed by the Consumer secret?


srikanth yaradla

Jul 25, 2009, 7:37:24 AM
to Twitter Development Talk
Hi
I am a newbie and I need clarification for the following

1)OAuth 1.0 specification says "All Token requests and Protected
Resources requests MUST be signed by the Consumer"

But Twitter doesn't seem to verify the signature for all requests. I
found out that signing the request by consumer secret is required only
for generating request token and request secret.
But for subsequent requests consumer secret is not required, e.g.
requesting access tokens or any protected resource (e.g. fetch direct
messages). Is this desired behavior?
Does Twitter verify the signature at all for protected resource
requests? (I verified with blank consumer secret, which means the
request is signed only by access secret.) Or am I missing something?

2) I am planning to write a desktop application. To protect the
consumer secret I am trying to introduce a proxy which generates the
request tokens/secrets, access tokens/secrets. If consumer secret is
not required for signing protected resource requests this setup would
work fine with me.
But the OAuth specification says you require both access secret and
consumer secret to sign the request
http://oauth.net/core/1.0/#anchor30

Experienced devs please clarify.

Regards
Srikanth

Duane Roelands

Jul 28, 2009, 9:00:03 AM
to Twitter Development Talk
I've been using both consumer keys to sign all of my requests from day
one.

I still think the issue is related to URL encoding somehow, because I
can successfully post tweets if they don't contain troublesome
characters (apostrophe, for example).

But, so long as Twitter remains silent, we'll never know.

On Jul 25, 7:37 am, srikanth yaradla <srikanth.yara...@gmail.com>
wrote:
> Hi
> I am a newbie and I need clarification for the following
>
> 1)OAuth 1.0 specification says "All Token requests and Protected
> Resources requests MUST be signed by the Consumer"
>
> But Twitter doesn't seem to verify the signature for all requests. I
> found out that signing the request by consumer secret is required only
> for generating request token and request secret.
> But for subsequent requests consumer secret is not required, e.g.
> requesting access tokens or any protected resource (e.g. fetch direct
> messages). Is this desired behavior?
> Does Twitter verify the signature at all for protected resource
> requests? (I verified with blank consumer secret, which means the
> request is signed only by access secret.) Or am I missing something?
>
> 2) I am planning to write a desktop application. To protect the
> consumer secret I am trying to introduce a proxy which generates the
> request tokens/secrets, access tokens/secrets. If consumer secret is
> not required for signing protected resource requests this setup would
> work fine with me.
> But the OAuth specification says you require both access secret and
> consumer secret to sign the request

srikanth reddy

Jul 28, 2009, 10:38:01 AM
to twitter-deve...@googlegroups.com
I don't think you got my point. Whether you were signing using both secrets or one secret doesn't matter because Twitter wasn't verifying the signature at all. Now they have fixed this and all your protected service requests must be signed by both secrets.
My problem is how to protect the consumer secret. Looks like I can't protect it, as this is the case with desktop clients using OAuth.
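The first post asks whether a protected-resource request signed with a blank consumer secret should verify, and the reply above states that the provider must check both secrets. The following is an added example (not code from this thread, from Twitter, or from any OAuth library) that implements the OAuth 1.0 HMAC-SHA1 signing described at the linked spec section: the signature base string is built from the method, base URL and normalized parameters, and the HMAC key is `percent(consumer_secret) & percent(token_secret)`. A server-side `verify` recomputes the signature with the secrets it holds, so a request signed with an empty consumer secret only verifies if the server also omits that secret, which is the gap the poster observed. The sample request, secrets and expected base string are taken from RFC 5849 section 3.4.1.1; the function and constant names are this example's own.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlparse


def pct(value):
    """Percent-encode per RFC 3986 / OAuth 1.0: only the unreserved set is left bare."""
    return quote(str(value), safe="-._~")


def normalized_params(url, params):
    """Collect query-string and body/header parameters, drop oauth_signature,
    percent-encode keys and values, sort by key then value, and join with '&'.
    `params` is a list of (key, value) pairs so duplicate keys are preserved."""
    pairs = list(parse_qsl(urlparse(url).query, keep_blank_values=True)) + list(params)
    pairs = [(k, v) for k, v in pairs if k != "oauth_signature"]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def base_url(url):
    """Scheme and host lowercased, query and fragment removed, default port dropped."""
    p = urlparse(url)
    host = p.hostname or ""
    if p.port and not ((p.scheme == "http" and p.port == 80) or (p.scheme == "https" and p.port == 443)):
        host = f"{host}:{p.port}"
    return f"{p.scheme.lower()}://{host}{p.path}"


def signature_base_string(method, url, params):
    return "&".join([method.upper(), pct(base_url(url)), pct(normalized_params(url, params))])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with consumer_secret & token_secret.
    An empty token_secret is legitimate only for the request-token step."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify(method, url, params, consumer_secret, token_secret, presented_signature):
    """Provider-side check: recompute with the secrets the server holds and compare
    in constant time. Both secrets are part of the key, so a client that signed with
    a blank consumer secret cannot produce a matching value."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented_signature)


# Sample request from RFC 5849 section 3.4.1.1 (query in the URL, remaining
# parameters from the Authorization header and the form body).
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_PARAMS = [
    ("oauth_consumer_key", "9djdj82h48djs9d2"),
    ("oauth_token", "kkk9d7dh3k39sjv7"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "137131201"),
    ("oauth_nonce", "7d8f3e4a"),
    ("c2", ""),
    ("a3", "2 q"),
]
RFC_CONSUMER_SECRET = "j49sk3j29djd"
RFC_TOKEN_SECRET = "dh893hdasih9"
# Expected base string as printed in RFC 5849 section 3.4.1.1.
RFC_BASE_STRING = (
    "POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da"
    "%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2"
    "%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1"
    "%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7"
)


def blank_consumer_secret_is_rejected():
    """The scenario from the first post: a client signs with the token secret only.
    Returns True when a correctly configured provider rejects that request."""
    weak = sign("POST", RFC_URL, RFC_PARAMS, "", RFC_TOKEN_SECRET)
    return not verify("POST", RFC_URL, RFC_PARAMS, RFC_CONSUMER_SECRET, RFC_TOKEN_SECRET, weak)


if __name__ == "__main__":
    good = sign("POST", RFC_URL, RFC_PARAMS, RFC_CONSUMER_SECRET, RFC_TOKEN_SECRET)
    print("base string matches RFC:", signature_base_string("POST", RFC_URL, RFC_PARAMS) == RFC_BASE_STRING)
    print("properly signed request verifies:", verify("POST", RFC_URL, RFC_PARAMS, RFC_CONSUMER_SECRET, RFC_TOKEN_SECRET, good))
    print("blank consumer secret rejected:", blank_consumer_secret_is_rejected())
```

A provider that accepts the token-secret-only signature has effectively dropped the consumer secret from the key, which is exactly what the original poster observed; `verify` makes that visible as a failed comparison. In a real provider the same check is paired with a timestamp window and a nonce cache so a captured signature cannot be replayed, which this example leaves out.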

Duane Roelands

Jul 28, 2009, 10:43:07 AM
to Twitter Development Talk
I have the same issue with my application. Desktop apps are forced to
either embed the consumer keys in source code or construct some sort
of elaborate server mechanism. There's no good answer here.

When my application approaches 1.0 release, I'll probably use
Dotfuscator or something similar to help protect the keys that are in
the source. It won't stop a determined attacker, but it will at least
deter the less-determined ones.

On Jul 28, 10:38 am, srikanth reddy <srikanth.yara...@gmail.com>
wrote:
> I don't think you got my point. Whether you were signing using both secrets
> or one secret doesn't matter because Twitter wasn't verifying the signature at
> all. Now they have fixed this and all your protected service requests must
> be signed by both secrets.
> My problem is how to protect the consumer secret. Looks like I can't protect
> it, as this is the case with desktop clients using OAuth.