I don't want to share my consumer secret with you! ... But how do I do it? [distributed application]


#1

Hey,

I’m coding a future distributed web application (a kind of Twitter friend discovery tool).
When I say “distributed application”, I mean that people download my source code and upload it to their FTP server. They launch their browser, go to their web page and connect my application with their Twitter account. And it works.

OK, but… how do I distribute my app without putting my consumer secret in the source code? I don’t want people to have to create a new app on “twitter.com/apps” and put in their own key… it really isn’t practical for them.

Thanks in advance.


#2

There’s no practical way to distribute the consumer key and secret without compromising a little bit of security in the process. You’re not strictly forbidden from distributing unprivileged keys & secrets (you must use a standard OAuth flow), but you also take a certain amount of responsibility for the API keys and the potential abuse that can arise from having them publicly available.

I recommend making it easy for you to distribute new releases to update API keys when it is necessary for them to be reset as the result of abuse. Make sure that your contact information associated with the application and account are complete & accurate.

Another alternative is omitting API keys and asking users installing the application to register an application on dev.twitter.com and then import their keys into the application.
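To make the two points above concrete, here is an added example (not code from the thread or from Twitter): the OAuth 1.0a HMAC-SHA1 signing step from RFC 5849, which shows that the consumer secret is literally half of the signing key, next to a loader for the "each user registers their own app" option that reads credentials from a per-install file outside the distributed source tree. Function names, the config file path and all sample values are assumptions.

```python
# Added example: OAuth 1.0a request signing (RFC 5849) plus per-install credential loading.
import base64
import hashlib
import hmac
import json
from urllib.parse import quote

def percent_encode(value):
    # RFC 5849 section 3.6: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    # params holds the oauth_* and query/body parameters, never oauth_signature itself.
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(url), percent_encode(normalized)])

def sign(base_string, consumer_secret, token_secret=""):
    # Signing key = consumer_secret '&' token_secret. Before any token exists the
    # consumer secret alone proves "this request comes from the registered app",
    # which is exactly what a published secret gives away.
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def validate_credentials(creds, source="config"):
    # Refuse to run with missing or placeholder keys instead of silently
    # falling back to a secret baked into the distributed source.
    key = creds.get("consumer_key", "")
    secret = creds.get("consumer_secret", "")
    if not key or not secret or secret == "REPLACE_ME":
        raise RuntimeError(f"no usable consumer credentials in {source}; "
                           "register your own app on dev.twitter.com and fill them in")
    return key, secret

def load_consumer_credentials(path):
    # Hypothetical per-install JSON file kept outside the web root (e.g. ../oauth.json).
    with open(path) as f:
        return validate_credentials(json.load(f), path)

if __name__ == "__main__":
    # Constructed sample values, not real Twitter credentials.
    params = {"oauth_consumer_key": "demo-key", "oauth_nonce": "n1",
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1300000000",
              "oauth_version": "1.0", "oauth_callback": "http://localhost/cb"}
    base = signature_base_string("POST", "https://api.twitter.com/oauth/request_token", params)
    print(base, sign(base, "demo-secret"), sep="\n")
```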


#3

Thank you!

It’s clear to me now.
But specifically, what risks do I take by broadcasting my secret key?

Can Twitter block my API key because some users abuse my app? (=> too many requests? fraudulent use?)

Thank you again.


#4

That’s why they made OAuth 2.0, but Twitter hasn’t upgraded to it yet.