Is it good to implement OAuth in JS and expose the Consumer Secret and Key?


#1

I want to develop a Twitter client for Chrome. I have seen the JS files of existing Twitter extensions for Chrome and found that their consumer keys and secrets are exposed. I believe that's not the way it should be.

I want to share my opinion, which is to do it server side. Users need to sign up on my website, where I have OAuth, and I will save their access tokens. When they install my Chrome extension, I will ask them to log in, and every time they tweet, I will fetch their access tokens online and make their tweet possible.

In this way, my keys will remain hidden. I don’t want to use Chrome OAuth. (http://code.google.com/chrome/extensions/tut_oauth.html)

Do you think my server-side implementation of OAuth is better than a JS implementation?


#2

Yes, I think it is vastly superior with OAuth 1.0A to use a server-side approach. However, you’ll need to ensure that the procedure for negotiating and obtaining access tokens from your server is as secure as possible, which yields many of the same issues you would face by just including keys within the application/extension.