How do I store the OAuth v1 consumer key and secret for an open source desktop Twitter client without revealing it to the user?
Posted
by
Justin Dearing
on Programmers
See other posts from Programmers
or by Justin Dearing
Published on 2011-08-08T01:24:51Z
Indexed on
2012/09/12
15:50 UTC
Read the original article
Hit count: 329
I want to make a thick-client, desktop, open source twitter client. I happen to be using .NET as my language and Twitterizer as my OAuth/Twitter wrapper, and my app will likely be released as open source.
To get an OAuth token, four pieces of information are required:
- Access Token (twitter user name)
- Access Secret (twitter password)
- Consumer Key
- Consumer Secret
The second two pieces of information are not to be shared, like a PGP private key. However, due to the way the OAuth authorization flow is designed, these need to be on the native app. Even if the application was not open source, and the consumer key/secret were encrypted, a reasonably skilled user could gain access to the consumer key/secret pair.
So my question is, how do I get around this problem? What is the proper strategy for a desktop Twitter client to protect its consumer key and secret?
© Programmers or respective owner