How do I store the OAuth v1 consumer key and secret for an open source desktop Twitter client without revealing it to the user?

Posted by Justin Dearing on Programmers See other posts from Programmers or by Justin Dearing
Published on 2011-08-08T01:24:51Z Indexed on 2012/09/12 15:50 UTC
Read the original article Hit count: 329

I want to make a thick-client, desktop, open source twitter client. I happen to be using .NET as my language and Twitterizer as my OAuth/Twitter wrapper, and my app will likely be released as open source.

To get an OAuth token, four pieces of information are required:

  1. Access Token (twitter user name)
  2. Access Secret (twitter password)
  3. Consumer Key
  4. Consumer Secret

The second two pieces of information are not to be shared, like a PGP private key. However, due to the way the OAuth authorization flow is designed, these need to be on the native app. Even if the application was not open source, and the consumer key/secret were encrypted, a reasonably skilled user could gain access to the consumer key/secret pair.

So my question is, how do I get around this problem? What is the proper strategy for a desktop Twitter client to protect its consumer key and secret?

© Programmers or respective owner

Related posts about open-source

Related posts about desktop-application