I want to make a thick-client, desktop, open source twitter client. I happen to be using .NET as my language and Twitterizer as my OAuth/Twitter wrapper, and my app will likely be released as open source.
To get an OAuth token, four pieces of information are required:
- Access Token (twitter user name)
- Access Secret (twitter password)
- Consumer Key
- Consumer Secret
The second two pieces of information are not to be shared, like a PGP private key. However, due to the way the OAuth authorization flow is designed, these need to be on the native app. Even if the application was not open source, and the consumer key/secret were encrypted, a reasonably skilled user could gain access to the consumer key/secret pair.
So my question is, how do I get around this problem? What is the proper strategy for a desktop Twitter client to protect its consumer key and secret?
Best Answer
Section 4.6 of RFC 5849, which defines OAuth 1, states that the consumer secret was never intended for use by desktop consumers, despite Twitter's use thereof in practice. As Nelson Elhage pointed out in "Dear Twitter", Twitter can and does terminate consumer keys of desktop clients, provided that the client isn't too big to fail. But there are two workarounds to allow use of OAuth 1 in a desktop or mobile application.
One way is to proxy the entire Twitter protocol through a server that you operate. This way, the consumer secret stays on your server. This is the workaround recommended by Dick Hardt, editor of the OAuth 1 spec. This workaround does not address the cost of operating this server.
The other way, as suggested in a post by Raffi Krikorian to the Twitter development talk Google group and a post by Chris Steipp to a Wikipedia mailing list, is to "have each user register their copy of your desktop application as its own consumer." Then the user would copy and paste the newly registered consumer key and consumer secret into your application. The manual for your application would then need to include detailed instructions on how to register a new application on Twitter's developer site. This official limitation has a few practical problems: