开发者

OAuth consumer keys in plugins

What is the best way to handle consumer secret keys for OAuth in plugins that will be distributed with/as source code (e.g. Wordpress plugins that access Delicious or Twitter)? I know OAuth is not designed with this in mind, an开发者_StackOverflow社区d there are proposals to solve it, but what is the best practice at this moment?

There seem to be two approaches to this:

  1. Put your consumer secret in the source code (maybe obfuscate it a little bit), and hope no-one will abuse it and get your app banned. If someone does, request a new key and issue an update to your software. This is what Twitter recommends for the moment.
  2. Tell everyone to get their own consumer key. This might confuse non-developers who just know how to install a plugin, and hinders a quick try-out of your software

Are there any providers that help you automate the second step? So that your server could contact the provider and generate a new consumer secret, that is somehow linked to your app, but still unique? Or are there other approaches that are feasible?


A third option is to host a web application that acts as a proxy to whatever OAuth service you are using. All of your API keys stay under your control on your server. The downside is that you need to spend money to keep a machine running. As a bonus you can collect some analytics on the usage of your plugin.

Option two is possible if you think your users will be technical enough to generate their own API keys. I've implemented this method and it's a pain to support.

I don't recommend the first approach as people could steal your OAuth key and pretend to be your application. Once your API key is in the wild, the service will block your API key and your plugin will stop working. Then you'll scramble to try and upgrade a bunch of code that you don't have control of anymore.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜