How does one use oauth in a FLOSS app where we can't keep a secret key?
How does one use oauth in a FLOSS app where we can't keep a secret key? If other see the secret and the key, can't he 开发者_如何学运维use it to use the user account as if he where me?
I have dealt with the issue in my own open source Twitter apps.
You do NOT distribute the ConsumerKey or ConsumerKeySecret with your source code. A reasonable approach is to create two constants/global variables (or whatever) that hold these values, and these are EMPTY in the source that you publish. Include some documentation that explains to other developers how to acquire their own keys and how to modify the source to install them.
If you are distributing compiled binaries, you would compile with the ConsumerKey and ConsumerKeySecret values populated so the application runs.
There is no -perfectly secure- way to handle this; it's the nature of OAuth. You can, however, be -reasonably- secure, and that's what this approach achieves.
精彩评论