How is it possible to not expose your secret key with a JavaScript OAuth library?

Backend | Unresolved | 3 | 1249
一向 2021-02-02 10:09

Looking at Twitter OAuth Libraries, I saw this note:

Be cautious when using JavaScript with OAuth. Don't expose your keys.

Then, lo

3 answers
  • 傲寒 (original poster)
    2021-02-02 11:06

    The only really reasonable way, right now, to do OAuth 1 in the browser, is to route API-calls via your server.

    There simply is no way, as far as I have understood it, around this. If you do OAuth 1.0a calls through JavaScript from the browser, you will HAVE to expose your consumer secret and access token secret, at least to the end user.

    You cannot store these credentials in:

    • a cookie, the user can find them.
    • local storage, the user can find them (better than a cookie though, since it does not entail sending a cookie back and forth all the time over HTTP).
    • in JavaScript, the user can find them (although this is probably your best bet since it is easier to obscure).

    If it were only the access token secret that was exposed to the end user, that would be bearable, since it is in fact he/she who has authenticated your application. But losing your consumer secret is really not so hot: it means that your application is eligible for identity theft. I.e. someone else could write an app that claims to be your app.

    Even if you made it work securely in the browser, you are hampered by cross domain security blocks.
