问题
I'm creating a Wordpress plugin for collectively managing a Twitter account. I want to allow the user to add accounts via the Admin panel similar to the way twitterfeed.com does.
However, the only way I can see of doing it is to get the user to sign in to their account, register the application under a unique name and paste in the Consumer Key and Consumer Secret to my application.
What are the security repercussions of simply distributing a single Consumer Key and Consumer Secret with my plugin, so that I can get the Request Token and Access Token and minimise the effort required by the user?
回答1:
As I understand it, the biggest issue (I'm not sure it's necessarily a security issue) is that someone will use your Key/Secret inappropriately (let's say a spamming application) causing it to get revoked. At that point, every instance of your plug-in will fail to authenticate and you'll have to generate a new one, incorporate it in your plug-in and get all the users to update. Which is probably not ideal...
Ars Technica had a pretty good write-up about it here
来源:https://stackoverflow.com/questions/4057277/oauth-consumer-secret-in-open-source-applications