OAuth - Consumer secret in open-source applications

故事扮演 提交于 2020-01-03 08:35:31

问题


I'm creating a Wordpress plugin for collectively managing a Twitter account. I want to allow the user to add accounts via the Admin panel similar to the way twitterfeed.com does.

However, the only way I can see of doing it is to get the user to sign in to their account, register the application under a unique name and paste in the Consumer Key and Consumer Secret to my application.

What are the security repercussions of simply distributing a single Consumer Key and Consumer Secret with my plugin, so that I can get the Request Token and Access Token and minimise the effort required by the user?


回答1:


As I understand it, the biggest issue (I'm not sure it's necessarily a security issue) is that someone will use your Key/Secret inappropriately (let's say a spamming application) causing it to get revoked. At that point, every instance of your plug-in will fail to authenticate and you'll have to generate a new one, incorporate it in your plug-in and get all the users to update. Which is probably not ideal...

Ars Technica had a pretty good write-up about it here



来源:https://stackoverflow.com/questions/4057277/oauth-consumer-secret-in-open-source-applications

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!