I have been working on setting up a service provider and saw that, to make a request on behalf of a user, all that seems to be needed is the Consumer Key/Secret and the Token Key/Secret.
What stops a consumer from registering with my service provider, getting some users to authorize access to some of their data, and then giving the access token and consumer information away to a 3rd party?
Does this come down to a trust issue that we have to put trust in our consumers that they wouldn't do this? Is there any wa开发者_运维百科y we can prevent this kind of activity via any monitoring? We want to provide an OAuth solution but we don't want to have to worry extensively about a malicious consumer.
Thanks for any insight.
There are four tokens involved in Twitter's OAuth implementation.
- Consumer Key
- Consumer Key Secret
- OAuth Token
- Oauth Token Secret
In the case of a web application, the end user never has access to tokens 1 & 2 because they're never transmitted to the client. The communication with the Twitter API is server-to-server. In this scenario, there's less risk.
In the case of a desktop application, the "Consumer" keys are usually embedded in the binary in some way. This is an acknowledged security problem with Twitter's implementation of OAuth. A determined person can decompile/crack/unobfuscate just about any binary to get your Consumer Keys.
So, to answer your question: In the case of desktop/mobile apps, it's absolutely a question of trust. In the case of web apps, it is less so.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论