
What is the best way to handle consumer secret keys for OAuth in plugins that will be distributed with/as source code (e.g. Wordpress plugins that access Delicious or Twitter)? I know OAuth is not designed with this in mind, and there are proposals to solve it, but what is the best practice at this moment?

There seem to be two approaches to this:

  1. Put your consumer secret in the source code (maybe obfuscate it a little bit), and hope no-one will abuse it and get your app banned. If someone does, request a new key and issue an update to your software. This is what Twitter recommends for the moment.
  2. Tell everyone to get their own consumer key. This might confuse non-developers who just know how to install a plugin, and hinders a quick try-out of your software.

Are there any providers that help you automate the second step? So that your server could contact the provider and generate a new consumer secret, that is somehow linked to your app, but still unique? Or are there other approaches that are feasible?

Jan Fabry
  • Is this still the best advice, to obfuscate the key? Let's not call that security, though, ok? What did WordPress end up doing? – Doug Blank Feb 28 '11 at 19:56
  • @DSBlank: There is no official WordPress solution since this is handled in plugins developed by external developers. So there could be multiple implementations that use different strategies. I believe [the second version of OAuth removes the need for secret consumer keys](http://hueniverse.com/2010/05/introducing-oauth-2-0/), but I'm not sure about that. – Jan Fabry Feb 28 '11 at 20:06

1 Answer

A third option is to host a web application that acts as a proxy to whatever OAuth service you are using. All of your API keys stay under your control on your server. The downside is that you need to spend money to keep a machine running. As a bonus you can collect some analytics on the usage of your plugin.

Option two is possible if you think your users will be technical enough to generate their own API keys. I've implemented this method and it's a pain to support.

I don't recommend the first approach as people could steal your OAuth key and pretend to be your application. Once your API key is in the wild, the service will block your API key and your plugin will stop working. Then you'll scramble to try and upgrade a bunch of code that you don't have control of anymore.

devin_s
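As an added illustration of the proxy option in this answer (not code from the answer or from any real plugin), the following sketches the two halves: what the distributed plugin sends, and what the proxy does with it. It assumes OAuth 1.0a with HMAC-SHA1 (what Twitter and Delicious used at the time), a made-up plugin-to-proxy message format, and placeholder credentials; the point is that the consumer secret and the users' token secrets exist only in the proxy process.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit

# Proxy-side state. Constructed placeholder values, not real credentials: in a
# deployment they live only on the proxy host and never ship in the plugin.
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"
# Per-install access tokens the proxy obtained when each user authorised it.
USER_TOKENS = {"install-42": ("example-user-token", "example-user-token-secret")}

def pct(value) -> str:
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters pass through.
    return quote(str(value), safe="-._~")

def signature_base_string(method: str, url: str, params: dict) -> str:
    # RFC 5849 section 3.4.1: METHOD & base URI (no query) & normalised parameters.
    p = urlsplit(url)
    base_url = urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))
    pairs = list(parse_qsl(p.query, keep_blank_values=True)) + list(params.items())
    normalised = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalised)])

def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str) -> str:
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

def plugin_request(install_id: str, method: str, url: str, params: dict) -> dict:
    """What the distributed plugin sends to the proxy: an install identifier and the
    API call it wants made. No consumer key or secret exists on the plugin side."""
    return {"install_id": install_id, "method": method, "url": url, "params": params}

def proxy_sign(request: dict, nonce=None, timestamp=None) -> dict:
    """Proxy side: look up the install's user token and sign the call with the
    consumer secret only the proxy holds; the header is forwarded to the provider."""
    token, token_secret = USER_TOKENS[request["install_id"]]
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    base = signature_base_string(request["method"], request["url"], {**request["params"], **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, CONSUMER_SECRET, token_secret)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return {"authorization": header, "signature": oauth["oauth_signature"], "base_string": base}
```

A real proxy would also authenticate the plugin install before signing anything for it, otherwise the proxy merely becomes the thing an attacker borrows instead of the key.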