15

I am developing an open source Python-powered Twitter client, and to access the Twitter API and login using OAuth, I have registered my client with Twitter and they have given me a unique consumer key and consumer token (henceforth to be referred to as "developer key"). These are unique to my client, and all copies of my client have to use the same developer key. Now, I have to use the developer key in a Python script (main.py) and since it is a script, there is no binary. Also, I have to upload my code to GitHub since I am using git on GitHub for content tracking. How do I keep my developer key secret? Please keep in mind that I plan to distribute the same client to users.

A keyring seems the best option, but I want a way that only the application can access the keyring, not even its users (outside the application). And nobody should be able to figure out how to access the keyring by looking at my code.

Note: "To use the Twitter API, the first thing you have to do is register a client application. Each client application you register will be provisioned a consumer key and secret. This key and secret scheme is similar to the public and private keys used in protocols such as ssh for those who are familiar. This key and secret will be used, in conjunction with an OAuth library in your programming language of choice, to sign every request you make to the API. It is through this signing process that we trust that the traffic that identifies itself is you is in fact you." - http://dev.twitter.com/pages/auth

tarantinofan
  • I don't think this is possible. Given any proposed mechanism, why couldn't I just duplicate the code that implements it and run it external to the application? – aaronasterling Jan 05 '11 at 04:56
  • you should use xAuth to get an OAuth key from the user's name and password and then use that OAuth key to do the requests – Dan D. Jan 05 '11 at 06:02
  • A developer needs to explain to Twitter his / her reasons for wanting xAuth, before getting permission to use xAuth. – tarantinofan Jan 05 '11 at 06:42

5 Answers

8

You can use OAuth.io for this purpose.

The concept is simple:

  • you just have to put your API Keys in the key manager of OAuth.io
  • in your source code, use the OAuth.io's public key

Your secret key won't be leaked in this way.

Check this blogpost using Twitter API with OAuth.io: http://blog.oauth.io/api-call-using-twitter-api/

The complete sample code (in javascript) is on JSFiddle: http://jsfiddle.net/thyb/kZExJ/5

$('button').click(function() {
    OAuth.initialize('oEcDIQahkO4TUAND-yTs-H6oY_M') //OAuth.io public key
    OAuth.popup('twitter', function(err, res) {
        // res contains tokens (res.oauth_token and res.oauth_token_secret)
        res.get('/1.1/statuses/home_timeline.json').done(function(data) {
            // do what you want with data
        })
    })
})
Thibaud Arnault
4

Extending on Apalala's answer, I believe what is meant is a 'proxy' web service. People send you their requests and you sign them on their behalf and send them to Twitter, once they allow your application access, of course.

You don't have to worry about people spamming you because they will have to log in to Twitter anyway to use it.

Only problem, like anywhere else, is how do I trust your application enough to allow it in the first place :)

Bharath
3

The key must be outside the source code, and be passed to the program through the command line or a configuration file. There's no way to hide the key if you embed it in the source code (a debugger, for instance, will show it).

More importantly, to avoid collisions or users getting to know the key, one should not have different users share the same key. What's typically done is to set up a web service that knows the key and talks to the final server (Twitter). The client software would communicate with the service using a per-user key.

Apalala
  • I think a web service would be the best option, but someone could spoof it to get the key, right? The key that I am talking about is the "consumer key" and "consumer secret" that are the same across all instances of my client. – tarantinofan Jan 05 '11 at 05:37
  • 1
    How can they spoof a webservice that is on your hardware? Python client -> your web service (using whatever authentication you want your users to use with you) -> twitter api (using your consumer key and secret). All the users can do is hit your webservice, which would require some form of authentication (such as a key you distribute to each user). – Michael Shimmins Jan 05 '11 at 06:04
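A sketch of the signing proxy that Apalala's and Bharath's answers describe, added here as an example; it is not code from either answer, from the asker's client, or from Twitter. The consumer key and secret exist only inside SigningProxy (the developer's server); the distributed Python client holds nothing but a per-user proxy token and receives a finished Authorization header back. ApiStub stands in for Twitter's server so the round trip can be checked offline. The class names, the proxy-token scheme and every credential string below are assumptions or constructed sample values; the signing itself follows RFC 5849 (OAuth 1.0a, HMAC-SHA1).

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlparse


def pct(s):
    """RFC 5849 section 3.6 percent-encoding: only unreserved chars are kept."""
    return quote(str(s), safe="-._~")


def signature_base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD & base-URL & normalized parameters."""
    u = urlparse(url)
    default_port = {"http": 80, "https": 443}.get(u.scheme.lower())
    host = u.hostname + ("" if u.port in (None, default_port) else f":{u.port}")
    base_url = f"{u.scheme.lower()}://{host}{u.path}"
    # Query-string, body and oauth_* parameters are all encoded, then sorted
    # by encoded key and value, before being joined with '&'.
    pairs = sorted((pct(k), pct(v)) for k, v in
                   list(params) + parse_qsl(u.query, keep_blank_values=True))
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """RFC 5849 section 3.4.2: key = encoded consumer secret & token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


class SigningProxy:
    """Runs on the developer's server: the only holder of the consumer secret.

    Clients authenticate with a per-user proxy token (hypothetical scheme) and
    get back a ready-made Authorization header, never the consumer secret."""

    def __init__(self, consumer_key, consumer_secret):
        self._ck = consumer_key
        self._cs = consumer_secret
        self._users = {}  # proxy token -> (oauth_token, oauth_token_secret)

    def register_user(self, oauth_token, oauth_token_secret):
        # Called once the user has completed the Twitter OAuth flow via the proxy.
        proxy_token = secrets.token_urlsafe(32)
        self._users[proxy_token] = (oauth_token, oauth_token_secret)
        return proxy_token

    def sign(self, proxy_token, method, url, body_params=None,
             nonce=None, timestamp=None):
        if proxy_token not in self._users:
            raise PermissionError("unknown proxy token")
        token, token_secret = self._users[proxy_token]
        oauth = {
            "oauth_consumer_key": self._ck,
            "oauth_nonce": nonce or secrets.token_hex(16),
            "oauth_signature_method": "HMAC-SHA1",
            "oauth_timestamp": str(timestamp or int(time.time())),
            "oauth_token": token,
            "oauth_version": "1.0",
        }
        params = list(oauth.items()) + list((body_params or {}).items())
        base = signature_base_string(method, url, params)
        oauth["oauth_signature"] = hmac_sha1_signature(base, self._cs, token_secret)
        return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"'
                                    for k, v in sorted(oauth.items()))


class ApiStub:
    """Stand-in for the API server: it knows the consumer secret and each
    user's token secret, so it can recompute and check the signature."""

    def __init__(self, consumer_secret, token_secrets):
        self._cs = consumer_secret
        self._token_secrets = token_secrets

    def verify(self, method, url, body_params, auth_header):
        if not auth_header.startswith("OAuth "):
            return False
        fields = {}
        for part in auth_header[len("OAuth "):].split(", "):
            k, v = part.split("=", 1)
            fields[unquote(k)] = unquote(v.strip('"'))
        presented = fields.pop("oauth_signature", "")
        token_secret = self._token_secrets.get(fields.get("oauth_token"), "")
        base = signature_base_string(
            method, url, list(fields.items()) + list(body_params.items()))
        expected = hmac_sha1_signature(base, self._cs, token_secret)
        return hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    proxy = SigningProxy("app-consumer-key", "app-consumer-secret")
    api = ApiStub("app-consumer-secret", {"user-token": "user-token-secret"})
    my_token = proxy.register_user("user-token", "user-token-secret")
    url = "https://api.twitter.com/1.1/statuses/update.json"
    body = {"status": "Hello from the proxy"}
    header = proxy.sign(my_token, "POST", url, body)
    print(header)
    print("valid:", api.verify("POST", url, body, header))
    print("tampered:", api.verify("POST", url, {"status": "spam"}, header))
```

Only the proxy token and the request the client wants sent cross the wire between client and proxy; a copy of the client taken apart with a debugger yields that user's proxy token and nothing else, which the proxy can revoke or rate-limit individually. A real deployment would also run the OAuth authorization handshake (request token, redirect, access token) on the proxy and store the resulting token secrets there, which this sketch omits.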
1

I would not distribute any key with the code; if people want to use it, they will just have to apply for their own key. Any other approach can be abused.

Hugh Bothwell
  • The key that I am talking about is the "consumer key" and "consumer secret" that are the same across all instances of my client. – tarantinofan Jan 05 '11 at 05:40
0

Create a configuration file where you will keep the key. Do not post the original configuration file to GitHub.

You can use the Python Config Module (overkill) or YAML (my choice) or plain files.

If you want people just to get up and running, you can create a prompt which runs only the first time on a system and generates the configuration file by taking user input.

sheki
  • I haven't posted anything to GitHub. :) Currently, the consumer secret and the consumer key reside in .gitignore. But when people start using it, they will need the same consumer secret and consumer key since these identify all instances of the client. – tarantinofan Jan 05 '11 at 05:41