I'd like to do OAuth for Twitter from an iPhone app. But doing so implies that I need to have my API secret alongside my API key baked into the application binary. This is obviously undesirable.

Facebook supports the notion of a session proxy to get around the parallel issue with their API.

Can I do something like this for Twitter?

+10  A: 

Short answer: No.

OAuth was created for and works really well for web applications. It's a square peg in a round hole for native applications. Specification 1.0a was supposed to make it more viable for native applications, but it does little to help.

As you pointed out, one of the main problems with it is that the consumer keys have to be stored in the application. Not a problem for web applications where access to the source is limited, but a big problem for native applications.

The other major problem has to do with it providing no additional security over standard login forms for native applications, but I won't get into that.

But since Twitter is forcing it on you if you want access to higher rate limits and your application name associated with Tweets, you have little choice.

The only way to avoid having the consumer key in your application code is to proxy all requests through your own server.

chrissr
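
The proxy approach from the answer above, sketched as an added example that is not part of the original answer: the server signs each OAuth 1.0a request (HMAC-SHA1) so the consumer secret never ships in the app binary. The names `sign_for_client`, `base_string`, `pct`, the environment variable names, the constructed fallback values and the `api.example.com` URL are assumptions for illustration; the proxy is assumed to look up the user's token and token secret from its own session store.

```python
import base64, hashlib, hmac, os, secrets, time
from urllib.parse import quote

# Assumption: the consumer credentials exist only in the proxy's environment.
# The fallback values are constructed placeholders so the example runs offline.
CONSUMER_KEY = os.environ.get("CONSUMER_KEY", "constructed-consumer-key")
CONSUMER_SECRET = os.environ.get("CONSUMER_SECRET", "constructed-consumer-secret")

def pct(value):
    """Percent-encode as OAuth 1.0a requires: only unreserved characters stay."""
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """Signature base string: METHOD & encoded URL & encoded, sorted parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign_for_client(method, url, request_params, token, token_secret,
                    nonce=None, timestamp=None):
    """Build the Authorization header the proxy attaches before forwarding."""
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    # The signing key combines the consumer secret and the user's token secret;
    # both stay on the server, only the resulting signature leaves it.
    key = f"{pct(CONSUMER_SECRET)}&{pct(token_secret)}".encode()
    msg = base_string(method, url, {**request_params, **oauth}).encode()
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    oauth["oauth_signature"] = base64.b64encode(digest).decode()
    fields = ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return "OAuth " + fields

if __name__ == "__main__":
    # Constructed sample request from an already authenticated app session.
    print(sign_for_client("POST", "https://api.example.com/update",
                          {"status": "hello world"}, "user-token", "user-token-secret"))
```

The proxy has to authenticate its own app users before signing, otherwise it becomes an open signing service for anyone who finds its URL.
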
+1  A: 

Some put the key into a settings-type file that the application will read. Others store the key in a database file local to the app. Others store the key on their own server and the native app connects to the server to get the key and secret.

Eclipsed4utoo