views: 13, answers: 0

What is the best way to handle consumer secret keys for OAuth in plugins that will be distributed with/as source code (e.g. WordPress plugins that access Delicious or Twitter)? I know OAuth is not designed with this in mind, and there are proposals to solve it, but what is the best practice at this moment?

There seem to be two approaches to this:

  1. Put your consumer secret in the source code (maybe obfuscate it a little bit), and hope no one will abuse it and get your app banned. If someone does, request a new key and issue an update to your software. This is what Twitter recommends for the moment.
  2. Tell everyone to get their own consumer key. This might confuse non-developers who just know how to install a plugin, and hinders a quick try-out of your software.

Are there any providers that help you automate the second step? So that your server could contact the provider and generate a new consumer secret, that is somehow linked to your app, but still unique? Or are there other approaches that are feasible?
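As an added illustration of the second approach (not code from the question, and not from Twitter, Delicious or WordPress), here is a minimal OAuth 1.0a signing client that loads the consumer key and secret from per-installation configuration rather than from the distributed source, and refuses to run while the shipped placeholder is still in place. It is written in Python to stay service-agnostic; the config keys `consumer_key`/`consumer_secret`, the environment variable names `OAUTH_CONSUMER_KEY`/`OAUTH_CONSUMER_SECRET` and the `CHANGE-ME` sentinel are assumptions of this example, not anything a provider defines. The signing part follows RFC 5849 (HMAC-SHA1), which is what the secret actually protects: anyone holding it can produce valid signatures on your app's behalf.

```python
# Added example: OAuth 1.0a consumer that keeps the consumer secret out of the
# shipped source. Config key names, env var names and the CHANGE-ME sentinel
# are constructed for this illustration.
import base64
import hashlib
import hmac
import os
import secrets
import time
from urllib.parse import quote

PLACEHOLDER = "CHANGE-ME"  # constructed sentinel a plugin could ship instead of a real secret


def pct(value) -> str:
    """Percent-encode as OAuth 1.0a requires: only RFC 3986 unreserved chars kept."""
    return quote(str(value), safe="-._~")


def load_consumer_credentials(config: dict):
    """Read the consumer key/secret from a per-install settings store or the
    environment. Never from the source file itself, so every installation
    (or every administrator) can register its own key with the provider."""
    key = config.get("consumer_key") or os.environ.get("OAUTH_CONSUMER_KEY", "")
    secret = config.get("consumer_secret") or os.environ.get("OAUTH_CONSUMER_SECRET", "")
    if not key or not secret or secret == PLACEHOLDER:
        raise RuntimeError(
            "OAuth consumer key/secret not configured; register this installation "
            "with the provider and enter its own credentials")
    return key, secret


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Build the signature base string (RFC 5849 section 3.4.1): method,
    encoded base URL, and the encoded, sorted, normalised parameter string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 over the base string, keyed by consumer secret '&' token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method: str, url: str, params: dict, consumer_key: str,
                 consumer_secret: str, token: str = "", token_secret: str = "",
                 nonce: str = None, timestamp: int = None) -> dict:
    """Return the oauth_* parameters, including the signature, for one request.
    nonce/timestamp are parameters only so that tests can be deterministic."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, {**params, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth


def authorization_header(oauth_params: dict) -> str:
    """Render the oauth_* parameters as an Authorization: OAuth header value."""
    inner = ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth_params.items()))
    return "OAuth " + inner


if __name__ == "__main__":
    # Constructed settings, standing in for a plugin's options table.
    settings = {"consumer_key": "demo-key", "consumer_secret": "demo-secret"}
    ck, cs = load_consumer_credentials(settings)
    oauth = sign_request("GET", "http://example.com/request", {"q": "a b"}, ck, cs)
    print(authorization_header(oauth))
```

The practical point for a distributable plugin is the failure path in `load_consumer_credentials`: a shipped placeholder that is accepted silently is approach 1 in disguise, while a clear refusal plus a settings screen is what makes approach 2 workable for non-developers.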