Can I avoid baking my Twitter API consumer secret into my iPhone app binary?


Question

I'd like to do OAuth for Twitter from an iPhone app. But doing so implies that I need to have my API secret alongside my API key baked into the application binary. This is obviously undesirable.

Facebook supports the notion of a session proxy to get around the parallel issue with their API.

Can I do something like this for Twitter?

Solution

Short answer: No.

OAuth was created for and works really well for web applications. It's a square peg in a round hole for native applications. Specification 1.0a was supposed to make it more viable for native applications, but it does little to help.

As you pointed out, one of the main problems with it is that the consumer keys have to be stored in the application. Not a problem for web applications where access to the source is limited, but a big problem for native applications.

The other major problem has to do with it providing no additional security over standard login forms for native applications, but I won't get into that.

But since Twitter is forcing it on you if you want access to higher rate limits and your application name associated with Tweets, you have little choice.

The only way to avoid having the consumer key in your application code is to proxy all requests through your own server.
