Wishful Coding

Didn't you ever wish your
computer understood you?

Twitter OAuth for Open Source clients

After reading these two articles, one about how to compromise Twitter tokens from a client and one about how Twitter is abusing OAuth secrets and screwing open source clients by blocking their tokens, I came up with the following plan.

key = "your key"
secret = "your secret"

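try
    # check the client's own consumer key and secret with a signed request
    request = sign("twitter.com/verify_credentials", key, secret)
    request.post()
except 401
    # own tokens were rejected: fall back to the big fish's key and secret
    key = "BigFish key"
    secret = "BigFish secret"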

I really love Twitter and the Twitter API, but it is obvious by now that Twitter does not care about small OSS projects.

I propose that small open source Twitter clients use tokens from the big fish as a fallback for their own tokens. This will allow small clients to continue to work after their tokens are blocked (albeit under the big fish name), unless Twitter blocks their own clients as well or faces the fact that their approach doesn't work.

A more politically correct option would be to write an OAuth Echo service that stores your tokens in a secure place and accepts requests without a secret. Take your pick.
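
A sketch of that second option, as an added example that is not the author's code: a signing service keeps the consumer secret on the server and hands the client a ready-made OAuth 1.0a HMAC-SHA1 (RFC 5849) Authorization header, so the secret never ships in the open source client. The `SigningProxy` class, the endpoint allow-list, the `api.example.test` URL and all key values are assumptions constructed for illustration, and this is a plain signing proxy rather than Twitter's OAuth Echo header format.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(value):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Signature base string: METHOD & encoded URL & encoded sorted parameters
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def hmac_sha1(method, url, params, consumer_secret, token_secret):
    # The HMAC key is "consumer secret & token secret", each percent-encoded
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

class SigningProxy:
    """Hypothetical server-side signer: the consumer secret never leaves it."""
    def __init__(self, consumer_key, consumer_secret, allowed_urls):
        self._key, self._secret = consumer_key, consumer_secret
        self._allowed = frozenset(allowed_urls)  # do not sign arbitrary URLs

    def authorization_header(self, method, url, params, token, token_secret,
                             nonce=None, timestamp=None):
        if url not in self._allowed:
            raise PermissionError(f"refusing to sign for {url}")
        oauth = {
            "oauth_consumer_key": self._key,
            "oauth_nonce": nonce or secrets.token_hex(16),
            "oauth_signature_method": "HMAC-SHA1",
            "oauth_timestamp": str(timestamp or int(time.time())),
            "oauth_token": token,
            "oauth_version": "1.0",
        }
        oauth["oauth_signature"] = hmac_sha1(
            method, url, {**params, **oauth}, self._secret, token_secret)
        fields = ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(oauth.items()))
        return "OAuth " + fields

# Constructed sample values, not real credentials or a real endpoint
VERIFY_URL = "https://api.example.test/1/account/verify_credentials.json"
proxy = SigningProxy("constructed-consumer-key", "constructed-consumer-secret", [VERIFY_URL])

if __name__ == "__main__":
    print(proxy.authorization_header("GET", VERIFY_URL, {}, "user-token", "user-token-secret"))
```

The allow-list matters: without it the service signs any request for anyone who can reach it, which exposes the key as effectively as publishing the secret.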