
I've had my consumer key and secret hardcoded into the app I worked on.

Now I'd like to lock down the keys so that only admins can access the consumer key/secret.

I'd like to reset my application keys but keep my users' access keys and secrets in place, so they won't be forced to reauth.

From the test I ran it looked like that's fine (old access_keys continued to work hashed with the new app keys).

Is that correct? I.e., is that possible, and if so, is it part of some OAuth standard or Twitter specific?

Edit: From experience, I've now seen that the users' access tokens are not invalidated. This is not something general about OAuth, just Twitter.

edibleEnergy
  • If it works it is a major implementation flaw in Twitter. That would mean that any consumer could use any access token out there. I would be very surprised if this was the case. – Jon Nylander May 22 '12 at 20:33
  • I disagree, they can hash $app_consumer_secret + $user_access_secret and check that it matches the hash created with that combo on the client, regardless of the $app_consumer_secret in place when it was issued, as they have all the credentials on their end. – edibleEnergy May 22 '12 at 20:39
  • You're right, but I am not sure I follow your reasoning. I did a quick investigation and added an answer. – Jon Nylander May 22 '12 at 21:17

2 Answers


In theory it should not work, because the OAuth access token is tied to the consumer key and consumer secret provided by Twitter.


Actually, you're right, it will work because you reset the consumer credentials for your already existing app. With a new consumer key/secret pair for the existing app I see no reason why this would not work.

The access token is connected to the application, not to the application credentials. This however means that existing access tokens will not work with any new application you create.

Jon Nylander
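The mechanism described in the comment on the question (the server recomputes the HMAC from the consumer secret it holds now plus the stored token secret) and in the answer (tokens bound to the app, not to its credentials), as an added example that is not code from the question, the answer, or Twitter. It implements OAuth 1.0a HMAC-SHA1 signing per RFC 5849 and a toy provider whose data model is an assumption; Twitter's real backend is not known, and every key, secret and URL is constructed.

```python
# Added example: OAuth 1.0a HMAC-SHA1 signing (RFC 5849) plus a toy provider
# that binds each access token to an app id, not to the consumer key/secret
# that happened to be current when the token was issued. All values constructed.
import base64, hashlib, hmac
from urllib.parse import quote
def pct(s):
    return quote(s, safe="-._~")  # RFC 3986 encoding required by OAuth 1.0a
def sign(method, url, params, consumer_secret, token_secret):
    # Base string: METHOD & enc(url) & enc(sorted encoded params); key is cs & ts
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    base = f"{method.upper()}&{pct(url)}&{pct(norm)}"
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

class Provider:
    def __init__(self):
        self.apps = {}    # consumer_key -> (app_id, consumer_secret)
        self.tokens = {}  # oauth_token -> (app_id, token_secret)
    def register_app(self, app_id, consumer_key, consumer_secret):
        self.apps[consumer_key] = (app_id, consumer_secret)
    def rotate_app_keys(self, app_id, new_key, new_secret):
        # The old consumer key is retired; user token rows are left untouched
        self.apps = {k: v for k, v in self.apps.items() if v[0] != app_id}
        self.apps[new_key] = (app_id, new_secret)
    def issue_token(self, app_id, token, token_secret):
        self.tokens[token] = (app_id, token_secret)  # bound to the app, not its secret
    def verify(self, method, url, params):
        # Recompute with the consumer secret current *now* and the stored token secret
        app = self.apps.get(params.get("oauth_consumer_key"))
        tok = self.tokens.get(params.get("oauth_token"))
        if app is None or tok is None or app[0] != tok[0]:
            return False  # retired consumer key, unknown token, or token from another app
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        return hmac.compare_digest(sign(method, url, unsigned, app[1], tok[1]), params["oauth_signature"])

def client_request(consumer_key, consumer_secret, token, token_secret):
    # A client signing a GET with the credentials it currently holds (constructed values)
    url = "https://api.example.test/1.1/account/verify_credentials.json"
    params = {"oauth_consumer_key": consumer_key, "oauth_token": token,
              "oauth_signature_method": "HMAC-SHA1", "oauth_nonce": "n1",
              "oauth_timestamp": "1337718000", "oauth_version": "1.0"}
    params["oauth_signature"] = sign("GET", url, params, consumer_secret, token_secret)
    return "GET", url, params

def rotation_scenario():
    p = Provider()
    p.register_app("app1", "ck_old", "cs_old")
    p.issue_token("app1", "tok_user", "ts_user")
    before = p.verify(*client_request("ck_old", "cs_old", "tok_user", "ts_user"))
    p.rotate_app_keys("app1", "ck_new", "cs_new")
    stale = p.verify(*client_request("ck_old", "cs_old", "tok_user", "ts_user"))
    fresh = p.verify(*client_request("ck_new", "cs_new", "tok_user", "ts_user"))
    return before, stale, fresh  # (True, False, True)
```

The stale case is the defender-side takeaway: after rotation, requests still signed with the leaked old consumer secret are rejected even though the user token itself stays valid.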