I have an input field on my webpage that I would like to allow users to tweet. I know I can do this using OAuth, but because I am using JavaScript it is insecure, since my ID and secret would be visible. Is there a better way to do this?
The way I am doing it now is something like this:
// all four credentials end up in the page source, visible to anyone
var accessor = {
    token: "...",
    tokenSecret: "...",
    consumerSecret: "...",   // was missing the comma
    consumerKey: "..."
};
// create message with input field text
var message = {
    action: url,
    method: "GET",
    parameters: {...}
};
OAuth.completeRequest(message, accessor);
OAuth.SignatureMethod.sign(message, accessor);
url = url + '?' + OAuth.formEncode(message.parameters);
But this will make my secrets visible.
Thanks
In the OAuth model, there are three parties: the server or “resource manager,” the app or “client”, and the user or “resource owner”.
In your case, the “client” is the web app, the thing you are building. The resource manager is Twitter, and the user is the resource owner. Maybe it bears repeating: the resource that is owned and managed is the tweet stream.
OAuth allows the client to submit requests to the resource manager on behalf of the resource owner. Translated to your scenario, that means your app (web app) can submit tweets on behalf of the user.
The web app model and its distributed computational model, with some code running on the server (PHP, Ruby, ASP.NET, or whatever it is) and some code running on the client (JavaScript), sort of confuses the issue a little.
As you point out, you can “do” OAuth by embedding the key and secret in JS code. You rightly point out that this exposes stuff you don’t want to expose.
The obvious alternative is to embed that stuff into the server-side code. This requires that the connection to Twitter occur between the server and Twitter, not between the browser and Twitter.
When the user wants to tweet, use an AJAX call from the browser to a piece of code on your server, let’s call it mytweet.php. This is a script you write, which then does the OAuth dance and sends a status update to twitter.com on behalf of the user. Ya follow?