I want to develop a Twitter client for Chrome. I have seen the JS files of existing Twitter extensions for Chrome, and found that their consumer keys and secrets are exposed. I believe that's not the way it should be.
I want to share my opinion, which is server side: users need to sign up on my website, which has OAuth. I will save their access tokens. When they install my Chrome extension, I will ask them to log in, and every time they tweet, I will fetch their access tokens online and make their tweet possible.
In this way, my keys will remain hidden. I don’t want to use Chrome OAuth.
Do you think my server side implementation of OAuth is better than a JS implementation?
I think not sharing this data is in general a better idea, however it is harder to do in a Chrome Extension since it is more Front-End Development (unless you want to maintain your own server for the extension…). I don’t think there is too much risk in exposing your OAuth credentials. If they are used maliciously to attack Twitter, Twitter will block the access and you can just apply for new keys. Your users' keys will be safely stored on their own machine so users' data will be okay. If you are looking for an easy way to implement the OAuth2 protocol in an extension, here is a utility I created just for that.
https://github.com/jjNford/oauth2-chrome-extension
I use this implementation myself in this extension.