在将与/作为源代码一起分发的插件(例如访问 Delicious 或 Twitter 的 Wordpress 插件)中处理 OAuth 的消费者密钥的最佳方法是什么?我知道OAuth 的设计并没有考虑到这一点,并且有解决它的建议,但目前最好的做法是什么?
对此似乎有两种方法:
是否有任何提供商可以帮助您自动化第二步?这样您的服务器就可以联系提供商并生成一个新的消费者秘密,它以某种方式链接到您的应用程序,但仍然是唯一的?还是有其他可行的方法?
A third option is to host a web application that acts as a proxy to whatever OAuth service you are using. All of your API keys stay under your control on your server. The downside is that you need to spend money to keep a machine running. As a bonus you can collect some analytics on the usage of your plugin.
Option two is possible if you think your users will be technical enough to generate their own API keys. I've implemented this method and it's a pain to support.
I don't recommend the first approach as people could steal your OAuth key and pretend to be your application. Once your API key is in the wild, the service will block your API key and your plugin will stop working. Then you'll scramble to try and upgrade a bunch of code that you don't have control of anymore.