Why an Facebook/Twitter app has to need 2 keys?
https://stackoverflow.com/questions/7738098
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I'm developing an mobile app on the iPhone. After creating an app on Facebook/Twitter, I received 2 keys:
- Facebook call them as app ID and app Secret
- Twitter call them as consumer Key and consumer Secret
When I use OAuth authorization as some tutorials on Google, my app must provide both keys to proceed. I'm confused as to why it needs 2 keys. As their names (id and secret), I guess that their roles is equal to public/private keys pair in Linux. But I must provide both 2 keys so that my app proceeds.
I want to place the secret key in my own Apache/PHP server, the secret place, not in my app's code. My app is only responsible for authorization, then my server proceed with other tasks, as posting,...
Solution 2
AppID is used for authentication, appSecrect is used for other tasks.
Consider these two documents of Facebook and Twitter about authentication for web app for more detail:
http://developers.facebook.com/docs/guides/web/#login
https://dev.twitter.com/docs/auth/oauth
Consider this flow for an implementation Facebook/Twitter app on mobile if you have an own server for the secret:
OAuth Twitter with only Consumer Key (not use Consumer Secret) on iPhone and android
OTHER TIPS
The app id and consumer key are identifiers of your app. The secret is what you share with the service provider in order to authenticate requests and such. Like a username (identifier) and password (secret).
The secret must not be shared - this is in the developer policies. Doing so would allow other to access the data of your app users which would obviously be a serious privacy breach. So you are right to plan on keeping it out of sight. Your app id is publicly available to anyone, so you can put that where you want/need.
