On Fri, Aug 23, 2013 at 7:38 AM, Nicolas Vervelle <nvervelle@gmail.com> wrote:
The best workaround now is probably to have each user register their copy of your desktop application as its own consumer. It's a little ugly having to give your user instructions on cutting and pasting tokens and keys around, but it can work (in the early days of Salesforce, several OAuth apps were configured this way).
Seems very complex for users, so I won't go that way for WPCleaner. Is it possible to use only one client, with the secret key included in the distribution? (A user with enough determination will be able to extract it.) This would mean that there's not 100% certainty about the client being the true one. But the attacker would only be able to impersonate the application, not the user.
Unfortunately, no. This is one of the subtleties of OAuth 1. Since we don't require HTTPS for getting the user token, or for using a user token, it's possible to impersonate a user by compromising the consumer's secret key if the attacker has also been able to sniff traffic generated by that consumer.
It does sound like the current iteration of the extension may not be the best fit. But it's good to know about these use cases, so we can set priorities for future development.
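As an added illustration (not code from this thread or from WPCleaner), here is RFC 5849 HMAC-SHA1 signing and server-side verification in Python. The point it makes concrete is that the signing key is `consumer_secret&token_secret`: a verifier rejects a request made with the consumer secret but the wrong token secret, so the user can only be impersonated when both halves are known, which is exactly what a leaked consumer secret plus sniffed plaintext token traffic gives an attacker. All keys, secrets and URLs are constructed placeholders; the URL normalization assumes no explicit default port.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit


def _enc(s):
    # RFC 5849 section 3.6 percent-encoding: only unreserved chars stay literal
    return quote(str(s), safe="~")


def signature_base_string(method, url, params):
    # RFC 5849 section 3.4.1: METHOD & encoded base URL & encoded sorted params
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(base_url), _enc(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret):
    # RFC 5849 section 3.4.2: the HMAC key is BOTH secrets joined by "&".
    # Knowing the consumer secret alone does not yield a usable key.
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def sign_request(method, url, params, consumer_key, consumer_secret,
                 token, token_secret, nonce=None, timestamp=None):
    # Client side: build the oauth_* protocol parameters and sign everything
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": secrets.token_hex(8) if nonce is None else nonce,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = hmac_sha1_signature(
        method, url, {**params, **oauth}, consumer_secret, token_secret)
    return oauth


def verify_request(method, url, params, oauth, consumer_secret, token_secret):
    # Server side: recompute over all parameters except the signature itself,
    # using the secrets stored for this consumer key and token
    protocol = {k: v for k, v in oauth.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature(
        method, url, {**params, **protocol}, consumer_secret, token_secret)
    return hmac.compare_digest(oauth["oauth_signature"], expected)
```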