Can't delete my oauth app in my developer account !!!

Hey Guys,
I realized that my oauth 1.0 consumer credentials were stored somewhere and I have to revoke or (preferably) delete the previous app. I can't believe that Zotero does not have any way to do those!!!! What should I do?
  • This is not something to panic over. You've already renamed the application and removed the callback. Using those credentials is harder and no more useful than anyone just creating their own new application.

    We'll provide a way for the owner to revoke an application so it can't be used anymore though.

    Oauth generally just creates a standard way to authorize and exchange a key so that applications do not ask for user passwords and can offload more pieces to standard libraries rather than implementing the entire thing for every service they want to interact with. The application credentials do not provide special access to anything.
  • Thanks for that, but even without the callback, can't they generate the oauth token and oauth token secret and then simply use it in a browser using the app (e.g., app://call-back?oauth_token=...&oauth_token_secret=...) and authorize that way?
  • edited January 18, 2024
    They can ask a user to create a key for them, just like anyone can by creating their own oauth app.
    They can't unilaterally do anything with it.
    This standard was designed for applications that had no expectation of being able to strongly secure their keys. The only problem would be if we needed to block it for abuse and you were caught up in the block, but that's not an issue if you're no longer using it.
  • I see, thanks, so in summary, as long as the callback is removed there is no concern?
    Thank you
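
The point made in the replies above, that consumer credentials alone grant no access, shown as an added example that is not part of the original thread and is not Zotero's code. It follows the generic OAuth 1.0 HMAC-SHA1 signing rule from RFC 5849; every key, token and URL in it is constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(value):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded.
    return quote(str(value), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature per RFC 5849 section 3.4.2."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    # The key is BOTH secrets joined by '&'; the token secret only exists
    # after a user has approved the application.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

# Constructed server-side state (hypothetical values).
CONSUMERS = {"demo-consumer-key": "demo-consumer-secret"}
TOKENS = {"user-approved-token": "demo-token-secret"}

def server_accepts(method, url, params, signature):
    """Verify a protected-resource request (nonce/timestamp checks omitted)."""
    consumer_secret = CONSUMERS.get(params.get("oauth_consumer_key"))
    token_secret = TOKENS.get(params.get("oauth_token"))
    if consumer_secret is None or token_secret is None:
        return False
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

def demo():
    url = "https://api.example.test/items"  # constructed endpoint
    params = {
        "oauth_consumer_key": "demo-consumer-key",
        "oauth_token": "user-approved-token",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1700000000",
        "oauth_nonce": "constructed-nonce",
        "oauth_version": "1.0",
    }
    # Application holding both secrets after a user granted access.
    authorized = sign("GET", url, params, "demo-consumer-secret", "demo-token-secret")
    # Party holding only the stored consumer key and secret.
    consumer_only = sign("GET", url, params, "demo-consumer-secret")
    return (server_accepts("GET", url, params, authorized),
            server_accepts("GET", url, params, consumer_only))

if __name__ == "__main__":
    print(demo())
```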