So I generated keys for my application via twitter (apps.twitter.com). But I’m confused as to where to store them? I intend that the application be a command line twitter client. As such the user will download and run it. Does that mean the consumer_key and consumer_secret must be distributed with the application source code?
Whomever runs your application does need his own set of keys, tokens and secrets. In the case of your example code they need to be available as system environment variables but of course you can make them configurable how ever you like.
Surely there must be another way to do this? Users of the application
shouldn’t need to login to twitter to generate consumer keys for the
initial run of the program. I had a quick look at rainbowstream, a command
line client written in python, and it didn’t require me to create consumer
keys. For example the process for me refering to ( http://oauthbible.com/#oauth-10a-three-legged ) was 2 and 3 for the initial
run when I didn’t have any access tokens and then 3 for everytime else,
because it saves the access tokens in a file in my home dir.
