Twitter permission change hurts third-party mobile apps [21May11]
-
Twitter is updating its authentication system to give users more control over how third-party applications can access their accounts. Applications will now have to explicitly request additional permission from the user during the authorization process in order to send and receive direct messages on behalf of the user. At first glance, the change seems like a welcome improvement to the Twitter APIs: support for granular permission tiers is one of the technical advantages of delegated-authorization systems like OAuth.
-
Twitter's approach to implementing the feature comes with some serious problems for third-party client implementors.
-
The OAuth standard was originally designed for web applications: one server obtaining limited, delegated access to a user's account on another server, for APIs that were not otherwise public. It is poorly suited for open APIs with an arbitrary number of independent third-party applications. More significantly, it largely ignores desktop and mobile clients; the only provision for them is the out-of-band flow, which asks the user to copy a verifier code from the browser into the application. Despite the significant limitations of the standard, it is being adopted and mandated by a number of social networking services, including Twitter.
-
The OAuth authorization process must be carried out in a Web browser and involves a series of redirects: a third-party site sends the user to the Twitter website to log in and approve access, and Twitter then redirects the user back to the initiating third-party site with a token and verifier appended, which the site exchanges for an access token it can use to act as the user against Twitter. The advantage of this system is that the third-party site never gets the user's actual password, just a revocable token.
-
The obvious problem with this system is that the redirect dance doesn't work for native, non-web applications: there is no third-party web site for Twitter to redirect the user back to.
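To make the redirect dance and the native-app gap concrete, here is an added example (not code from the article or from Twitter) that runs an OAuth 1.0a three-legged flow with a toy provider and client in one process. The signing follows RFC 5849 (HMAC-SHA1 over the signature base string), the permission tier is passed on the request-token step, and a native app with no callback URL falls back to the out-of-band "oob" verifier, which the user has to copy by hand. The hostnames, the `x_access_tier` parameter and the tier names are assumptions for illustration, not Twitter's actual API.

```python
# Toy OAuth 1.0a three-legged flow, provider and client in one process.
# Constructed example, not Twitter's code: hostnames, x_access_tier and the
# tier names are assumed for illustration.
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlencode, urlparse

def pct(s):
    return quote(str(s), safe="~")   # RFC 5849 3.6: only ALPHA DIGIT - . _ ~ unencoded

def base_string(method, url, params):
    """Signature base string (RFC 5849 3.4.1): METHOD & base-URL & normalized params."""
    u = urlparse(url)
    host = u.hostname.lower()
    if u.port and u.port != {"http": 80, "https": 443}.get(u.scheme.lower()):
        host += f":{u.port}"
    all_params = list(params) + parse_qsl(u.query, keep_blank_values=True)
    pairs = sorted((pct(k), pct(v)) for k, v in all_params if k != "oauth_signature")
    norm = "&".join(f"{k}={v}" for k, v in pairs)
    return f"{method.upper()}&{pct(f'{u.scheme.lower()}://{host}{u.path}')}&{pct(norm)}"

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with consumer secret & token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def oauth_params(consumer_key, token=None, **extra):
    """Fresh protocol parameters for one request (nonce and timestamp resist replay)."""
    p = {"oauth_consumer_key": consumer_key, "oauth_nonce": secrets.token_hex(8),
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
         "oauth_version": "1.0", **extra}
    if token:
        p["oauth_token"] = token
    return p

def signed(method, url, params, consumer_secret, token_secret=""):
    items = list(params.items())
    return items + [("oauth_signature", sign(method, url, items, consumer_secret, token_secret))]

class Provider:
    """Stand-in for a Twitter-like OAuth server. Tier names are assumed, not Twitter's."""
    TIERS = ("read", "read-write", "read-write-dm")

    def __init__(self):
        self.consumers, self.request_tokens, self.access_tokens = {}, {}, {}

    def _verify(self, method, url, params, token_secret=""):
        p = dict(params)
        csecret = self.consumers.get(p.get("oauth_consumer_key"))
        if csecret is None:
            raise PermissionError("unknown consumer")
        if not hmac.compare_digest(sign(method, url, params, csecret, token_secret),
                                   p.get("oauth_signature", "")):
            raise PermissionError("bad signature")

    def request_token(self, method, url, params):
        """Step 1: the app asks for a temporary token and declares the tier it wants."""
        self._verify(method, url, params)
        p = dict(params)
        tier = p.get("x_access_tier", "read")          # assumed parameter name
        if tier not in self.TIERS:
            raise ValueError("unknown access tier")
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = dict(secret=sec, consumer=p["oauth_consumer_key"], tier=tier,
                                        callback=p["oauth_callback"], verifier=None, user=None)
        return {"oauth_token": tok, "oauth_token_secret": sec, "oauth_callback_confirmed": "true"}

    def authorize(self, token, user):
        """Step 2, in the user's browser: consent page shows the tier; on approval return
        the redirect URL (web app) or a short PIN the user must type in ("oob" native app)."""
        rt = self.request_tokens[token]
        rt["user"], rt["verifier"] = user, secrets.token_hex(4 if rt["callback"] == "oob" else 16)
        if rt["callback"] == "oob":
            return rt["verifier"]
        return rt["callback"] + "?" + urlencode({"oauth_token": token, "oauth_verifier": rt["verifier"]})

    def access_token(self, method, url, params):
        """Step 3: swap the authorized request token plus verifier for an access token."""
        p = dict(params)
        rt = self.request_tokens.pop(p.get("oauth_token"), None)   # request tokens are single use
        if rt is None or rt["verifier"] is None:
            raise PermissionError("unknown or unauthorized request token")
        self._verify(method, url, params, rt["secret"])
        if not hmac.compare_digest(rt["verifier"], p.get("oauth_verifier", "")):
            raise PermissionError("bad verifier")
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = dict(secret=sec, consumer=rt["consumer"], tier=rt["tier"], user=rt["user"])
        return {"oauth_token": tok, "oauth_token_secret": sec}

    def api_call(self, method, url, params, needs):
        """A protected resource: requires a valid signature and a token tier of at least `needs`."""
        p = dict(params)
        at = self.access_tokens.get(p.get("oauth_token"))
        if at is None:
            raise PermissionError("unknown access token")
        self._verify(method, url, params, at["secret"])
        if self.TIERS.index(at["tier"]) < self.TIERS.index(needs):
            raise PermissionError(f"tier {at['tier']} cannot {needs}")
        return at["user"]

RT_URL = "https://api.example.test/oauth/request_token"        # assumed endpoints
AT_URL = "https://api.example.test/oauth/access_token"
DM_URL = "https://api.example.test/1/direct_messages.json"

def run_flow(prov, ckey, csecret, tier, callback, user="alice"):
    """Client side of the dance; `callback` is a URL for a web app or "oob" for a native one."""
    params = oauth_params(ckey, oauth_callback=callback, x_access_tier=tier)
    rt = prov.request_token("POST", RT_URL, signed("POST", RT_URL, params, csecret))
    result = prov.authorize(rt["oauth_token"], user)           # user logs in and approves
    if callback == "oob":
        verifier = result                                     # user copies the PIN into the app
    else:
        cb = dict(parse_qsl(urlparse(result).query))          # provider redirected back to us
        assert cb["oauth_token"] == rt["oauth_token"]
        verifier = cb["oauth_verifier"]
    params = oauth_params(ckey, token=rt["oauth_token"], oauth_verifier=verifier)
    return prov.access_token("POST", AT_URL, signed("POST", AT_URL, params, csecret, rt["oauth_token_secret"]))

def demo():
    """Web app approved for read-write, native app for DMs via PIN; only the latter may read DMs."""
    prov = Provider()
    prov.consumers["app-key"] = "app-secret"
    tokens = {"web": run_flow(prov, "app-key", "app-secret", "read-write", "https://app.example.test/cb"),
              "native": run_flow(prov, "app-key", "app-secret", "read-write-dm", "oob")}
    out = {}
    for name, tok in tokens.items():
        req = signed("GET", DM_URL, oauth_params("app-key", token=tok["oauth_token"]),
                     "app-secret", tok["oauth_token_secret"])
        try:
            prov.api_call("GET", DM_URL, req, needs="read-write-dm")
            out[name] = "ok"
        except PermissionError as e:
            out[name] = str(e)
    return out

if __name__ == "__main__":
    print(demo())
```

The web client never sees the user's password and its token is scoped to the tier the user approved, which is the upside the article credits to OAuth. The native client gets the same scoped token only by way of the "oob" branch: the browser shows a verifier and the user has to carry it into the app by hand, which is the awkwardness the article is complaining about. The `base_string` function reproduces the normalization from the OAuth 1.0 specification's worked example, so it can be checked against that vector.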