On Mon, 24 Aug 2009 11:14:12 -0700 (PDT) Greg <gregory.av...@gmail.com> wrote:
> When I first started programming Twitter applications using OAuth - I
> thought that eventually it would open up to allow Third Party API
> (TwitPic, TweetPhoto) to start using OAuth tokens to authenticate.
> However - it's been a while since this has gained any air.

Twitter got burned with early adoption and the session-fixation
vulnerability. Not that their service got hacked through it, but
because they didn't point the finger of blame when they pulled the API.
There might be quite a bit of wait and see going on because of that,
because of the way SSO has faltered, and because of the general FUD
that always surrounds security issues.

> Is this something that we should be seeing from third-party
> services in the future? Thinking about it - your tokens authenticate
> you only for that specific application with the consumer key and
> consumer secret - how could it be possible to authenticate you on
> another service?

By design, the user has to authorize each combination of Consumer and
Service Provider separately. Trust me, you wouldn't want the kind of
interoperability that you seem to be asking for here. It would either
open up tons of man-in-the-middle vulnerabilities or be horridly
complicated to implement, which has its own risks.

> If not - what's the point of OAuth? You can't integrate with other
> Twitter Services without having the user sign in again.

OAuth will be gaining traction as part of OpenSocial. There could very
well be sites that are waiting for this or waiting for better support
infrastructure. I have a game site that I'm looking to let users
promote by pushing information about forming games out to as many
social media outlets as I can support. Facebook is low on my list
because it already has an implementation of the game I offer and, even
though the implementation isn't very good, the Facebook API is too
involved for me to make a run at share shifting them until I've built
more share elsewhere.

High on my list are sites that are using OpenSocial, like Avatars
United, or where I only need one or two features of the API, like
MeetUps. Twitter is on my list because the API is just simple and
well-used enough that it would be worthwhile to write and maintain a
library on my own.

Seriously, though, if we're busting out of our skulls thinking how this
affects us as Consumers, think about how it has to be affecting the
service providers with 100's of thousands or 44.5 millions of users.

Chris
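
Added example, not part of the original message: a sketch of why an OAuth 1.0 access token only works for the Consumer it was issued to. The HMAC-SHA1 key is built from the consumer secret and the token secret together, and the Service Provider also checks which Consumer the token belongs to. All keys, secrets, the URL and the provider-side tables are constructed for illustration; nonce and timestamp replay checks are left out.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def enc(value):
    # OAuth percent-encoding: only unreserved characters stay literal
    return quote(str(value), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret):
    # Signature base string: METHOD & encoded URL & encoded sorted parameters
    norm = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))
    base = "&".join([method.upper(), enc(url), enc(norm)])
    # The key combines BOTH secrets, so the token secret alone is not enough
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

# Constructed Service Provider state: registered Consumers and issued tokens
CONSUMERS = {"photo-app": "photo-app-secret", "game-site": "game-site-secret"}
TOKENS = {"tok-123": {"consumer": "photo-app", "secret": "tok-123-secret"}}
URL = "https://provider.example/statuses/update"  # placeholder endpoint

def verify(method, url, params, signature):
    consumer_key = params.get("oauth_consumer_key")
    consumer_secret = CONSUMERS.get(consumer_key)
    token = TOKENS.get(params.get("oauth_token"))
    if consumer_secret is None or token is None:
        return False
    if token["consumer"] != consumer_key:
        return False  # token was authorized for a different Consumer
    expected = sign(method, url, params, consumer_secret, token["secret"])
    return hmac.compare_digest(expected, signature)

def request(consumer_key, signing_secret):
    # Build a signed request that presents the user's token "tok-123"
    params = {"oauth_consumer_key": consumer_key, "oauth_token": "tok-123",
              "oauth_signature_method": "HMAC-SHA1", "oauth_nonce": "n-1",
              "oauth_timestamp": "1251137652", "status": "hello"}
    sig = sign("POST", URL, params, signing_secret, "tok-123-secret")
    return params, sig

def demo():
    ok = verify("POST", URL, *request("photo-app", "photo-app-secret"))
    # Another Consumer reuses the token under its own key and secret
    other = verify("POST", URL, *request("game-site", "game-site-secret"))
    # Another Consumer claims the first Consumer's key without its secret
    forged = verify("POST", URL, *request("photo-app", "game-site-secret"))
    return ok, other, forged

if __name__ == "__main__":
    print(demo())
```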