A number of objections have already been raised along these lines, e.g. 
http://blog.atebits.com/2009/02/fixing-oauth/

Time will tell as to how Twitter will respond.

Meanwhile: you can (in fact you MUST) store the OAuth access token you receive 
from Twitter so your users won't have to log in again.

However, the Twitter docs are somewhat vague about how long the token will last:

http://apiwiki.twitter.com/OAuth-FAQ#Howlongdoesanaccesstokenlast

"We do not CURRENTLY expire access tokens." (emphasis mine)

Makes it sound like tokens may some day expire, which users will no doubt find 
annoying.

Good luck!




________________________________
From: spud <ahs...@gmail.com>
To: Twitter Development Talk <twitter-development-talk@googlegroups.com>
Sent: Monday, June 15, 2009 1:26:41 PM
Subject: [twitter-dev] OAuth and a CMS module for Twitter


I'm authoring a module-based CMS, and started creating a very
rudimentary Twitter module. The CMS implements a website owned by a
single administrator (or organization), and I am only concerned with
the Twitter account for that administrator.

Right now, the only goal of the module is to:
1. Display the last N status updates from the admin's Twitter account.
2. Allow the admin to post a status update from their CMS-run backend.

These features are quite easy to implement with the REST API and old-
school basic HTTP authentication. But, being the forward-looking type
in general, I read up on OAuth, since I expect this to be the future
of the API.

The theory behind OAuth is sound, and it looks like a great solution
for allowing access to account privileges without divulging a username
and password. However, in the case of my CMS, I am _NOT_ concerned
with limiting access -- the administrator owns the website, so it is
implicitly trusted. I have no inherent problem with storing the
Twitter account username and password in the CMS, protected in the
same manner as any other configuration settings for the CMS.

To extend the "valet key" analogy, imagine that the CMS is not a
valet, but your spouse. He or she would be repeatedly annoyed, at the
very least, if you kept handing off only the valet key rather than the
all-access pass.

I mean, if posting a status update from your CMS requires logging into
Twitter for OAuth credentials, then why not simply go to twitter.com
and post your status update there? In that case, your browser would
likely have a cookie that obviates the need for a login at all. Unless
I've misunderstood OAuth (which is entirely possible), it doesn't seem
like there's any way for a CMS to retain the same sort of "cookie" to
preserve the auth credentials, or is there?

So I'm sticking with Basic Authentication for now, but if there's some
OAuth-friendly way to accomplish the same task, I'm all ears...

spud.
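Both halves of this thread come down to one mechanism: the reply says the CMS must store the access token it gets back from Twitter, and spud's question about keeping a "cookie" on the CMS side is exactly what that stored token is. What follows is an added example, not code from either poster, from Twitter, or from any library: it signs an OAuth 1.0a request with HMAC-SHA1 using an access token pair that the CMS has saved to a config file, so no further login is needed. The consumer key/secret, token pair, nonce and timestamp are the published test vector from OAuth Core 1.0 Appendix A rather than real Twitter credentials; the helper names, the JSON file format and the `twitter_token.json` path are this example's own choices.

```python
# Added example: signing Twitter-style OAuth 1.0a requests with a stored
# access token. Helper names and the storage format are this example's own.
import base64
import hashlib
import hmac
import json
import os
import secrets
import stat
import tempfile
import time
from urllib.parse import quote, urlsplit, urlunsplit


def oauth_encode(value):
    """Percent-encode per RFC 3986 as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ stay bare."""
    return quote(str(value), safe="-._~")


def normalize_url(url):
    """Base-string URI: lowercase scheme/host, default port dropped, no query or fragment."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = "%s:%d" % (host, port)
    return urlunsplit((scheme, host, parts.path or "/", "", ""))


def signature_base_string(method, url, params):
    """METHOD&enc(base URL)&enc(params sorted by encoded key, then value, joined as k=v&k=v)."""
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)
    normalized = "&".join("%s=%s" % kv for kv in pairs)
    return "&".join([method.upper(), oauth_encode(normalize_url(url)), oauth_encode(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with enc(consumer secret)&enc(token secret); the secrets never go on the wire."""
    key = "%s&%s" % (oauth_encode(consumer_secret), oauth_encode(token_secret))
    digest = hmac.new(key.encode("utf-8"), base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method, url, query, consumer_key, consumer_secret, token, token_secret,
                 nonce=None, timestamp=None):
    """Return (base string, Authorization header) for a request made with a stored access token."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    # Query/body parameters are signed together with the oauth_* ones (oauth_signature excluded).
    base = signature_base_string(method, url, list(query.items()) + list(oauth_params.items()))
    oauth_params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    header = "OAuth " + ", ".join('%s="%s"' % (k, oauth_encode(v)) for k, v in sorted(oauth_params.items()))
    return base, header


def save_access_token(path, token, token_secret):
    """Keep the token pair like any other secret setting: owner read/write only, never world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump({"oauth_token": token, "oauth_token_secret": token_secret}, f)


def load_access_token(path):
    with open(path) as f:
        data = json.load(f)
    return data["oauth_token"], data["oauth_token_secret"]


def stored_token_roundtrip(token, token_secret):
    """Save, reload and report the file mode, so the storage step can be checked without a network."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "twitter_token.json")  # hypothetical CMS config location
        save_access_token(path, token, token_secret)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        return load_access_token(path) + (mode,)


# Constructed input: consumer key/secret, access token pair, nonce and timestamp are the
# published test vector from OAuth Core 1.0 Appendix A, not real Twitter credentials.
CONSUMER_KEY, CONSUMER_SECRET = "dpf43f3p2l4k3l03", "kd94hf93k423kf44"
ACCESS_TOKEN, ACCESS_TOKEN_SECRET = "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00"


def demo():
    token, token_secret, _mode = stored_token_roundtrip(ACCESS_TOKEN, ACCESS_TOKEN_SECRET)
    # On every later run the CMS reloads the pair and signs without any user interaction.
    return sign_request("GET", "http://photos.example.net/photos",
                        {"file": "vacation.jpg", "size": "original"},
                        CONSUMER_KEY, CONSUMER_SECRET, token, token_secret,
                        nonce="kllo9940pd9333jh", timestamp=1191242096)


if __name__ == "__main__":
    base, header = demo()
    print(base)
    print("Authorization:", header)
```

The one-time part (request token, sending the admin to Twitter, exchanging the verifier for the access token) is left out; once that has produced the `oauth_token`/`oauth_token_secret` pair, every later call only needs what is shown here. Two caveats for a CMS doing this: the token secret is a credential and deserves the same file permissions and backup handling as the old password would have had, and "not currently expired" is not "never invalid": the account owner can revoke the app from Twitter at any time, so a 401 on a signed request should send the admin back through the authorization step instead of retrying with the dead token.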
