A number of objections have already been raised along these lines, e.g. http://blog.atebits.com/2009/02/fixing-oauth/

Time will tell as to how Twitter will respond. Meanwhile: you can (in fact you MUST) store the OAuth access token you receive from Twitter so your users won't have to log in again. However, the Twitter docs are somewhat vague about how long the token will last: http://apiwiki.twitter.com/OAuth-FAQ#Howlongdoesanaccesstokenlast

"We do not *currently* expire access tokens." (emphasis mine)

Makes it sound like tokens may some day expire, which users will no doubt find annoying.

Good luck!

________________________________
From: spud <ahs...@gmail.com>
To: Twitter Development Talk <twitter-development-talk@googlegroups.com>
Sent: Monday, June 15, 2009 1:26:41 PM
Subject: [twitter-dev] OAuth and a CMS module for Twitter

I'm authoring a module-based CMS, and started creating a very rudimentary Twitter module. The CMS implements a website owned by a single administrator (or organization), and I am only concerned with the Twitter account for that administrator. Right now, the only goal of the module is to:

1. Display the last N status updates from the admin's Twitter account.
2. Allow the admin to post a status update from their CMS-run backend.

These features are quite easy to implement with the REST API and old-school basic HTTP authentication. But, being the forward-looking type in general, I read up on OAuth, since I expect this to be the future of the API.

The theory behind OAuth is sound, and it looks like a great solution for allowing access to account privileges without divulging a username and password. However, in the case of my CMS, I am _NOT_ concerned with limiting access -- the administrator owns the website, so it is implicitly trusted. I have no inherent problem with storing the Twitter account username and password in the CMS, protected in the same manner as any other configuration settings for the CMS. To extend the "valet key" analogy, imagine that the CMS is not a valet, but your spouse. He or she would be repeatedly annoyed, at the very least, if you kept handing off only the valet key rather than the all-access pass.

I mean, if posting a status update from your CMS requires logging into Twitter for OAuth credentials, then why not simply go to twitter.com and post your status update there? In that case, your browser would likely have a cookie that obviates the need for a login at all. Unless I've misunderstood OAuth (which is entirely possible), it doesn't seem like there's any way for a CMS to retain the same sort of "cookie" to preserve the auth credentials, or is there?

So I'm sticking with Basic Authentication for now, but if there's some OAuth-friendly way to accomplish the same task, I'm all ears...

spud.
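The "cookie" spud is asking about is exactly the access token pair the reply describes: once the administrator authorizes the CMS a single time, the CMS stores the access token and its secret alongside the consumer key and secret, and from then on it signs each API request with them instead of ever sending a password. The example below (added here; it is not code from either poster and not a Twitter library) shows that lifecycle in plain Python: persisting the credentials as JSON and producing the OAuth 1.0 HMAC-SHA1 signature and `Authorization` header for a request. The consumer/token values in `SPEC_CREDS` and the `photos.example.net` request are the test vector from Appendix A of the OAuth Core 1.0 specification, so the computed signature can be checked against a published value; the `twitter.com/statuses/update.json` URL in `status_update_header` is an assumed endpoint of that era, and `nonce`/`timestamp` are passed in explicitly so the output is reproducible.

```python
"""Minimal OAuth 1.0 (HMAC-SHA1) client signing with a persisted access token.

Added example, not from the mailing-list thread. Credentials are stored once,
after the one-time authorization dance, and reused for every later request.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import quote

# Constructed credentials: the OAuth Core 1.0 Appendix A test vector.
SPEC_CREDS = {
    "consumer_key": "dpf43f3p2l4k3l03",
    "consumer_secret": "kd94hf93k423kf44",
    "access_token": "nnch734d00sl2jdk",
    "access_token_secret": "pfkkdhi9sl3r4s00",
}


def serialize_credentials(creds):
    """Serialize the stored credentials (what the CMS keeps in its config store)."""
    return json.dumps(creds, sort_keys=True)


def load_credentials(text):
    """Load credentials previously written by serialize_credentials."""
    return json.loads(text)


def oauth_encode(value):
    """OAuth 1.0 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Build the signature base string: METHOD & url & normalized-params.

    Parameters are percent-encoded first, then sorted by key and value,
    then the whole joined string is percent-encoded once more.
    """
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(url), oauth_encode(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    """Sign the base string with key 'consumer_secret&token_secret'."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}"
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, request_params, creds, nonce, timestamp):
    """Return the oauth_* protocol parameters, including the signature.

    request_params are the query/body parameters of the request itself; they
    are covered by the signature together with the oauth_* parameters.
    """
    oauth_params = {
        "oauth_consumer_key": creds["consumer_key"],
        "oauth_token": creds["access_token"],
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**request_params, **oauth_params})
    oauth_params["oauth_signature"] = hmac_sha1_signature(
        base, creds["consumer_secret"], creds["access_token_secret"]
    )
    return oauth_params


def authorization_header(oauth_params):
    """Render the oauth_* parameters as an 'Authorization: OAuth ...' value."""
    parts = ", ".join(
        f'{oauth_encode(k)}="{oauth_encode(v)}"' for k, v in sorted(oauth_params.items())
    )
    return "OAuth " + parts


def status_update_header(creds, status, nonce, timestamp):
    """Authorization header for posting a status from stored credentials.

    The endpoint URL is an assumption for illustration, not taken from the thread.
    """
    url = "http://twitter.com/statuses/update.json"
    params = sign_request("POST", url, {"status": status}, creds, nonce, timestamp)
    return authorization_header(params)


if __name__ == "__main__":
    stored = load_credentials(serialize_credentials(SPEC_CREDS))
    print(status_update_header(stored, "Posted from the CMS", "examplenonce", 1245094001))
```

Each call uses a fresh nonce and the current time in practice; the signature covers the request parameters and the token, so the stored secret never leaves the CMS. If Twitter ever does expire tokens, the signed request fails with 401 and the administrator has to repeat the one-time authorization, which is the only point at which a login is needed.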