Yes, we need a solution for shipping desktop and open source apps. But
indeed, new apps should definitely look towards OAuth.

On Tue, Feb 17, 2009 at 13:51, Aral Balkan <aralbal...@gmail.com> wrote:
>
> Hey Alex,
>
> Another thing I was thinking about was specifically for AIR-based apps
> (and I guess, to a larger degree, any desktop app) with regards to the
> consumer secret.
>
> If that's included in the desktop app, especially in a SWF for AIR
> apps, it's basically open to the world. So another app could use the
> consumer secret.
>
> Based on your response, I'm assuming that any new desktop client
> should implement OAuth as the only means of auth since the switch will
> definitely happen at some point.
>
> Thanks,
> Aral
>
> On Feb 17, 8:46 pm, Alex Payne <a...@twitter.com> wrote:
>> Eventually, once we've got user experience solutions that work for the
>> 80% case, we'll be moving off of Basic Auth entirely. But not before
>> desktop app developers are happy. It's going to take some
>> experimenting, but I'm sure that we can find some good solutions
>> between the smart folks in this community and those in the greater
>> OAuth/web standards community.
>>
>> OAuth doesn't prevent evil folks from shipping Twitter apps that might
>> be trojans, but it does allow us here at the Mother Ship to revoke
>> their ability to talk to the Twitter API. That means less spam/"SEO"
>> tools, and a short time-to-live for applications that are discovered
>> to be malicious.
> <snip>
>



-- 
Alex Payne - API Lead, Twitter, Inc.
http://twitter.com/al3x
