As a developer who has recent launched Twaller (http:// www.twaller.com) which supports OAuth, I think I should share my perspective on this.
I really loved OAuth because: (1) Ease of coding. I could get OAuth working within a couple of days. Saves me any password maintenance, encryption etc. (2) Integration with Twitter Branding. With the OAuth scheme, I believe my website is more integrated with Twitter. It would also be nicer if Twitter would maintain their own list of websites they trust with Oauth, just to give users the added confidence that Twitter trusts me. (3) Saves me worrying about SSL. A lot of people are finicky about HTTPS/SSL. This was I can just ytell them that if Twitter wants Oauth that way in future, we will simple provide it. The part I hate about OAuth is that the OAUth page is extremely slow to load and sometimes does not load at all. I see this issue with the Twitter website in general as well, sometime postst from the web just don't go through. I would much appreciate if people at Twitter can address scalability problems to OAUTH, because that I believe is the biggest user turnoff. On Jul 28, 1:11 pm, JDG <ghil...@gmail.com> wrote: > It's only a scare if the development community neglects or refuses to > educate the populace at large that only Twitter really needs your password, > so why give it to anyone else? > > > > On Tue, Jul 28, 2009 at 13:27, jahbini <jahb...@celarien.com> wrote: > > > Sorry about your Oauth Implementation, Mine's been working steadily > > with no hiccups: Lot's of very solid implementations out there. > > > As far as the user sign-up problem, Yeah, I agree, It's a bit of a > > scare for the user to have to connect to an off-site twitter authority > > page -- But that's what Facebook, paypal and all the big boys are > > pushing toward. > > > As Robert Palmer once said: "Your gonna have to face it, your addicted > > to passwords". > > > Jim > > > On Jul 28, 1:27 am, chinaski007 <chinaski...@gmail.com> wrote: > > > Let's be honest... > > > > The end-result for third-party developers using OAuth appears to be > > > fewer sign-ups, less reliability, more complexity, and potentially > > > less security. > > > > Google Optimizer reveals that users are more likely to sign-up for > > > Basic Auth than OAuth. That's just fact. Test it for yourself to > > > confirm. > > > > I suppose this is not so weird. Users are accustomed to giving user/ > > > pass information even to "foreign" apps. It is far more disruptive > > > and invasive for them to go to some bizarre Twitter screen asking them > > > to "approve an app". To the average user, what does that mean? (And, > > > heck, it may even require more steps if they have to login again to > > > Twitter.) > > > > In terms of reliability, Twitter OAuth was down for days several weeks > > > ago. Tonight yet another unannounced change occurred that broke major > > > code libraries. Meanwhile, Basic Auth has been plugging along just > > > fine and dandy... > > > > So what IS the benefit of OAuth? > > > > It doesn't benefit developers as you will likely get more sign-ups > > > with Basic Auth and Basic Auth is far, far easier to setup. Sure, > > > OAuth might satisfy some power users hungry for security... > > > > But is OAuth even more secure than Basic Auth? > > > > Perhaps not. After all, tonight's fix was for an OAuth security flaw > > > known for at least 10+ days (judging by tweets to @twitterapi) that > > > allowed for potential impersonations of credentialed users. > > > > On the heels of Twitter's (unofficial) assurance of better > > > communication with developers, this sort of unannounced change is > > > distressing. What's next? (Have Labor Day Weekend plans? You might > > > want to cancel those... just the right time for Twitter to make an > > > unannounced API change!) > > > > As for us, we are in the strange position of deprecating OAuth in > > > favor of Basic Auth. > > > > Weird, eh?? > > > > Okay, we are not totally deprecating OAuth, but we are advising users > > > that Basic Auth is far more robust and reliable. > > > > And so our message to new developers: avoid OAuth like the plague. If > > > you must, offer it. But let Basic Auth be your backbone: more > > > reliable, more sign-ups, simpler, and probably just as secure. (Just > > > look at Google Code bug reports about OAuth to get a sense of > > > reliablity.) > > > > (Okay, okay, this post was written at 4am after a workday that started > > > at 8am, and after Twitter introduced this new change at 5pm... (hey > > > Twitter, can you introduce major new changes EARLIER in the day so we > > > can react!?!?)... it still doesn't excuse Twitter's continued > > > disregard for the small-to-medium size developer.) > > -- > Internets. Serious business.