Response inline.

On Wed, Apr 14, 2010 at 7:07 AM, Raffi Krikorian <ra...@twitter.com> wrote:

> again - overly dramatic.
>
> everything i said above still stands - it provides transparency into the
> traffic that applications generate (potentially audit trails for users,
> better ways to squelch spammy apps, etc.), as well as provides some security
> in that users' passwords are not being sent in the clear.
>
> you can easily look for other examples of people using oauth for similar
> situations - google is using oauth to allow applications access to mail,
> etc.
>

For what it's worth:  Speaking as a Googler, and as someone who is
interested in users' safety and security overall, I'm thrilled to see the
industry trend toward deprecation of stored credentials in favor of
delegated authorization mechanisms.  So thank you — on behalf of the
industry — to Twitter for doing this.

It's difficult/impossible to ensure the long-term safety and security of
stored passwords required for standard basic auth, and it is similarly
impossible to know for sure that a desktop application is either a) really a
desktop application or b) really secure.

A delegated authorization flow has the advantage that it can be scoped to
grant only specific narrow permissions (read twitter messages, read a
calendar, check your email), but not others (delete your account, charge
your credit card, read your web history, etc).  Plus, authorization tokens
can be revoked on a per-application basis on the server side if a
third-party application goes rogue or is compromised in the future (or set
to automatically expire).  None of those things are easily possible with the
traditional "master key" approach of stored passwords.

While there are several evolving ways to get there — and I don't think we've
collectively quite figured it all out yet (Raffi's post thinking about trust
models for xauth is right on) — the general message of deprecating usernames
and passwords in third-party apps is the right one for all of us, so I still
applaud Twitter for taking a stand here, and expect and hope many others
will follow.

-DeWitt


>
> So basically you are saying Twitter wants a chokehold to block apps they
>> don’t like which you don’t currently have with basic auth.
>>
>> Considering your recent purchase of a twitter client is that really a
>> message you want to be spreading at the moment?
>>
>> How about leaving it up to end users to make the decision about which
>> clients they do and don’t use to access twitter. Restricting all clients to
>> oauth only is hardly going to give developers warm and fuzzy feelings that
>> with a single keystroke a client can be banned instantly across the entire
>> ecosystem.
>>
>> Or am I missing something?
>>
>> Cheers,
>>
>> Dean
>>
>>
>>   ------------------------------
>>
>> *From:* twitter-development-talk@googlegroups.com [mailto:
>> twitter-development-t...@googlegroups.com] *On Behalf Of *Raffi Krikorian
>> *Sent:* Wednesday, April 14, 2010 8:59 AM
>> *To:* twitter-development-talk@googlegroups.com
>> *Subject:* Re: [twitter-dev] Re: Basic Auth Deprecation
>>
>>
>>
>> in my ideal world, nobody would have access to a user's password except
>> twitter.com -- oauth provides a framework so end applications are not
>> storing the actual password.  people are notoriously bad with using the same
>> password on lots of different sites.  additionally, oauth provides twitter
>> better visibility into the traffic coming into our system, so we can better
>> shape traffic needs, we can provide auditing back to users on which
>> applications are doing what actions on their behalf, etc.
>>
>>
>>
>> On Wed, Apr 14, 2010 at 5:39 AM, Dean 'at' Cognation dot Net <
>> d...@cognation.net> wrote:
>>
>> But why is oauth better than basic for a desktop client?
>>
>> i understand it for the webapps but on a desktop client whats the
>> point?
>>
>> Basically you are saying the desktop end user can't be trusted? Sorry
>> but that doesn't make any sense.
>>
>>
>>
>> Please explain.
>>
>>
>> Cheers,
>> Dean
>>
>>
>>
>> On Apr 14, 1:15 am, Taylor Singletary <taylorsinglet...@twitter.com>
>> wrote:
>>
>> > Basic auth being turned off means just that..
>> >
>> > Desktop clients can implement xAuth as an alternative, where you do a
>> > one-time exchange of login and password for an OAuth access token and
>> > continue from there signing your requests and doing things in the
>> > OAuth way. You'd no longer, as a best practice and one that I would
>> > stress in the utmost even on a desktop client, store the login and
>> > password beyond the xAuth access token negotiation step. If the token
>> > were revoked you would then query for the login and password again and
>> > so on and so on and also and also.
>> >
>> > Obtaining permission to use xAuth for desktop clients is as easy as
>> > sending a well-identified and verbose note to a...@twitter.com.
>>
>> >
>> > Basic auth had a good run. It's nearly time to say goodnight.
>> >
>> > Taylor
>> >
>> >
>> >
>> >
>> >
>>
>> > On Tuesday, April 13, 2010, Dean Collins <d...@cognation.net> wrote:
>> > > Just so I understand this, applications running on the desktop will
>> > > still work correct? Basic functionality is only being turned off for web
>> > > apps correct? It's not like desktop apps will have to start using oauth.
>> >
>> > > Cheers,
>> >
>> > > Dean
>> >
>> > > -----Original Message-----
>> > > From: twitter-development-talk@googlegroups.com [mailto:
>> > > twitter-development-t...@googlegroups.com] On Behalf Of Dewald Pretorius
>> > > Sent: Tuesday, April 13, 2010 7:31 PM
>> > > To: Twitter Development Talk
>> > > Subject: [twitter-dev] Re: Basic Auth Deprecation
>> >
>> > > Could you please announce the hard turn off date somewhere on one of
>> > > your Twitter blogs about a month ahead of time, so that we all have an
>> > > official source to point our users to when we explain to them why
>> > > we're converting everything over to OAuth?
>> >
>> > > On Apr 13, 8:19 pm, Raffi Krikorian <ra...@twitter.com> wrote:
>> > >> we have announced deprecation, and will hard turn off basic
>> > >> authentication in june.  the exact date has not been set, but i
>> > >> presume it will be later in the month.
>> >
>> > >> > Is Basic Auth going to be deprecated (as in hard switched-off) in
>> > >> > June, or are you in June going to announce deprecation, with the
>> > >> > hard switch-off then coming a few months later?
>> >
>> > >> --
>> > >> Raffi Krikorian
>> > >> Twitter Platform Team
>> > >> http://twitter.com/raffi
>> >
>> > > --
>> > > To unsubscribe, reply using "remove me" as the subject.
>> >
>> > --
>> > Taylor Singletary
>> > Developer Advocate, Twitter
>> > http://twitter.com/episod
>>
>>
>>
>>
>> --
>> Raffi Krikorian
>> Twitter Platform Team
>> http://twitter.com/raffi
>>
>
>
>
> --
> Raffi Krikorian
> Twitter Platform Team
> http://twitter.com/raffi
>
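Added example (not code from anyone in this thread, and not Twitter's own implementation): the xAuth exchange Taylor describes above, and the signed-request flow that follows it, worked through in Python with only the standard library. The client signs a single POST that carries the login and password and receives an access token; from then on only the token secret is used for signing, so the password is never stored. The server-side check shows what the revocation DeWitt mentions hinges on: the service can refuse a token's secret at any time and every later signature fails. The endpoint URL is the one Twitter documented for xAuth at the time and is taken as an assumption; the consumer key, secret, token and password values are constructed samples.

```python
"""OAuth 1.0a HMAC-SHA1 signing as used by xAuth.

Client side: one signed POST trades the user's login/password for an access
token; every later request is signed with the token secret, so the password
is never stored and never sent again.  Server side: the signature is
recomputed from the request as received and compared in constant time.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Assumed endpoint (the one Twitter documented for xAuth; not taken from this thread).
XAUTH_ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"


def pct(s) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0a requires: only A-Za-z0-9-._~ left bare."""
    return quote(str(s), safe="")


def base_string(method: str, url: str, params: dict) -> str:
    """Signature base string: METHOD & enc(base URL) & enc(normalized parameters).

    Parameters = query-string params + oauth_* params + form-body params,
    each key and value percent-encoded, then sorted by key and value."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    merged = dict(parse_qsl(parts.query, keep_blank_values=True))
    merged.update(params)
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in merged.items()))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str = "") -> str:
    """Signing key is enc(consumer_secret) & enc(token_secret); token_secret is empty for the xAuth step."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, body_params, consumer_key, consumer_secret,
                 token="", token_secret="", nonce=None, timestamp=None):
    """Build the Authorization header for one request; returns (header, base string)."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    base = base_string(method, url, {**oauth, **body_params})
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    # Only oauth_* fields go in the header; x_auth_* fields travel in the POST body.
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return header, base


def xauth_token_request(username, password, consumer_key, consumer_secret, **kw):
    """xAuth step: the single request that carries the password, signed with the
    consumer secret alone.  Returns (header, form body, base string); the caller
    discards the password as soon as the token arrives."""
    body = {"x_auth_mode": "client_auth", "x_auth_username": username, "x_auth_password": password}
    header, base = sign_request("POST", XAUTH_ACCESS_TOKEN_URL, body, consumer_key, consumer_secret, **kw)
    return header, body, base


def parse_auth_header(header: str) -> dict:
    """Parse 'OAuth k="v", k2="v2"' back into a dict of decoded values."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth 1.0a Authorization header")
    out = {}
    for item in header[len("OAuth "):].split(", "):
        k, v = item.split("=", 1)
        out[unquote(k)] = unquote(v.strip('"'))
    return out


def verify_signature(header, method, url, body_params, consumer_secret, token_secret=""):
    """Server side: recompute the signature over the request as received and compare
    in constant time.  A real server also looks up token_secret from oauth_token (and
    finds nothing once the token is revoked) and rejects stale timestamps and reused
    nonces; that bookkeeping is left out here."""
    params = parse_auth_header(header)
    presented = params.pop("oauth_signature", "")
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    expected = hmac_sha1_signature(base_string(method, url, {**params, **body_params}),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    ck, cs = "consumer-key", "consumer-secret"  # constructed sample credentials
    hdr, body, _ = xauth_token_request("dean", "correct horse", ck, cs)
    print("xAuth header (no password in it):", hdr)
    # Pretend the server answered with a token pair; the client keeps only these.
    tok, tok_secret = "access-token", "access-token-secret"
    url = "https://api.twitter.com/1/statuses/home_timeline.json?count=5"
    hdr, _ = sign_request("GET", url, {}, ck, cs, tok, tok_secret)
    print("API request verifies:", verify_signature(hdr, "GET", url, {}, cs, tok_secret))
```

The point Taylor makes about re-prompting holds here: if the server drops the token secret, verify_signature fails for every request signed with it, and the client's only way back is another xauth_token_request, which is the one moment it is allowed to hold the password.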
