[twitter-dev] Re: Which services use twitter username and password as account identifier
Hi Paul,

I have developed a social search engine ExploreWWW and would like to encourage twitter users to submit their website to ExploreWWW and it will be uploaded in twitter with their account. I have been using twitter account to do that. Now I am not sure how to consolidate user authentication on our server and twitter server with the implementation of oAuth. I am really happy that you have come forward to raise this issue. I will also like to gain access to your solution for oAuth implementation.

On Sun, Mar 1, 2009 at 9:19 AM, Paul Kinlan paul.kin...@gmail.com wrote:

Hi,

I am still concerned that the introduction of oAuth is going to cause a lot of problems for applications that use twitter username and password as a login and account registration mechanism for their services. I would like to start a list of the services that primarily use twitter details as a form of login to their services. Starting with:

Twe2 (although we do support oauth right now)
Twollo

What I am keen to also get across is that if we have to introduce a new username and password mechanism for our services I bet that 80% of users will still use the same password as their twitter account, negating the use of oauth.

If anyone wants I can provide you with a secret link for twe2's oauth implementation to show you what we are doing (no username and password - but re-requesting access to your data if you need to login).

I look forward to hearing back and seeing a list of all the services in the ecosystem that use twitter credentials as account authentication and validation so that it is clear how prevalent the problem will be.

Regards,
Paul

--
Sincerely,
Burhan Tanweer
www.explorewww.com
expl...@explorewww.com
[twitter-dev] Re: Which services use twitter username and password as account identifier
Or, do both. Allow them to login via OAuth, and then let them create an account later to avoid future round-trips (or to associate multiple twitter accounts)

This is what http://feedflix.com does with the Netflix OAuth API.

On Mar 1, 6:18 pm, Paul Kinlan paul.kin...@gmail.com wrote:

Hi Sam,

I think most things other than a basic username and password will confuse most people, which is why asking for their twitter username and password is done (rightly or wrongly) because people know it, use it all the time on twitter and don't have to remember yet another password.

I will give JanRain's solution a look over. Trouble is, it looks two phase, log-in via openId/facebook/etc then hook up your twitter account (using oAuth); obviously once you have set up your twitter account you only ever have to log in using the JanRain stuff.

I do like using the twitter account and password (like many app developers) because it's central, you can verify the details and let people use your service in one simple step and you don't need another external service to authenticate against.

I just worry that using external services will limit who uses Twitter apps, and I also worry that managing the credentials myself will negate all the benefits that oAuth provides (because most people will use the same password as their twitter password).

On http://oauth.twe2.com you only ever type anything when you are redirected to Twitter's site, twe2 doesn't ask for anything ever. In my opinion it is the cleanest thing from a UX point of view, however, it's not (from what I have been told) how you're supposed to use oAuth.

Paul.

2009/3/1 Sam K Sethi samkse...@googlemail.com

Hi Paul

As you know we already have a working version of Twitter's OAuth on a test site http://ouath.twitblogs.com and will integrate into our live site when twitter let us. The way we are looking to overcome the user login issue is to use JanRain's www.rpxnow.com and associate a user's ID to their OAuth token.

Our worry is will this all confuse non-technical users

Thanks in advance

Sam
www.twitblogs.com/

This email is: [ ] bloggable [ ] twittable [ ] ask first [X] private

2009/3/1 Dossy Shiobara do...@panoptic.com

On 3/1/09 1:28 PM, Petermdenton wrote:

Dossy, seriously, no one is saying the sky is falling. This list is for application developers to discuss development topics as they please. You may know everything, but for those of us who wish to discuss

We need to resist spreading FUD. Twitter has its problems, but creating ones where there aren't any helps no one.

--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on. (p. 70)
[twitter-dev] Re: Which services use twitter username and password as account identifier
Say I'm twitpic, does OAuth mean a user is going to have to make that awkward round trip to sign up? And does recurring login mean apps are going to have to store credentials? I'm just curious.

On Mar 1, 2009, at 6:19 AM, Paul Kinlan paul.kin...@gmail.com wrote:

Hi,

I am still concerned that the introduction of oAuth is going to cause a lot of problems for applications that use twitter username and password as a login and account registration mechanism for their services. I would like to start a list of the services that primarily use twitter details as a form of login to their services. Starting with:

Twe2 (although we do support oauth right now)
Twollo

What I am keen to also get across is that if we have to introduce a new username and password mechanism for our services I bet that 80% of users will still use the same password as their twitter account, negating the use of oauth.

If anyone wants I can provide you with a secret link for twe2's oauth implementation to show you what we are doing (no username and password - but re-requesting access to your data if you need to login).

I look forward to hearing back and seeing a list of all the services in the ecosystem that use twitter credentials as account authentication and validation so that it is clear how prevalent the problem will be.

Regards,
Paul
[twitter-dev] Re: Which services use twitter username and password as account identifier
Hi,

With oauth you have to make the round trip but I think it works quite well. What I don't think is going to work well is we will all need to develop an account management system with new passwords etc and also prompt existing users to now assign a password to their account (which will probably be their twitter password, because users will think we are asking for that.)

The twe2 way of doing it is to ask you to use the oauth acceptance process, i.e. the part where twitter takes your credentials and you as the user allow twe2 to access your data as the new sign-in process; to login. However, Alex mentioned that is not the use-case for oauth so using it that way may cause problems; it works pretty well though.

Paul

On 1 Mar 2009, at 17:29, Petermdenton petermden...@gmail.com wrote:

Say I'm twitpic, does OAuth mean a user is going to have to make that awkward round trip to sign up? And does recurring login mean apps are going to have to store credentials? I'm just curious.

On Mar 1, 2009, at 6:19 AM, Paul Kinlan paul.kin...@gmail.com wrote:

Hi,

I am still concerned that the introduction of oAuth is going to cause a lot of problems for applications that use twitter username and password as a login and account registration mechanism for their services. I would like to start a list of the services that primarily use twitter details as a form of login to their services. Starting with:

Twe2 (although we do support oauth right now)
Twollo

What I am keen to also get across is that if we have to introduce a new username and password mechanism for our services I bet that 80% of users will still use the same password as their twitter account, negating the use of oauth.

If anyone wants I can provide you with a secret link for twe2's oauth implementation to show you what we are doing (no username and password - but re-requesting access to your data if you need to login).

I look forward to hearing back and seeing a list of all the services in the ecosystem that use twitter credentials as account authentication and validation so that it is clear how prevalent the problem will be.

Regards,
Paul
[twitter-dev] Re: Which services use twitter username and password as account identifier
On 3/1/09 9:19 AM, Paul Kinlan wrote:

I look forward to hearing back and seeing a list of all the services in the ecosystem that use twitter credentials as account authentication and validation so that it is clear how prevalent the problem will be.

It should be a non-problem. Application developers will simply need to implement, in their application, a way for Twitter users to link their current account to their Twitter account through OAuth.

The sky, indeed, is not falling.

--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on. (p. 70)
[twitter-dev] Re: Which services use twitter username and password as account identifier
Dossy, seriously, no one is saying the sky is falling. This list is for application developers to discuss development topics as they please. You may know everything, but for those of us who wish to discuss

Sent from my iPhone

On Mar 1, 2009, at 10:19 AM, Dossy Shiobara do...@panoptic.com wrote:

On 3/1/09 9:19 AM, Paul Kinlan wrote:

I look forward to hearing back and seeing a list of all the services in the ecosystem that use twitter credentials as account authentication and validation so that it is clear how prevalent the problem will be.

It should be a non-problem. Application developers will simply need to implement, in their application, a way for Twitter users to link their current account to their Twitter account through OAuth.

The sky, indeed, is not falling.

--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on. (p. 70)
[twitter-dev] Re: Which services use twitter username and password as account identifier
On 3/1/09 1:28 PM, Petermdenton wrote:

Dossy, seriously, no one is saying the sky is falling. This list is for application developers to discuss development topics as they please. You may know everything, but for those of us who wish to discuss

We need to resist spreading FUD. Twitter has its problems, but creating ones where there aren't any helps no one.

--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on. (p. 70)
[twitter-dev] Re: Which services use twitter username and password as account identifier
This is an issue that concerns me as well, so thank you, Paul, for bringing it up on this list. I do not consider it FUD. This is something that at least a few of us would like to discuss. If it doesn't pertain to you, then fine.

My example would be TweetGrid. Right now, it is entirely a drive-by site, meaning that anyone can use it w/o having to sign-in to the site itself and there is no need to create an account or have any notion of a session. People can search at will. If they want to actually interact with twitter, then (for now, until the official oauth switch) they enter their username and password for whatever account they'd like to use for the interaction and all is well. This is especially nice for people with multiple accounts since there is no session on tweetgrid, each twitter interaction is handled as a separate event/action, so you can change your active account at any time trivially by just retyping your user/pass in the appropriate boxes.

With OAuth I see this changing quite a bit. Each twitter account that wants to interact with twitter through TweetGrid would need to make the loop through twitter. So, if someone wants to use 4 or 5 accounts at once they'd make 4 or 5 authentication trips to twitter and back. Imagine having to do that every time you come to use TweetGrid. I imagine this being a UX nightmare unless I implement some sort of user logon/session system which stores oauth keys for authenticated accounts, etc. Then it is no longer a fully drive-by service, and now I have to bring a login system/database into the equation.

Please Note: This is not me complaining... this is me thinking out loud for the benefit of myself and Paul, who originally posed the question. Responses telling me to man up and just deal with it will be promptly forwarded to /dev/null.

I have been thinking for a while about how to solve this UX situation and how to create something that won't alienate users by making them create Yet Another Website Account (tm) and jumping through some hoops to get there.

Anyway, those are my current thoughts. I, too, would be interested to hear how sites/applications that currently don't use a login system are planning on dealing with the oauth change.

-Chad

On Sun, Mar 1, 2009 at 1:34 PM, Dossy Shiobara do...@panoptic.com wrote:

On 3/1/09 1:28 PM, Petermdenton wrote:

Dossy, seriously, no one is saying the sky is falling. This list is for application developers to discuss development topics as they please. You may know everything, but for those of us who wish to discuss

We need to resist spreading FUD. Twitter has its problems, but creating ones where there aren't any helps no one.

--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on. (p. 70)
[twitter-dev] Re: Which services use twitter username and password as account identifier
Thanks Chad, that is what I am trying to get across, we will definitely need to drastically alter our workflows. I am definitely not trying to spread FUD, the problem is there is definitely uncertainty about the process as a whole which I would like us all to talk about and ways to work with (around) it.

The main problems I have, like a lot of other people is that we developed our apps using twitter as the authentication mechanism. It is very very hard for us to now ask for our users to give us yet another password. I personally never want to deal with managing users' usernames and passwords.

The perception is that oAuth will solve all authentication problems. I have had this, where people won't use twe2 or twollo because we ask for your password, and I generally agree with the sentiment - although the figure is probably about 7 people in total. Now we have to ask every user for a new password, and my gut feeling is that 90% of twitter users will not really understand what oAuth is for (this doesn't mean we shouldn't have it) and when we ask for a password I guarantee that most will use the same password that they do for twitter, thus potentially negating everything oAuth is meant for; or they will no longer decide to use the services.

To see the workflow of oAuth on twe2 you can visit http://oauth.twe2.com (please note, that like twitter oAuth, this is beta at the moment - also note, the site isn't inline with the main site so it may not function as expected).

So anyway, this is a place where we can list our apps that we have created that use Twitter as the authentication method and try and work out a decent solution together.

Thanks.
Paul.

2009/3/1 Chad Etzel jazzyc...@gmail.com

This is an issue that concerns me as well, so thank you, Paul, for bringing it up on this list. I do not consider it FUD. This is something that at least a few of us would like to discuss. If it doesn't pertain to you, then fine.

My example would be TweetGrid. Right now, it is entirely a drive-by site, meaning that anyone can use it w/o having to sign-in to the site itself and there is no need to create an account or have any notion of a session. People can search at will. If they want to actually interact with twitter, then (for now, until the official oauth switch) they enter their username and password for whatever account they'd like to use for the interaction and all is well. This is especially nice for people with multiple accounts since there is no session on tweetgrid, each twitter interaction is handled as a separate event/action, so you can change your active account at any time trivially by just retyping your user/pass in the appropriate boxes.

With OAuth I see this changing quite a bit. Each twitter account that wants to interact with twitter through TweetGrid would need to make the loop through twitter. So, if someone wants to use 4 or 5 accounts at once they'd make 4 or 5 authentication trips to twitter and back. Imagine having to do that every time you come to use TweetGrid. I imagine this being a UX nightmare unless I implement some sort of user logon/session system which stores oauth keys for authenticated accounts, etc. Then it is no longer a fully drive-by service, and now I have to bring a login system/database into the equation.

Please Note: This is not me complaining... this is me thinking out loud for the benefit of myself and Paul, who originally posed the question. Responses telling me to man up and just deal with it will be promptly forwarded to /dev/null.

I have been thinking for a while about how to solve this UX situation and how to create something that won't alienate users by making them create Yet Another Website Account (tm) and jumping through some hoops to get there.

Anyway, those are my current thoughts. I, too, would be interested to hear how sites/applications that currently don't use a login system are planning on dealing with the oauth change.

-Chad

On Sun, Mar 1, 2009 at 1:34 PM, Dossy Shiobara do...@panoptic.com wrote:

On 3/1/09 1:28 PM, Petermdenton wrote:

Dossy, seriously, no one is saying the sky is falling. This list is for application developers to discuss development topics as they please. You may know everything, but for those of us who wish to discuss

We need to resist spreading FUD. Twitter has its problems, but creating ones where there aren't any helps no one.

--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on. (p. 70)
[twitter-dev] Re: Which services use twitter username and password as account identifier
On a similar note (also brought up in a different thread I think) are the so-called bot accounts that many of us run for whatever reason. Now they will have to use OAuth to post instead of basic auth through things like curl. So, as the OP of that thread suggested, we'll have to create dummy umbrella apps for the bots just to get them a token, then store the tokens in the scripts running them I suppose. Alas, @sockington will be subjected to the oauth cat/mouse game as well.

more thinking out loud...

-Chad

On Sun, Mar 1, 2009 at 2:57 PM, Paul Kinlan paul.kin...@gmail.com wrote:

Thanks Chad, that is what I am trying to get across, we will definitely need to drastically alter our workflows. I am definitely not trying to spread FUD, the problem is there is definitely uncertainty about the process as a whole which I would like us all to talk about and ways to work with (around) it.

The main problems I have, like a lot of other people is that we developed our apps using twitter as the authentication mechanism. It is very very hard for us to now ask for our users to give us yet another password. I personally never want to deal with managing users' usernames and passwords.

The perception is that oAuth will solve all authentication problems. I have had this, where people won't use twe2 or twollo because we ask for your password, and I generally agree with the sentiment - although the figure is probably about 7 people in total. Now we have to ask every user for a new password, and my gut feeling is that 90% of twitter users will not really understand what oAuth is for (this doesn't mean we shouldn't have it) and when we ask for a password I guarantee that most will use the same password that they do for twitter, thus potentially negating everything oAuth is meant for; or they will no longer decide to use the services.

To see the workflow of oAuth on twe2 you can visit http://oauth.twe2.com (please note, that like twitter oAuth, this is beta at the moment - also note, the site isn't inline with the main site so it may not function as expected).

So anyway, this is a place where we can list our apps that we have created that use Twitter as the authentication method and try and work out a decent solution together.

Thanks.
Paul.

2009/3/1 Chad Etzel jazzyc...@gmail.com

This is an issue that concerns me as well, so thank you, Paul, for bringing it up on this list. I do not consider it FUD. This is something that at least a few of us would like to discuss. If it doesn't pertain to you, then fine.

My example would be TweetGrid. Right now, it is entirely a drive-by site, meaning that anyone can use it w/o having to sign-in to the site itself and there is no need to create an account or have any notion of a session. People can search at will. If they want to actually interact with twitter, then (for now, until the official oauth switch) they enter their username and password for whatever account they'd like to use for the interaction and all is well. This is especially nice for people with multiple accounts since there is no session on tweetgrid, each twitter interaction is handled as a separate event/action, so you can change your active account at any time trivially by just retyping your user/pass in the appropriate boxes.

With OAuth I see this changing quite a bit. Each twitter account that wants to interact with twitter through TweetGrid would need to make the loop through twitter. So, if someone wants to use 4 or 5 accounts at once they'd make 4 or 5 authentication trips to twitter and back. Imagine having to do that every time you come to use TweetGrid. I imagine this being a UX nightmare unless I implement some sort of user logon/session system which stores oauth keys for authenticated accounts, etc. Then it is no longer a fully drive-by service, and now I have to bring a login system/database into the equation.

Please Note: This is not me complaining... this is me thinking out loud for the benefit of myself and Paul, who originally posed the question. Responses telling me to man up and just deal with it will be promptly forwarded to /dev/null.

I have been thinking for a while about how to solve this UX situation and how to create something that won't alienate users by making them create Yet Another Website Account (tm) and jumping through some hoops to get there.

Anyway, those are my current thoughts. I, too, would be interested to hear how sites/applications that currently don't use a login system are planning on dealing with the oauth change.

-Chad

On Sun, Mar 1, 2009 at 1:34 PM, Dossy Shiobara do...@panoptic.com wrote:

On 3/1/09 1:28 PM, Petermdenton wrote:

Dossy, seriously, no one is saying the sky is falling. This list is for application developers to discuss development topics as they please. You may know everything, but for those of us who wish to discuss

We need to resist spreading FUD.
[twitter-dev] Re: Which services use twitter username and password as account identifier
On Sun, Mar 1, 2009 at 11:57 AM, Paul Kinlan paul.kin...@gmail.com wrote:

Thanks Chad, that is what I am trying to get across, we will definitely need to drastically alter our workflows. I am definitely not trying to spread FUD, the problem is there is definitely uncertainty about the process as a whole which I would like us all to talk about and ways to work with (around) it.

Seem to me that the mindset required is to think of yourself as creating something that isn't just a new front end for Twitter, but a site that has other value. E.g., if you're Facebook, the OAuth paradigm makes perfect sense. All the extra work only seems like trouble when you're building something whose whole purpose is to be some sort of value-added Twitter interface.

Speaking of extra work... I hope that everybody is starting to store user data by Twitter ID, not by user name. I've been frustrated by losing all my preferences in TweetDeck, for example, because it apparently relies on user name, not ID. When I took an underscore out of my user name, TweetDeck no longer knew who I was. This undoubtedly will confuse users who would expect their TweetDeck user name to change when they change their user name in Twitter.

Again, this is the difference between a Twitter front end and a site that has other purposes - nobody would expect their Facebook user name to change just because they changed their Twitter user name, no matter how the accounts were linked.

Nick
[twitter-dev] Re: Which services use twitter username and password as account identifier
I tend to agree, however lots of services are really only about working with Twitter, for instance I don't really want to make twollo work on any other service other than twitter. When you are linking to lots of other sites your points are perfectly valid :)

One thing I have noticed is that in tweet# api the twitter id is marked as obsolete, so that is why I have not used it. The thing is, if you use the twitter id, you need to always call twitter again when someone logs in to your site because you need to work out the twitter id.

Paul.

2009/3/1 Nick Arnett nick.arn...@gmail.com

On Sun, Mar 1, 2009 at 11:57 AM, Paul Kinlan paul.kin...@gmail.com wrote:

Thanks Chad, that is what I am trying to get across, we will definitely need to drastically alter our workflows. I am definitely not trying to spread FUD, the problem is there is definitely uncertainty about the process as a whole which I would like us all to talk about and ways to work with (around) it.

Seem to me that the mindset required is to think of yourself as creating something that isn't just a new front end for Twitter, but a site that has other value. E.g., if you're Facebook, the OAuth paradigm makes perfect sense. All the extra work only seems like trouble when you're building something whose whole purpose is to be some sort of value-added Twitter interface.

Speaking of extra work... I hope that everybody is starting to store user data by Twitter ID, not by user name. I've been frustrated by losing all my preferences in TweetDeck, for example, because it apparently relies on user name, not ID. When I took an underscore out of my user name, TweetDeck no longer knew who I was. This undoubtedly will confuse users who would expect their TweetDeck user name to change when they change their user name in Twitter.

Again, this is the difference between a Twitter front end and a site that has other purposes - nobody would expect their Facebook user name to change just because they changed their Twitter user name, no matter how the accounts were linked.

Nick
[twitter-dev] Re: Which services use twitter username and password as account identifier
On Sun, Mar 1, 2009 at 12:18 PM, Paul Kinlan paul.kin...@gmail.com wrote:

One thing I have noticed is that in tweet# api the twitter id is marked as obsolete, so that is why I have not used it. The thing is, if you use the twitter id, you need to always call twitter again when someone logs in to your site because you need to work out the twitter id.

Right... one more round trip if you're not storing user data.

I don't follow what you wrote about Twitter ID being obsolete. Where does it say that? If it is obsolete, Twitter needs to get rid of the users' ability to change their user names.

Nick
[twitter-dev] Re: Which services use twitter username and password as account identifier
On 3/1/09 2:22 PM, Chad Etzel wrote:

So, if someone wants to use 4 or 5 accounts at once they'd make 4 or 5 authentication trips to twitter and back.

Sure, once per OAuth token lifetime. If Twitter implements OAuth correctly, it's supposed to work like this:

User Sue uses third-party Application App. App needs to access Twitter API on behalf of Sue. App sends Sue through the OAuth flow, where Twitter authenticates Sue and confirms that Sue is granting App permission to act on her behalf. Twitter returns App an OAuth Token which it must store (more on this later) in order to make requests on Sue's behalf. App can use and reuse Token until Token's lifetime expires, at which point App must send Sue through the OAuth flow again.

To ensure a reasonably sane UX for Sue, Twitter needs to permit a reasonably sane Token lifetime. _Ideally_, Twitter should allow users to select their desired lifetime (one hour, one day, one week, one year, for example), in addition to a UX flow to revoke a valid OAuth Token.

Now, on the subject of storing the Token: yes, you could create your own private authentication database and associate the Token to said credentials. Alternatively, you could store the Token (optionally with symmetric key encryption) as a cookie in the user's browser. Done intelligently, the user's browser could store multiple such cookies in various chips, one for each identity they control and have authorized.

Does this help? Can we stop worrying and love the bomb, now?

--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on. (p. 70)
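
An added example, not part of any message in this thread: one way to build the "private authentication database" option described above, keyed by numeric Twitter ID as suggested earlier in the thread so that a user-name change does not orphan the stored token. The browser cookie carries only an HMAC-signed session handle; the class, method names, IDs and token values are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class LinkedAccountStore:
    """Hypothetical server-side store for OAuth access tokens.

    Tokens are keyed by the numeric Twitter ID (stable) rather than the
    user name (changeable). The browser only holds a signed, opaque session
    handle, never the token or the token secret.
    """

    def __init__(self, cookie_key: bytes):
        self._cookie_key = cookie_key
        self._tokens = {}    # twitter_id -> {"screen_name", "token", "token_secret"}
        self._sessions = {}  # session id -> set of twitter_ids linked in that browser

    def _mac(self, sid: str) -> str:
        return hmac.new(self._cookie_key, sid.encode(), hashlib.sha256).hexdigest()

    def new_session(self) -> str:
        """Create an empty session and return the cookie value 'sid.mac'."""
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = set()
        return f"{sid}.{self._mac(sid)}"

    def _open(self, cookie: str):
        """Return the session id if the cookie is authentic and known, else None."""
        sid, sep, mac = cookie.rpartition(".")
        if not sep or not sid:
            return None
        # Constant-time comparison so the MAC cannot be guessed byte by byte.
        if not hmac.compare_digest(mac.encode(), self._mac(sid).encode()):
            return None
        return sid if sid in self._sessions else None

    def link(self, cookie, twitter_id, screen_name, token, token_secret):
        """Record the result of one completed OAuth round trip for this session."""
        sid = self._open(cookie)
        if sid is None:
            raise PermissionError("invalid or unknown session cookie")
        self._tokens[twitter_id] = {
            "screen_name": screen_name,
            "token": token,
            "token_secret": token_secret,
        }
        self._sessions[sid].add(twitter_id)

    def rename(self, twitter_id, new_screen_name):
        """Refresh the display name after the user renames on Twitter."""
        self._tokens[twitter_id]["screen_name"] = new_screen_name

    def accounts(self, cookie):
        """List (twitter_id, screen_name) for every account linked to this session."""
        sid = self._open(cookie)
        if sid is None:
            return []
        return sorted((t, self._tokens[t]["screen_name"]) for t in self._sessions[sid])

    def credentials(self, cookie, twitter_id):
        """Return (token, token_secret) only if this session linked that account."""
        sid = self._open(cookie)
        if sid is None or twitter_id not in self._sessions[sid]:
            return None
        record = self._tokens[twitter_id]
        return record["token"], record["token_secret"]


def demo():
    """Two accounts linked in one browser session, then one of them renamed."""
    store = LinkedAccountStore(cookie_key=secrets.token_bytes(32))
    cookie = store.new_session()
    # Constructed sample values; real ones come back from the OAuth round trip.
    store.link(cookie, 1001, "nick_example", "constructed-token-A", "constructed-secret-A")
    store.link(cookie, 1002, "second_acct", "constructed-token-B", "constructed-secret-B")
    store.rename(1001, "nickexample")  # underscore removed on Twitter
    return store, cookie


if __name__ == "__main__":
    store, cookie = demo()
    print(store.accounts(cookie))
```

Each account still costs one round trip to Twitter, but only once per token lifetime, and switching between linked accounts needs no further trips.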
[twitter-dev] Re: Which services use twitter username and password as account identifier
Dude, I think it is you who needs to chill... srsly. I love the bomb. I've wanted the bomb for a long time, a lot of us have. Having an open discussion on an interesting topic does not mean we are all running around like chickens with our heads cut off.

Without this thread I may never have thought of storing the tokens in a browser cookie. So, thank you for that suggestion. Whether you meant to or not, you may have actually contributed positively to this thread :)

-Chad

On Sun, Mar 1, 2009 at 3:34 PM, Dossy Shiobara do...@panoptic.com wrote:

On 3/1/09 2:22 PM, Chad Etzel wrote:

So, if someone wants to use 4 or 5 accounts at once they'd make 4 or 5 authentication trips to twitter and back.

Sure, once per OAuth token lifetime. If Twitter implements OAuth correctly, it's supposed to work like this:

User Sue uses third-party Application App. App needs to access Twitter API on behalf of Sue. App sends Sue through the OAuth flow, where Twitter authenticates Sue and confirms that Sue is granting App permission to act on her behalf. Twitter returns App an OAuth Token which it must store (more on this later) in order to make requests on Sue's behalf. App can use and reuse Token until Token's lifetime expires, at which point App must send Sue through the OAuth flow again.

To ensure a reasonably sane UX for Sue, Twitter needs to permit a reasonably sane Token lifetime. _Ideally_, Twitter should allow users to select their desired lifetime (one hour, one day, one week, one year, for example), in addition to a UX flow to revoke a valid OAuth Token.

Now, on the subject of storing the Token: yes, you could create your own private authentication database and associate the Token to said credentials. Alternatively, you could store the Token (optionally with symmetric key encryption) as a cookie in the user's browser. Done intelligently, the user's browser could store multiple such cookies in various chips, one for each identity they control and have authorized.

Does this help? Can we stop worrying and love the bomb, now?

--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on. (p. 70)
[twitter-dev] Re: Which services use twitter username and password as account identifier
On 3/1/09 3:41 PM, Chad Etzel wrote: Whether you meant to or not, you may have actually contributed positively to this thread :) I always intend to, even if it hurts. You know how people say, It can't hurt to ask? I wish it did ... :-) -- Dossy Shiobara | do...@panoptic.com | http://dossy.org/ Panoptic Computer Network | http://panoptic.com/ He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on. (p. 70)
[twitter-dev] Re: Which services use twitter username and password as account identifier
I don't follow what you wrote about Twitter ID being obsolete. Where does it say that? If it is obsolete, Twitter needs to get rid of the users' ability to change their user names. It is the .Net Client that says that, I'm presuming it is a bug in that. That is why I have not used the ID but rather the username. 2009/3/1 Nick Arnett nick.arn...@gmail.com On Sun, Mar 1, 2009 at 12:18 PM, Paul Kinlan paul.kin...@gmail.com wrote: One thing I have noticed is that in tweet# api the twitter id is marked as obsolete, so that is why I have not used it The thing is, if you use the twitter id, you need to always call twitter again when someone logs in to your site because you need to work out the twitter id. Right... one more round trip if you're not storing user data. I don't follow what you wrote about Twitter ID being obsolete. Where does it say that? If it is obsolete, Twitter needs to get rid of the users' ability to change their user names. Nick
[twitter-dev] Re: Which services use twitter username and password as account identifier
I think it was one of my threads. I think it was along the lines of you can store the access key in a cookie, but why you would want to publish the fact you are doing it. The thing being that the access token when used in a request is accompanied by a signature that can only be generated if the consumer secret is known. So in theory, you could have it in a cookie (encrypted like previously mentioned). The issues surrounding security of keys are in the spec, which are quite interesting http://oauth.net/core/1.0/#anchor39 Paul 2009/3/1 Abraham Williams 4bra...@gmail.com Alternatively, you could store the Token (optionally with symmetric key encryption) as a cookie in the user's browser. Done intelligently, the user's browser could store multiple such cookies in various chips, one for each identity they control and have authorized. I'm pretty sure that in an older thread Alex has specifically recommended not storing OAuth access tokens in cookies. -- Abraham Williams | http://the.hackerconundrum.com Web608 | Community Evangelist | http://web608.org This email is: [ ] blogable [x] ask first [ ] private. Sent from: Madison Wisconsin United States.
[twitter-dev] Re: Which services use twitter username and password as account identifier
Hi Paul As you know we already have a working version of Twitter's OAuth on a test site http://ouath.twitblogs.com and will integrate into our live site when twitter let us. The way we are looking to overcome the user login issue is to use JanRain's www.rpxnow.com and associate a user's ID to their OAuth token. Our worry is will this all confuse non-technical users Thanks in advance Sam www.twitblogs.com/ This email is: [ ] bloggable [ ] twittable [ ] ask first [X] private 2009/3/1 Dossy Shiobara do...@panoptic.com On 3/1/09 1:28 PM, Petermdenton wrote: Dossy, seriously, no one is saying the sky is falling. This list is for application developers to discuss development topics as they please. You may know everything, but for those of us who wish to discuss We need to resist spreading FUD. Twitter has its problems, but creating ones where there aren't any helps no one. -- Dossy Shiobara | do...@panoptic.com | http://dossy.org/ Panoptic Computer Network | http://panoptic.com/ He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on. (p. 70)
[twitter-dev] Re: Which services use twitter username and password as account identifier
Hi Sam, I think most things other than a basic username and password will confuse most people, which is why asking for their twitter username and password is done (rightly or wrongly) because people know it, use it all the time on twitter and don't have to remember yet another password. I will give JanRain's solution a look over. Trouble is, it looks two phase, log-in via openId/facebook/etc then hook up your twitter account (using oAuth); obviously once you have set up your twitter account you only ever have to log in using the JanRain stuff. I do like using the twitter account and password (like many app developers) because it's central, you can verify the details and let people use your service in one simple step and you don't need another external service to authenticate against. I just worry that using external services will limit who uses Twitter apps, and I also worry that managing the credentials myself will negate all the benefits that oAuth provides (because most people will use the same password as their twitter password). On http://oauth.twe2.com you only ever type anything when you are redirected to Twitter's site, twe2 doesn't ask for anything ever. In my opinion it is the cleanest thing from a UX point of view, however, it's not (from what I have been told) how you're supposed to use oAuth. Paul. 2009/3/1 Sam K Sethi samkse...@googlemail.com Hi Paul As you know we already have a working version of Twitter's OAuth on a test site http://ouath.twitblogs.com and will integrate into our live site when twitter let us. The way we are looking to overcome the user login issue is to use JanRain's www.rpxnow.com and associate a user's ID to their OAuth token. Our worry is will this all confuse non-technical users Thanks in advance Sam www.twitblogs.com/ This email is: [ ] bloggable [ ] twittable [ ] ask first [X] private 2009/3/1 Dossy Shiobara do...@panoptic.com On 3/1/09 1:28 PM, Petermdenton wrote: Dossy, seriously, no one is saying the sky is falling.
This list is for application developers to discuss development topics as they please. You may know everything, but for those of us who wish to discuss We need to resist spreading FUD. Twitter has its problems, but creating ones where there aren't any helps no one. -- Dossy Shiobara | do...@panoptic.com | http://dossy.org/ Panoptic Computer Network | http://panoptic.com/ He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on. (p. 70)
[twitter-dev] Re: Which services use twitter username and password as account identifier
Hi I wonder if there is any value in twitter supporting the openid/oauth hybrid extension http://googledataapis.blogspot.com/2009/01/bringing-openid-and-oauth-together.html This would allow us 3rd party developers to create a login mechanism for our own sites but wrap the Authentication and Authorisation request up in one call to twitter but I guess this requires twitter to support openid. Thanks in advance Sam www.twitblogs.com/ssethi This email is: [ ] bloggable [ ] twittable [ ] ask first [X] private Sent from: Poplar Eng United Kingdom. 2009/3/1 Paul Kinlan paul.kin...@gmail.com Hi Sam, I think most things other than a basic username and password will confuse most people, which is why asking for their twitter username and password is done (rightly or wrongly) because people know it, use it all the time on twitter and don't have to remember yet another password. I will give JanRain's solution a look over. Trouble is, it looks two phase, log-in via openId/facebook/etc then hook up your twitter account (using oAuth); obviously once you have set up your twitter account you only ever have to log in using the JanRain stuff. I do like using the twitter account and password (like many app developers) because it's central, you can verify the details and let people use your service in one simple step and you don't need another external service to authenticate against. I just worry that using external services will limit who uses Twitter apps, and I also worry that managing the credentials myself will negate all the benefits that oAuth provides (because most people will use the same password as their twitter password). On http://oauth.twe2.com you only ever type anything when you are redirected to Twitter's site, twe2 doesn't ask for anything ever. In my opinion it is the cleanest thing from a UX point of view, however, it's not (from what I have been told) how you're supposed to use oAuth. Paul.
2009/3/1 Sam K Sethi samkse...@googlemail.com Hi Paul As you know we already have a working version of Twitter's OAuth on a test site http://ouath.twitblogs.com and will integrate into our live site when twitter let us. The way we are looking to overcome the user login issue is to use JanRain's www.rpxnow.com and associate a user's ID to their OAuth token. Our worry is will this all confuse non-technical users Thanks in advance Sam www.twitblogs.com/ This email is: [ ] bloggable [ ] twittable [ ] ask first [X] private 2009/3/1 Dossy Shiobara do...@panoptic.com On 3/1/09 1:28 PM, Petermdenton wrote: Dossy, seriously, no one is saying the sky is falling. This list is for application developers to discuss development topics as they please. You may know everything, but for those of us who wish to discuss We need to resist spreading FUD. Twitter has its problems, but creating ones where there aren't any helps no one. -- Dossy Shiobara | do...@panoptic.com | http://dossy.org/ Panoptic Computer Network | http://panoptic.com/ He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on. (p. 70)
[twitter-dev] Re: Which services use twitter username and password as account identifier
http://groups.google.com/group/twitter-development-talk/browse_thread/thread/98def90952bdab9c On Sun, Mar 1, 2009 at 17:57, Sam K Sethi samkse...@googlemail.com wrote: Hi I wonder if there is any value in twitter supporting the openid/oauth hybrid extension http://googledataapis.blogspot.com/2009/01/bringing-openid-and-oauth-together.html This would allow us 3rd party developers to create a login mechanism for our own sites but wrap the Authentication and Authorisation request up in one call to twitter but I guess this requires twitter to support openid. Thanks in advance Sam www.twitblogs.com/ssethi This email is: [ ] bloggable [ ] twittable [ ] ask first [X] private Sent from: Poplar Eng United Kingdom. 2009/3/1 Paul Kinlan paul.kin...@gmail.com Hi Sam, I think most things other than a basic username and password will confuse most people, which is why asking for their twitter username and password is done (rightly or wrongly) because people know it, use it all the time on twitter and don't have to remember yet another password. I will give JanRain's solution a look over. Trouble is, it looks two phase, log-in via openId/facebook/etc then hook up your twitter account (using oAuth); obviously once you have set up your twitter account you only ever have to log in using the JanRain stuff. I do like using the twitter account and password (like many app developers) because it's central, you can verify the details and let people use your service in one simple step and you don't need another external service to authenticate against. I just worry that using external services will limit who uses Twitter apps, and I also worry that managing the credentials myself will negate all the benefits that oAuth provides (because most people will use the same password as their twitter password). On http://oauth.twe2.com you only ever type anything when you are redirected to Twitter's site, twe2 doesn't ask for anything ever.
In my opinion it is the cleanest thing from a UX point of view, however, it's not (from what I have been told) how you're supposed to use oAuth. Paul. 2009/3/1 Sam K Sethi samkse...@googlemail.com Hi Paul As you know we already have a working version of Twitter's OAuth on a test site http://ouath.twitblogs.com and will integrate into our live site when twitter let us. The way we are looking to overcome the user login issue is to use JanRain's www.rpxnow.com and associate a user's ID to their OAuth token. Our worry is will this all confuse non-technical users Thanks in advance Sam www.twitblogs.com/ This email is: [ ] bloggable [ ] twittable [ ] ask first [X] private 2009/3/1 Dossy Shiobara do...@panoptic.com On 3/1/09 1:28 PM, Petermdenton wrote: Dossy, seriously, no one is saying the sky is falling. This list is for application developers to discuss development topics as they please. You may know everything, but for those of us who wish to discuss We need to resist spreading FUD. Twitter has its problems, but creating ones where there aren't any helps no one. -- Dossy Shiobara | do...@panoptic.com | http://dossy.org/ Panoptic Computer Network | http://panoptic.com/ He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on. (p. 70) -- Abraham Williams | http://the.hackerconundrum.com Web608 | Community Evangelist | http://web608.org This email is: [ ] blogable [x] ask first [ ] private. Sent from: Madison Wisconsin United States.