[twitter-dev] Re: What is the correct OAuth API endpoint

2010-03-04 Thread Jaanus
Is there a reason why the OAuth URL in the api wiki could not be HTTPS by default? Why would you want to recommend HTTP over HTTPS? (I know that OAuth was designed to be safe over HTTP, immune against man-in-the-middle and all, but HTTPS just gives me a warm and fuzzy feel. ;) rgds, Jaanus On

Re: [twitter-dev] Re: What is the correct OAuth API endpoint

2010-03-04 Thread Brian Smith
Jaanus wrote: Is there a reason why the OAuth URL in the api wiki could not be HTTPS by default? Why would you want to recommend HTTP over HTTPS? (I know that OAuth was designed to be safe over HTTP, immune against man-in-the-middle and all, but HTTPS just gives me a warm and fuzzy feel. ;) I

Re: [twitter-dev] Re: What is the correct OAuth API endpoint

2010-03-04 Thread Taylor Singletary
Good point. I'll consider encouraging it by default by presenting it that way. I certainly prefer it over https. A gating issue is design choices in many OAuth libraries where a base URL is utilized for both authorization steps and resource requests. If the base URL is https, then that

[twitter-dev] Re: What is the correct OAuth API endpoint

2010-03-04 Thread Jaanus
The one other thing you might want to do is to update the interface on http://twitter.com/oauth, which is where you configure your OAuth apps. This returns you the URLs to use, which are now different from what the wiki says. twitter.com/oauth should also return the correct updated urls. On Mar

[twitter-dev] Re: What is the correct OAuth API endpoint

2010-03-04 Thread funkatron
I'm surprised by this. Honestly, I think Twitter should not be allowing authenticated requests -- whether via signature or Basic Auth -- to happen over non-encrypted connections. Verifying the authenticity of the server is important, as a fair bit of trust is put in the data clients get back