Re: [twitter-dev] Re: What's the status of OAuth2 API?

2010-08-16 Thread Andrew W. Donoho

On Aug 16, 2010, at 14:39, Taylor Singletary wrote:

> Little bit of devil's advocate for the community on this topic though:
>   - Do you think that when a user authorizes your site to use @Anywhere that 
> there is any implicit authorization that you should be able to exchange those 
> tokens for long-lasting OAuth 1.0A REST tokens without explicitly indicating 
> that you would do that?
Taylor,

I would be very careful here. Twitter could easily walk into the 
privacy nightmare that is Facebook. 

In my opinion, you should let the user experience drive login and 
permissions issues. Users want to get done what they want to get done. Extra 
logins or permissions dialogs, à la Facebook, just cloud the issue. That said, 
@Anywhere's user experience is so different from a REST app (server or client) 
that there is little user-perceived overlap. Hence, there should NOT be a 
connection between the two worlds. To look at it another way, long-lived tokens 
are easily abused and should not be handed out often. I doubt you want to make 
@Anywhere links become vectors for impersonation and fraud. Twitter should make 
it easy to connect with all electronic media but it shouldn't, IMO, be a 
worldwide long-lived sign-on service.
Anon,
Andrew

Andrew W. Donoho
Donoho Design Group, L.L.C.
a...@ddg.com, +1 (512) 750-7596

"We did not come to fear the future. 
We came here to shape it."

-- President Barack Obama, Sept. 2009
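The exchange Taylor asks about, modelled as server-side code. This is an added illustration, not Twitter's @Anywhere implementation: the cookie layout, the HMAC signing, the `rest_upgrade` scope name and the lifetimes are all assumptions. It shows the policy Andrew argues for: a browser identity cookie is short-lived and bound to one site, and a long-lived REST token is minted only when the claims record an explicit grant for that step.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"   # constructed; stands in for the platform's signing key
IDENTITY_TTL = 3600                    # assumed: browser identity lives one hour
LONG_LIVED_TTL = 10 * 365 * 24 * 3600  # assumed: REST token lives for years, hence the caution
UPGRADE_SCOPE = "rest_upgrade"         # hypothetical scope recording explicit consent to exchange

def _sign(body: bytes) -> str:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()

def issue_identity_cookie(user_id: str, app_id: str, scopes: set, now: int) -> str:
    """Build the value a 'twitter_anywhere_identity'-style cookie would carry (layout assumed):
    base64url(JSON claims) + '.' + HMAC over the claims, bound to one app and short-lived."""
    claims = {"uid": user_id, "app": app_id, "scopes": sorted(scopes), "exp": now + IDENTITY_TTL}
    body = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)

def parse_identity_cookie(cookie: str, now: int):
    """Return the claims if the signature verifies and the cookie has not expired, else None."""
    try:
        b64, sig = cookie.rsplit(".", 1)
        body = base64.urlsafe_b64decode(b64)
    except ValueError:                       # malformed cookie, wrong padding, no separator
        return None
    if not hmac.compare_digest(_sign(body), sig):
        return None                          # tampered claims or forged signature
    claims = json.loads(body)
    return claims if claims["exp"] > now else None

def exchange_for_rest_token(cookie: str, requesting_app: str, now: int):
    """Server-side exchange of a browser identity for a long-lived token.
    Returns (token, reason); token is None whenever the exchange is refused."""
    claims = parse_identity_cookie(cookie, now)
    if claims is None:
        return None, "invalid_or_expired_identity"
    if claims["app"] != requesting_app:
        return None, "app_mismatch"          # cookie was issued to a different site
    if UPGRADE_SCOPE not in claims["scopes"]:
        return None, "consent_missing"       # @Anywhere login alone does not imply REST access
    token = {"uid": claims["uid"], "app": requesting_app, "exp": now + LONG_LIVED_TTL}
    return token, "ok"
```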
[twitter-dev] Re: What's the status of OAuth2 API?

2010-08-16 Thread D. Smith
A user can specifically authorize to join the site, like maybe have a
"Signin with Twitter" button that would use the JS API to set the access
token cookie.
Right now when the Anywhere UI displays the authorization prompt it really
looks like the user is authorizing the Application to get access to his
account information.
The application is then even shown on my "Connections" page in Twitter
settings just like any other application that I have authorized using
normal OAuth.

Basically it would be up to Twitter developers to make sure that the
message on that UI popup explains that they are authorizing the
application to access Twitter on their behalf.

Right now if a user authorizes my app via Anywhere I can still get
pretty much his account details via JS and then post it to my server
in the background or even stuff all the data into a cookie and pass it
to the server that way.

The only difference right now is that my server cannot post to Twitter
using the user's credentials, but that's not a good practice to post to
Twitter without user knowledge even if an app has the necessary OAuth
credentials.

On Aug 16, 3:39 pm, Taylor Singletary wrote:
> We'll have a means to exchange @Anywhere access tokens for OAuth 1.0 access
> tokens soon.
>
> Little bit of devil's advocate for the community on this topic though:
>   - Do you think that when a user authorizes your site to use @Anywhere that
> there is any implicit authorization that you should be able to exchange
> those tokens for long-lasting OAuth 1.0A REST tokens without explicitly
> indicating that you would do that?
>
> Taylor
>
>
>
> On Mon, Aug 16, 2010 at 12:36 PM, D. Smith wrote:
> > All I say is that if the 'twitter_anywhere_identity' cookie contained
> > some type of token which could then be used on server side to get
> > actual oauth token, that would be super cool.
>
> > That's exactly how Facebook does it in their JS API, I love it, it's
> > much easier to use to the OAuth1
>
> > On Aug 16, 3:29 pm, Taylor Singletary wrote:
> > > Hi there,
>
> > > @Anywhere does use some elements of OAuth2 for its authentication process
> > > but we've yet to announce any timeline for any other support of OAuth2.
> > > OAuth2 is a gaggle of authentication methods rolled into one, and we've
> > yet
> > > to decide which profiles we'll support.
>
> > > Taylor
>
> > > On Mon, Aug 16, 2010 at 12:22 PM, D. Smith wrote:
> > > > Hello!
> > > > I looked at Twitter Anywhere API and it says the API will set the
> > > > cookie 'twitter_anywhere_identity' under my sites' domain.
> > > > This sounds like how the Facebook JS API is doing the OAuth2
> > > > authentication where I then read the value of that cookie on the
> > > > server side and then request data from facebook using that access
> > > > token.
>
> > > > Is this something that will be available soon on Twitter? I am using
> > > > the OAuth right now but I find that cookie based OAuth2 is much easier
> > > > to work with.
>
> > > > Do you already have this in beta? I would like to try it.


Re: [twitter-dev] Re: What's the status of OAuth2 API?

2010-08-16 Thread Tom van der Woerdt
I don't think that the user even knows that he/she is using @Anywhere
and not some homemade feature of the website he/she is visiting.

Also, you can do a *lot* with @Anywhere and it doesn't really change
very much when changing that to OAuth.

I don't think that the user would care, as long as the tokens are used
properly.

Tom


On 8/16/10 9:39 PM, Taylor Singletary wrote:
> We'll have a means to exchange @Anywhere access tokens for OAuth 1.0
> access tokens soon. 
> 
> Little bit of devil's advocate for the community on this topic though:
>   - Do you think that when a user authorizes your site to use @Anywhere
> that there is any implicit authorization that you should be able to
> exchange those tokens for long-lasting OAuth 1.0A REST tokens without
> explicitly indicating that you would do that?
> 
> Taylor
> 
> On Mon, Aug 16, 2010 at 12:36 PM, D. Smith wrote:
> 
> All I say is that if the 'twitter_anywhere_identity' cookie contained
> some type of token which could then be used on server side to get
> actual oauth token, that would be super cool.
> 
> That's exactly how Facebook does it in their JS API, I love it, it's
> much easier to use to the OAuth1
> 
> 
> On Aug 16, 3:29 pm, Taylor Singletary wrote:
> > Hi there,
> >
> > @Anywhere does use some elements of OAuth2 for its authentication
> process
> > but we've yet to announce any timeline for any other support of
> OAuth2.
> > OAuth2 is a gaggle of authentication methods rolled into one, and
> we've yet
> > to decide which profiles we'll support.
> >
> > Taylor
> >
> >
> >
> > On Mon, Aug 16, 2010 at 12:22 PM, D. Smith wrote:
> > > Hello!
> > > I looked at Twitter Anywhere API and it says the API will set the
> > > cookie 'twitter_anywhere_identity' under my sites' domain.
> > > This sounds like how the Facebook JS API is doing the OAuth2
> > > authentication where I then read the value of that cookie on the
> > > server side and then request data from facebook using that access
> > > token.
> >
> > > Is this something that will be available soon on Twitter? I am using
> > > the OAuth right now but I find that cookie based OAuth2 is much
> easier
> > > to work with.
> >
> > > Do you already have this in beta? I would like to try it.


Re: [twitter-dev] Re: What's the status of OAuth2 API?

2010-08-16 Thread Taylor Singletary
We'll have a means to exchange @Anywhere access tokens for OAuth 1.0 access
tokens soon.

Little bit of devil's advocate for the community on this topic though:
  - Do you think that when a user authorizes your site to use @Anywhere that
there is any implicit authorization that you should be able to exchange
those tokens for long-lasting OAuth 1.0A REST tokens without explicitly
indicating that you would do that?

Taylor

On Mon, Aug 16, 2010 at 12:36 PM, D. Smith wrote:

> All I say is that if the 'twitter_anywhere_identity' cookie contained
> some type of token which could then be used on server side to get
> actual oauth token, that would be super cool.
>
> That's exactly how Facebook does it in their JS API, I love it, it's
> much easier to use to the OAuth1
>
>
> On Aug 16, 3:29 pm, Taylor Singletary wrote:
> > Hi there,
> >
> > @Anywhere does use some elements of OAuth2 for its authentication process
> > but we've yet to announce any timeline for any other support of OAuth2.
> > OAuth2 is a gaggle of authentication methods rolled into one, and we've
> yet
> > to decide which profiles we'll support.
> >
> > Taylor
> >
> >
> >
> > On Mon, Aug 16, 2010 at 12:22 PM, D. Smith wrote:
> > > Hello!
> > > I looked at Twitter Anywhere API and it says the API will set the
> > > cookie 'twitter_anywhere_identity' under my sites' domain.
> > > This sounds like how the Facebook JS API is doing the OAuth2
> > > authentication where I then read the value of that cookie on the
> > > server side and then request data from facebook using that access
> > > token.
> >
> > > Is this something that will be available soon on Twitter? I am using
> > > the OAuth right now but I find that cookie based OAuth2 is much easier
> > > to work with.
> >
> > > Do you already have this in beta? I would like to try it.


[twitter-dev] Re: What's the status of OAuth2 API?

2010-08-16 Thread D. Smith
All I say is that if the 'twitter_anywhere_identity' cookie contained
some type of token which could then be used on server side to get
actual oauth token, that would be super cool.

That's exactly how Facebook does it in their JS API, I love it, it's
much easier to use to the OAuth1


On Aug 16, 3:29 pm, Taylor Singletary wrote:
> Hi there,
>
> @Anywhere does use some elements of OAuth2 for its authentication process
> but we've yet to announce any timeline for any other support of OAuth2.
> OAuth2 is a gaggle of authentication methods rolled into one, and we've yet
> to decide which profiles we'll support.
>
> Taylor
>
>
>
> On Mon, Aug 16, 2010 at 12:22 PM, D. Smith wrote:
> > Hello!
> > I looked at Twitter Anywhere API and it says the API will set the
> > cookie 'twitter_anywhere_identity' under my sites' domain.
> > This sounds like how the Facebook JS API is doing the OAuth2
> > authentication where I then read the value of that cookie on the
> > server side and then request data from facebook using that access
> > token.
>
> > Is this something that will be available soon on Twitter? I am using
> > the OAuth right now but I find that cookie based OAuth2 is much easier
> > to work with.
>
> > Do you already have this in beta? I would like to try it.