Re: [twitter-dev] Getting friends_timeline

2010-06-02 Thread Bernd Stramm
On Wed, 2 Jun 2010 07:06:54 -0700
Taylor Singletary taylorsinglet...@twitter.com wrote:

> You can either go ahead and implement the flow, protect it in your
> application such that only you have access to it, and then persist the
> access token you receive until the end of time (or whenever you
> decide to expire it, just like any other OAuth-enabled application).

How does an application expire an access token? There doesn't seem to be
anything in the API about that.

The application can of course decide not to use an access token any
more, but that doesn't mean the token is expired.

The application/user combination can get a new access token. Does that
expire the old token? 

But suppose the application is finished doing some work, and doesn't
want the access token to work any longer. It would be nice to
explicitly say to twitter don't accept this token you gave me any
longer. Or even don't accept ANY token for this application/user pair
until re-authorized.

This would protect against stealing of access tokens and consumer keys.
For practical purposes, for standalone desktop applications, the
consumer key and secret are impossible to protect. Cloning an
application is thus very easy. If an intruder can then also capture an
authorization token, they can post fake tweets and get the user in
trouble. Or get the application blacklisted, or both.

Being able to actively expire an authorization token would help protect
against this.

Be safe,

Bernd

-- 
Bernd Stramm
bernd.str...@gmail.com



Re: [twitter-dev] Getting friends_timeline

2010-06-02 Thread Taylor Singletary
Today, the only means to expire an access token is by the granting user
going to their Account Settings page and severing the permission granted to
your application. There is merit in what you propose but we're not pursuing
those kind of expiration features at this time.
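An application-side stand-in for the expiry this thread asks about, added here as example code that belongs to neither poster nor to Twitter: an OAuth 1.0a HMAC-SHA1 request signer that refuses to sign once the application has locally expired or revoked the token, and that forgets the token secret on revocation so a copied token store is useless. The TokenStore class, the sign function and every credential value are constructed for the example; as the reply above says, a local revocation changes nothing about what Twitter itself still accepts.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote

def pct(s):
    """OAuth 1.0a percent-encoding: only RFC 3986 unreserved characters stay as-is."""
    return quote(str(s), safe="-_.~")

def base_string(method, url, params):
    """Signature base string: METHOD & enc(url) & enc(sorted key=value pairs)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

class TokenStore:
    """Persisted access token with an application-side lifetime and revocation flag.
    Revoking here only stops this app using the token; Twitter still honours it until
    the user severs access in Account Settings, so the secret is dropped as well."""
    def __init__(self, token, token_secret, ttl_seconds):
        self.token, self.token_secret = token, token_secret
        self.expires_at = time.time() + ttl_seconds
        self.revoked = False

    def revoke(self):
        self.revoked = True
        self.token_secret = None  # a copied store can no longer produce signatures

    def usable(self):
        return not self.revoked and time.time() < self.expires_at

def sign(consumer_key, consumer_secret, store, method, url, params, nonce, timestamp):
    """Build the oauth_* parameters (HMAC-SHA1) for one request, or refuse if the token is dead."""
    if not store.usable():
        raise PermissionError("access token locally expired or revoked")
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": store.token,
        "oauth_version": "1.0",
    }
    bs = base_string(method, url, {**params, **oauth})
    key = f"{pct(consumer_secret)}&{pct(store.token_secret)}".encode()
    digest = hmac.new(key, bs.encode(), hashlib.sha1).digest()
    oauth["oauth_signature"] = base64.b64encode(digest).decode()
    return oauth
```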
