Re: [twitter-dev] Re: Reinstate 'from app' for Basic Auth desktop apps until OAuth is fixed

2010-01-13 Thread ryan alford
I've been using OAuth for more than 3 months now, about 8 hours a day during
the week while at work, using my own library and my own twitter client.
 I've never had an issue with stability.  Now the desktop implementation is
crappy(been posted about 50 billion times), but other than that, I've never
run into issues with OAuth.

Now I don't use search or streaming, though I don't even know if those use
OAuth.

Is there a specific stability issue?

Ryan

On Wed, Jan 13, 2010 at 4:32 PM, Dewald Pretorius dpr...@gmail.com wrote:

 Raffi,

 As I have noted before, the reliability of OAuth is an actual concern.
 Also the availability of that easy one-time migration method (getting
 the OAuth stuff when you have the username and password).

 Twitter OAuth is still in beta. Ryan said that migration to OAuth will
 become mandatory this year. That cannot be done until you move Twitter
 OAuth into stable production mode. If you do not have the necessary
 confidence in your OAuth implementation to do that, then you cannot
 force anyone to use it.

 On Jan 12, 3:01 am, Raffi Krikorian ra...@twitter.com wrote:
   As it stands, developers who have relatively new desktop apps are
   penalized by having updates from their app say 'from web'. Older Basic
   Auth desktop clients continue to enjoy a link back to the client web
   site with a 'from app' link.
 
  ...
 
   I understand Twitter is trying to force people to use OAuth, but that
   won't happen in a meaningful way until OAuth is reliable, has a truly
   usable workflow (PIN method isn't it), and can work well with other
   services (Twitpic, yfrog, etc). We aren't there yet.
 
  i'm trying to gather use cases around OAuth to help it make sense for
 more
  people to use it -- as it stands, we are not going to allow the source
  parameter to be set in new applications unless they come from OAuth.  so,
  please help me out!
 
  is the reliability of OAuth an actual concern?  do you have a suggestion
 as
  to what you would like to see other than the PIN workflow?  additionally,
  we're actively working on a delegation method for integration with
 other
  services.
 
  --
  Raffi Krikorian
  Twitter Platform Teamhttp://twitter.com/raffi



Re: [twitter-dev] Re: Reinstate 'from app' for Basic Auth desktop apps until OAuth is fixed

2010-01-13 Thread Tim Haines
On Thu, Jan 14, 2010 at 10:52 AM, ryan alford ryanalford...@gmail.comwrote:

 I've been using OAuth for more than 3 months now, about 8 hours a day
 during the week while at work, using my own library and my own twitter
 client.  I've never had an issue with stability.  Now the desktop
 implementation is crappy(been posted about 50 billion times), but other than
 that, I've never run into issues with OAuth.

 Now I don't use search or streaming, though I don't even know if those use
 OAuth.

 Is there a specific stability issue?

 Ryan



I've found it just as stable as the rest of the API.  It's not perfect, but
is generally pretty good.  My main concern is that I'd like the mobile pages
to be formatted for mobile devices.

Oh - and the ability to delegate between apps.  Sooo looking forward to
that.

Tim.


Re: [twitter-dev] Re: Reinstate 'from app' for Basic Auth desktop apps until OAuth is fixed

2010-01-13 Thread ryan alford
I agree.  I believe OAuth for mobile and the delegation between apps are the
biggest concerns that need to be addressed before the depreciation of basic
oauth in June.  Both of these have been beaten to a pulp.  However, these
issues certainly do not push OAuth into an unstable beta state that couldn't
be used in production apps.

Ryan

Sent from my DROID

On Jan 13, 2010 5:46 PM, Tim Haines tmhai...@gmail.com wrote:



On Thu, Jan 14, 2010 at 10:52 AM, ryan alford ryanalford...@gmail.com
wrote:   I've been using O...
I've found it just as stable as the rest of the API.  It's not perfect, but
is generally pretty good.  My main concern is that I'd like the mobile pages
to be formatted for mobile devices.

Oh - and the ability to delegate between apps.  Sooo looking forward to
that.

Tim.


Re: [twitter-dev] Re: Reinstate 'from app' for Basic Auth desktop apps until OAuth is fixed

2010-01-13 Thread Josh Roesslein
On Tue, Jan 12, 2010 at 11:21 PM, Raffi Krikorian ra...@twitter.com wrote:
 If that is the reason for disallowing the source param, why is this
 policy not being applied uniformly? How would users of Tweetie,
 Twitterrific, etc. feel if all their updates now said 'from web'? How
 would the developers of those apps feel?

 those applications have been grandfathered in -- requiring oauth to set the
 source parameter applies to newer applications.
 --
 Raffi Krikorian
 Twitter Platform Team
 http://twitter.com/raffi


Not sure I agree with twitter discission to give the current
applications a break, yet force new apps to conform. Come on its been
like 6 months, pull the plug already and stop babying these old apps.
So new apps should have to deal with the headaches, while these guys
get to sit back and relax until things cool down?? Heh.

 the ability to forge the source parameter is too easy when simply using 
 basic auth.

That's a pretty lame excuse. Desktop apps using oauth are just as
susceptible to this as basic apps. You must distribute your consumer
credentials with the app. A hacker can strip these and use them for
forging. So OAuth provides no protection there.
Only safety to be had with oauth is with server based apps that can
keep their credentials safe.

Josh


Re: [twitter-dev] Re: Reinstate 'from app' for Basic Auth desktop apps until OAuth is fixed

2010-01-12 Thread Raffi Krikorian

 What is the reason for no longer allowing the source parameter for
 Basic Auth desktop apps?


the ability to forge the source parameter is too easy when simply using
basic auth.

-- 
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi


Re: [twitter-dev] Re: Reinstate 'from app' for Basic Auth desktop apps until OAuth is fixed

2010-01-12 Thread Raffi Krikorian

 If that is the reason for disallowing the source param, why is this
 policy not being applied uniformly? How would users of Tweetie,
 Twitterrific, etc. feel if all their updates now said 'from web'? How
 would the developers of those apps feel?


those applications have been grandfathered in -- requiring oauth to set the
source parameter applies to newer applications.

-- 
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi