Agreed. I do believe that the use of HTTP Basic Auth was key to the
quick growth of the 3rd-party app community of Twitter, as the auth
scheme is so well-understood and supported. This may or may not be as
important at this point business-wise, as I suspect the Twitter
userbase is large enough to overcome a fair bit of lazy user inertia.
I wonder if we will see a lot less interesting API hacking (the good
kind), though, and I think that would be a shame.

While OAuth makes a ton of sense for website-based apps, it's kind of
another kettle of fish for locally-hosted apps (desktop and mobile).
Moving to OAuth-only is problematic for us for these reasons:

1. it complicates (and confuses) the process for users: instead of
entering a username and password -- a well-understood, common process
-- now the app has to push the user to a web site which hopefully
explains what's going on decently. This works okay for web dorks like
us, but I guarantee your avg user is going to find this confusing.
Maybe not as confusing as OpenID, though.

2. updating locally-hosted apps to use a new authentication system is
an issue of getting thousands (or higher orders) of users to upgrade.
6 months may not be enough, even for currently active applications.
Stuff in development *cough*like mine*cough* now could find themselves
having to toss out a ton of code they're knee-deep in right now.
Yucky.

My preference would be to *not* see HTTP Basic Auth go away in the
foreseeable future.  If that's not reasonable or possible, the 6-month
window (even given that the "countdown" may not start for a few
months) is pretty tight for comfort, and extending it would be much
preferred.

Note: One might wonder why I only mention these issues in the context
of local apps rather than web apps. I think the expectations and user
behavior tendencies are fairly different in the desktop and mobile app
space, and there are a number of ways malware is detected and
contained in this area. The web app space is a lot more open and easy
to exploit, and likely will be unless the whole paradigm changes.

--
Ed Finkler
http://funkatron.com
AIM: funka7ron
ICQ: 3922133
Skype: funka7ron
On Feb 4, 10:03 pm, Cameron Kaiser <[email protected]> wrote:
>
> I'm still (softly) repeating the hope that this will be extended, even if
> the Basic Auth API remains deprecated and static. An OAuth workflow is
> constrained for desktop apps, and for apps that aren't or can't use a web
> browser (in my case, text-mode twitter clients; other cases include all those
> little curl scripts posting monitoring information, task status, etc.), OAuth
> won't work at all.
>
> I fully support OAuth, but where appropriate. I think Ed Finkler said it
> best when he said the breadth of Twitter applications currently extant
> wouldn't exist were it not for a low barrier to entry. OAuth makes sense
> in many places, but it doesn't make sense everywhere, and I hope alternate
> methods of authentication remain possible even if they are intentionally
> limited to steer preferred traffic to an OAuth workflow. Otherwise I suspect
> the ecosystem "outside the browser" will be greatly reduced.
>
> --
> ------------------------------------ personal: http://www.cameronkaiser.com/ --
>   Cameron Kaiser * Floodgap Systems * www.floodgap.com * [email protected]
> -- Critics are the unpaid guardians of my soul. -- E. Stanley Jones
> -----------