Eventually, once we've got user experience solutions that work for the
80% case, we'll be moving off of Basic Auth entirely. But not before
desktop app developers are happy. It's going to take some
experimenting, but I'm sure that we can find some good solutions
between the smart folks in this community and those in the greater
OAuth/web standards community.

OAuth doesn't prevent evil folks from shipping Twitter apps that might
be trojans, but it does allow us here at the Mother Ship to revoke
their ability to talk to the Twitter API. That means less spam/"SEO"
tools, and a short time-to-live for applications that are discovered
to be malicious.

On Tue, Feb 17, 2009 at 10:17, Aral Balkan <[email protected]> wrote:
>
> Hey @al3x et al.,
>
> What's the official stance towards oAuth and desktop apps: will all
> apps, *including desktop apps* be required to implement oAuth?
>
> I'm asking 'cos of the old usability chestnut.
>
> And, at which point do you actually begin to trust an app that you've
> installed onto your system with all sorts of other rights like
> deleting files off of your machine or sending info from your machine
> to the Net? At which point does user beware come into it?
>
> The real benefit of oAuth, as I see it, being able to revoke access,
> is as simple as uninstalling the app. Then again, of course, the app
> could send your details to a site. But, again, this is a desktop app
> you've installed -- if it's that malicious, it could be doing all
> sorts of trojany things that are far worse.
>
> Thoughts?
>
> Thanks,
> Aral
>



-- 
Alex Payne - API Lead, Twitter, Inc.
http://twitter.com/al3x
