See, I think the problem is that we are talking about two different
things in the same way. There is a big difference: Proxy != Delegate!
OSes do have a built-in proxy authentication scheme, Windows calls it
CardSpace, everyone else calls it OpenID.
There is a standard credential -> access token transformation that
Twitter could leverage. It's called Digest authentication and by the
pure virtue of how a hash works there is no need for a negotiation of
this token.
@Gavin: OAuth is better than handing out a password? Maybe better when
working with a third party, but it adds absolutely no benefit when using
a proxy application. Maybe you should stop using email until providers
switch IMAP and POP to OAuth. What is the point of "delegating" access
to an application on your own desktop/device? If I wanted to harvest
Twitter credentials there are simpler ways than implementing a twitter
client to do it; maybe a fake twitter client that asked for
username/password even after basic auth is expunged, or maybe just
another of the millions of spyware apps that log keyboard activity.
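As an added illustration (not code from the thread or from Twitter): the HTTP Digest computation (RFC 2617, qop=auth) that the post above points to, written from both the client's and the server's side so the trade-off is visible. The password itself never goes on the wire, but the server must store HA1 = MD5(user:realm:password), which is password-equivalent, and the scheme depends on MD5 and on the server tracking nonces; the DigestServer class and the realm and URI strings are my own constructed example values.

```python
import hashlib
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # HA1 is all the server needs to verify: it is password-equivalent.
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorize(username, realm, password, method, uri, nonce):
    """Client side: build the Authorization header fields from a challenge."""
    cnonce = secrets.token_hex(8)
    nc = "00000001"
    resp = digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce, "response": resp}


class DigestServer:
    """Server side (constructed example): stores HA1, never the password."""

    def __init__(self, realm: str):
        self.realm = realm
        self.users = {}        # username -> HA1
        self.nonces = set()    # outstanding challenges

    def register(self, username: str, password: str) -> None:
        self.users[username] = ha1(username, self.realm, password)

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return nonce

    def verify(self, method: str, hdr: dict) -> bool:
        # Reject unknown or already-consumed nonces (replay protection).
        if hdr["nonce"] not in self.nonces or hdr["username"] not in self.users:
            return False
        expected = digest_response(self.users[hdr["username"]], method, hdr["uri"],
                                   hdr["nonce"], hdr["nc"], hdr["cnonce"], hdr["qop"])
        ok = secrets.compare_digest(expected, hdr["response"])
        if ok:
            self.nonces.discard(hdr["nonce"])  # single-use nonce, simplified
        return ok
```

The replay check above is a simplification (one use per nonce instead of tracking the nc counter), but it shows the server-side state a "hash instead of negotiation" scheme still needs.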
atebits wrote:
I'm not saying OAuth is a panacea, but it is better than handing over
a password.
That's the crux of it. It's not a panacea (the UX sucks, especially
for iPhone apps), but the fact is it's only marginally better than
handing over a password. I mentioned this in my blog post (linked
above), but if I'm a native app, I can get your password if I want it
- OAuth or not. It's nothing more than the illusion of security in
this case.
To the twitter-folk: for implementation simplicity, I think you should
run with token-based authentication and deprecate Basic Auth. All I
ask in return is a "special" API method to exchange a
username+password for an access token. This way I can collect a
username+password client side (without directing the user to a webpage)
and authenticate. From the user's perspective, it's just as easy as
OAuth. From Twitter's perspective, all authentication will be routed
the same way*.
Loren
* And then... down the road (as I mentioned in the blog) OS vendors
can step up to the plate and provide a native, system-level interface
for OAuth++ authentication. It'll be better than both worlds: just as
simple for the user as Basic Auth, and even MORE secure than
OAuth-through-a-browser.