Matt, thank you for putting an official word in here; it is nice not to
have to speculate on some matters any longer.
I can tell by the lack of responses to my posts that people don't
totally agree with my feelings on the subject. I don't try to be
confrontational; I just tend to be very literal and a bone-headed
purist. Throughout the discussion, though, I have tried to limit my
posts to facts and statements directly from the OAuth specification itself.
I've left the code for OAuth in our application so that it can be
re-enabled with a simple compile switch. The overall flow was fairly
smooth, though not as simple as Basic Auth, and the couple of tickets that
are open on the topic are deal-breakers for us right now. We'll present
it to our users for their consideration once the Twitter OAuth
implementation has matured a bit.
Josh
Matt Sanford wrote:
Hello there,
It seems there have been a few threads lately that end in
frustration about Basic Auth going away. Going into the OAuth beta we
were thinking that we would ideally [1] turn off Basic Auth in the
future. Based on the feedback (that's what betas are for, right?)
we've seen some usages that don't fit the OAuth model and we're
working out what we can do to go on supporting those. Supporting those
may mean some addition to OAuth [2] or keeping Basic Auth around in
some form [3]. We're still in beta and we have not set a date when
Basic Auth will be removed, nor do we know if it ever will. That's
what we're trying to figure out during this beta. All of this feedback
is helpful, but sometimes it borders on FUD. I read all of the mails
on the list but I don't have time to reply to each one. Let's all say
it together: Don't Panic.
The low barrier to entry with the Twitter API is a great feature
we don't want to lose. We think about it often, and I think about it
all of the time in relation to OAuth. I see this as a concern as much
as cron jobs and TwitPic integration, possibly more so, since all of
those things are born of that ease of use. We don't want to lose that
ease of use, and we're working to find a way to keep it and increase
user security.
I don't have all of the answers. I suggest people who fit the
OAuth flow (webapps, etc) implement it, those that are close (desktop
apps) try it, and those that are totally outside of it hang tight. We
need some desktop and mobile apps to try it so we can find out what
works. Everybody knows it's hard, but if you've used desktop apps with
the Flickr API you know it can be done pretty smoothly.
Thanks;
— Matt Sanford / @mzsanford
[1] - Ideally (adv.) - preferably; in a perfect world
[2] - http://groups.google.com/group/oauth/browse_thread/thread/bdf8b99e84a8aaef
[3] - We're not sure what form. Maybe HTTPS only, using all of the
feedback on this list to figure it out.