Hello again,

I do not recommend having individual end users register for consumer keys/secrets [1] under any circumstances. So, with that out of the way, let us focus the discussion a bit more. What can we change about OAuth that would make this better? A complete technical [2][3] discussion on what we could add that would make this better is welcomed. More than welcome, it's pretty much required before we can help. The PIN flow was the first addition to address the inherent insecurity of the consumer key/secret in all desktop applications [3]. This stopped applications from being able to collect tokens by using the consumer key/secret and a confidence scam (phishing like "GoodApp needs you to re-approve us"). It sounds like there is a fervent need for something more … what do people suggest? We're working hard on the problem but many of you are working from the consumer standpoint and probably have great feedback. Please, take your time and write a well thought out reply. One-line snarky comments, while fun to write and sometimes to read, steal time from everyone reading the list, including all of the Twitter API engineers. They also make the list look less inviting to newcomers.

 – Matt Sanford / @mzsanford
     Twitter Dev

[1] - People installing an instance of your server-side app are not 'end users', but other developers
[2] - Not open-source hand waving.
[3] - Closed source desktop apps have the same problem. Reverse engineering is not stopped when you don't include the source.

On Jul 1, 2009, at 9:33 AM, DWRoelands wrote:

Actually, since Twitter has said that Basic Auth will eventually go
away, OAuth is going to be the only choice for authentication.
Twitter has forced the choice by implementing OAuth in the way that
they did.

Why should a user who chooses to support open source by using an open-source
Twitter client be punished by having to go through extra hoops that users of
closed-source clients don't have to endure?

Forcing users of open source Twitter clients to register their
individual installations as Twitter applications is not a viable
solution.  Matt Sanford has even said so.

No one is asking for "easy".  I just want open source Twitter desktop
clients to be able to compete with closed-source versions when it
comes to security.  Right now, that's not possible because of
Twitter's implementation of OAuth.


On Jul 1, 11:23 am, Andrew Badera <and...@badera.us> wrote:
But that's the choice you're forced to make by OAuth, not Twitter. And
it is YOUR choice. Personally, I would probably use the conventional
mechanisms of open source: mailing lists, special interest and user
groups. Pound the pavement and promote yourself. Who said it was going
to be "easy"?
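The PIN flow Matt refers to above is the OAuth 1.0a out-of-band flow: the client declares oauth_callback=oob when fetching a request token, the user approves in a browser and is shown a PIN (the oauth_verifier), and only a request that carries that verifier can be exchanged for an access token. The following is an added simulation of both sides of that exchange; it is not Twitter's code or the original poster's. The provider URL, the "GoodApp" consumer credentials, the user names and the attack helper are all constructed for the example. It shows why an attacker who has extracted a desktop app's consumer key/secret and phished a user into approving a request token the attacker created still cannot finish the flow without the PIN the user saw.

```python
import base64
import hashlib
import hmac
import secrets
import urllib.parse

# Constructed consumer credentials for a hypothetical desktop app ("GoodApp").
# Anyone who pulls these out of the binary can start the flow; the PIN is what
# stops them from finishing it on another user's behalf.
CONSUMER_KEY = "goodapp-key"
CONSUMER_SECRET = "goodapp-secret"
BASE = "https://provider.example"  # hypothetical provider, not a real endpoint


def percent_encode(value):
    # RFC 3986 unreserved set, as OAuth 1.0 requires (space becomes %20, not '+').
    return urllib.parse.quote(str(value), safe="-._~")


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """OAuth 1.0 HMAC-SHA1: key is consumer_secret&token_secret, text is the base string."""
    normalized = "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items()))
    base_string = "&".join([method.upper(), percent_encode(url), percent_encode(normalized)])
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


class Provider:
    """Server side of the 1.0a PIN flow (simulated in-process; no network)."""

    def __init__(self, consumers):
        self.consumers = consumers      # consumer_key -> consumer_secret
        self.request_tokens = {}        # token -> state, including the PIN once authorized
        self.access_tokens = {}         # token -> {secret, user}

    def _signed_ok(self, method, path, params, token_secret=""):
        params = dict(params)
        presented = params.pop("oauth_signature", "")
        secret = self.consumers.get(params.get("oauth_consumer_key"), "")
        expected = hmac_sha1_signature(method, BASE + path, params, secret, token_secret)
        return hmac.compare_digest(presented, expected)

    def request_token(self, params):
        # 1.0a: the client declares its callback up front; "oob" means "show the user a PIN".
        if params.get("oauth_callback") != "oob" or not self._signed_ok("POST", "/oauth/request_token", params):
            raise PermissionError("request_token: bad signature or callback")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "user": None, "verifier": None}
        return {"oauth_token": token, "oauth_token_secret": secret, "oauth_callback_confirmed": "true"}

    def authorize(self, token, user):
        # Happens in the user's browser after login; the PIN is displayed to that user only.
        state = self.request_tokens[token]
        state["user"], state["verifier"] = user, f"{secrets.randbelow(10**7):07d}"
        return state["verifier"]

    def access_token(self, params):
        state = self.request_tokens.get(params.get("oauth_token"))
        if state is None or not self._signed_ok("POST", "/oauth/access_token", params, state["secret"]):
            raise PermissionError("access_token: bad signature or unknown token")
        # The 1.0a fix: a valid consumer secret plus an authorized request token is not
        # enough without the verifier the user typed in.
        if state["verifier"] is None or not hmac.compare_digest(params.get("oauth_verifier", ""), state["verifier"]):
            raise PermissionError("access_token: missing or wrong oauth_verifier")
        del self.request_tokens[params["oauth_token"]]  # request tokens are single use
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = {"secret": secret, "user": state["user"]}
        return {"oauth_token": token, "oauth_token_secret": secret, "user": state["user"]}


class Client:
    """Desktop client holding the (extractable) consumer key/secret."""

    def __init__(self, key, secret):
        self.key, self.secret = key, secret

    def signed_params(self, path, extra, token_secret=""):
        params = {"oauth_consumer_key": self.key, "oauth_nonce": secrets.token_hex(8),
                  "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1246464000",
                  "oauth_version": "1.0", **extra}
        params["oauth_signature"] = hmac_sha1_signature("POST", BASE + path, params, self.secret, token_secret)
        return params


def pin_flow(provider, client, user):
    """Legitimate flow: the user approves, reads the PIN, and types it into the desktop app."""
    rt = provider.request_token(client.signed_params("/oauth/request_token", {"oauth_callback": "oob"}))
    pin = provider.authorize(rt["oauth_token"], user)  # shown to the user in the browser
    at = provider.access_token(client.signed_params(
        "/oauth/access_token", {"oauth_token": rt["oauth_token"], "oauth_verifier": pin}, rt["oauth_token_secret"]))
    return at["user"]


def fixation_attempt(provider, attacker_client, victim):
    """Attacker starts the flow with stolen consumer creds and phishes the victim into approving it.
    Returns True only if the attacker ends up holding an access token for the victim."""
    rt = provider.request_token(attacker_client.signed_params("/oauth/request_token", {"oauth_callback": "oob"}))
    provider.authorize(rt["oauth_token"], victim)  # victim approves; the PIN goes to the victim, not the attacker
    for guess in ("", "0000000"):  # no verifier at all, then a blind guess
        try:
            provider.access_token(attacker_client.signed_params(
                "/oauth/access_token", {"oauth_token": rt["oauth_token"], "oauth_verifier": guess}, rt["oauth_token_secret"]))
            return True
        except PermissionError:
            continue
    return False
```

The attacker in `fixation_attempt` knows everything the desktop app knows (consumer key and secret, the request token and its secret), which is exactly the pre-1.0a session-fixation position. What the provider withholds from them is the verifier, so the phished approval buys nothing; a real provider would also rate-limit access_token attempts so the seven-digit PIN cannot be brute-forced.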
