1. I think the current text makes it clear which account is being used.
2. Not sure I like the idea of auto sign out. Maybe instead if the username
    is provided as an additional parameter Twitter will display the login
    prompt with the username provided. Then the user just enters their
    password and authorizes the app. This way the browser cookie for the
    currently active session is not affected and will remain active.

A suggestion I might make is not asking for the user's Twitter username
before authorization. Instead have the user go to Twitter and authorize
which account they want. Then when they return back and you get the access
token then detect which username is being used if you need it. You could
even double check with the user that this is the account they want.

On Mon, Aug 3, 2009 at 1:55 AM, Coderanger <d...@coderanger.com> wrote:

>
> I am looking into adding OAuth authentication to twitcher
> (http://coderanger.com/twitcher), my twitter client, and have a couple of
> suggestions:
>
> 1. The authorisation page at twitter.com isn't particularly clear as
> to the account being authorised. This could be an issue with users
> authorising multiple accounts from an app. Can I suggest it is split
> into paragraphs and the account name is added to the heading, like:
> ~~~~~~~~~~~
> An application would like to connect to your '<accountname>' account.
>
> The application twitcher by Coderanger.com would like the ability to
> access and update your data on Twitter. This application plans to use
> Twitter for logging you in in the future.
>
> Sign out if you want to connect to an account other than
> <accountname>.
> ~~~~~~~~~~~
>
> 2. It would be useful if you could pass the username up to the
> authorisation page along with the authorisation token. Then at your
> side, if the username is different to the one currently signed in, you
> can auto sign out and place the new username passed into the username
> text input ready for signing in by the user. I think this will improve
> workflow for the customer where multiple-accounts are involved, but
> also when upgrading a system that has been using BasicAuth, and avoid
> potential confusion and mistakes. I don't think there can be any
> security implications for doing this so it would be a possible change
> should you so desire.
>
> Thanks




-- 
Josh
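
Added example, not part of the original thread: the check suggested in the reply (detect the authorized account once the access token arrives, and confirm with the user if it is not the expected one), sketched in Python. It assumes the access token response is a form-encoded body that includes `screen_name` next to the token pair; the function names and the sample response are constructed for illustration.

```python
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample of a form-encoded access token response (not real values).
SAMPLE_RESPONSE = (
    "oauth_token=12345-CONSTRUCTED&oauth_token_secret=CONSTRUCTED"
    "&user_id=12345&screen_name=Work_Account"
)

REQUIRED = ("oauth_token", "oauth_token_secret", "screen_name")


class AccountMismatch(Exception):
    """The authorized account is not the one the client expected."""


def parse_access_token_response(body: str) -> dict:
    """Return the required fields, rejecting missing, blank or repeated ones."""
    fields = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    parsed = {}
    for name in REQUIRED:
        values = fields.get(name, [])
        if len(values) != 1 or not values[0]:
            raise ValueError("missing or ambiguous field: " + name)
        parsed[name] = values[0]
    return parsed


def bind_account(body: str, expected: Optional[str] = None,
                 confirmed: bool = False) -> dict:
    """Decide which local profile the new token belongs to.

    The profile is always keyed on the account the server reports, never on
    a name typed into the client beforehand. If the client did expect a
    particular account and a different one was authorized, refuse to store
    the token until the user has confirmed the switch.
    """
    parsed = parse_access_token_response(body)
    authorized = parsed["screen_name"]
    if expected is not None and not confirmed:
        # Assumption: account names compare case-insensitively; ignore a leading "@".
        if authorized.lower() != expected.lstrip("@").lower():
            raise AccountMismatch(
                "authorized as %r, expected %r" % (authorized, expected))
    return parsed
```

Storing the token under the reported account rather than the typed one keeps a multi-account client from posting as the wrong user when the browser session belonged to a different account.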
