Chris, I too thought that one should call verify_credentials with OAuth. How are you suggesting we verify that the token is still active, another call to oauth_authenticate/authorize?
Thanks
-Bob

On Thu, Aug 6, 2009 at 7:51 AM, Chris Babcock <cbabc...@kolonelpanic.org> wrote:
>
> On Aug 5, 10:15 pm, Jesse Stay <jesses...@gmail.com> wrote:
>> On Wed, Aug 5, 2009 at 3:04 AM, Chris Babcock <cbabc...@kolonelpanic.com> wrote:
>>
>>> I would strongly recommend OAuth for verifying users, or at least
>>> making it an option, as there is a DoS attack possible against service
>>> providers who rely on this API for access to their app.
>>>
>>> Chris Babcock
>>
>> I'm not sure how OAuth helps, as the problem still exists, even with OAuth
>> users. Even with OAuth, it is still 15 requests per user per hour on
>> verify_credentials. Of course, you probably don't have to run
>> verify_credentials as often with OAuth, but the problem still exists, and
>> there are cases where I can see this could become an issue.
>>
>> Jesse
>
> No, you *never* use verify_credentials with OAuth because you never
> handle user passwords.
>
> Take for example those users whose accounts are being slammed by
> SpamBots. They can still log into Twitter, just not those services
> that rely on verify_credentials service. Because they can still log in
> on the Twitter site, they could still authorize OAuth tokens. You will
> know that they have valid credentials on Twitter if the token has been
> authorized when they return to your site. It's not necessary for your
> app to obtain and verify the credentials directly. Your app can
> completely bypass the rate limited service with its DoS potential.
>
> Chris Babcock
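The two designs Chris contrasts above, modelled as an added example that is not part of this thread and calls no real Twitter endpoint. The provider (`FakeProvider`), its 15-per-hour `verify_credentials` budget, the request-token/verifier/access-token exchange and the user "alice" are all constructed for illustration. The password-based app spends the shared per-user budget on every login, so once other clients acting for the same account have used it up the legitimate user is locked out of the app (the DoS the thread describes); the OAuth app treats a valid callback verifier as the proof of credentials and never touches the rate-limited call.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

RATE_LIMIT_PER_HOUR = 15  # per-user verify_credentials budget quoted in the thread


class RateLimited(Exception):
    """Raised when a user's verify_credentials budget for the hour is spent."""


@dataclass
class FakeProvider:
    """Stand-in for the identity provider (constructed; no real endpoints are called)."""
    passwords: Dict[str, str]
    verify_calls: Dict[str, int] = field(default_factory=dict)          # user -> calls this hour
    pending: Dict[str, Optional[str]] = field(default_factory=dict)     # request token -> user once authorized
    verifiers: Dict[str, str] = field(default_factory=dict)             # request token -> oauth_verifier
    access_tokens: Dict[str, str] = field(default_factory=dict)         # access token -> user

    def verify_credentials(self, user: str, password: str) -> bool:
        """Password check that draws on the per-user hourly budget, like the API in the thread."""
        used = self.verify_calls.get(user, 0)
        if used >= RATE_LIMIT_PER_HOUR:
            raise RateLimited(user)
        self.verify_calls[user] = used + 1
        return secrets.compare_digest(self.passwords.get(user, ""), password)

    def request_token(self) -> str:
        token = secrets.token_hex(8)
        self.pending[token] = None
        return token

    def authorize(self, request_token: str, user: str, password: str) -> Optional[str]:
        """User logs in on the provider's own site; the app never sees the password."""
        if request_token not in self.pending:
            return None
        if not secrets.compare_digest(self.passwords.get(user, ""), password):
            return None
        verifier = secrets.token_hex(8)
        self.pending[request_token] = user
        self.verifiers[request_token] = verifier
        return verifier

    def access_token(self, request_token: str, verifier: str) -> Optional[Tuple[str, str]]:
        """Exchange an authorized request token plus verifier for an access token."""
        user = self.pending.pop(request_token, None)
        expected = self.verifiers.pop(request_token, None)
        if user is None or expected is None or not secrets.compare_digest(expected, verifier):
            return None
        token = secrets.token_hex(8)
        self.access_tokens[token] = user
        return token, user


class PasswordApp:
    """Design 1: the app collects the password and calls verify_credentials on every login."""
    def __init__(self, provider: FakeProvider) -> None:
        self.provider = provider

    def login(self, user: str, password: str) -> bool:
        return self.provider.verify_credentials(user, password)


class OAuthApp:
    """Design 2: the app keys its sessions on an access token obtained via the callback."""
    def __init__(self, provider: FakeProvider) -> None:
        self.provider = provider
        self.sessions: Dict[str, str] = {}

    def begin(self) -> str:
        return self.provider.request_token()

    def callback(self, oauth_token: str, oauth_verifier: str) -> Optional[str]:
        """The authorized token coming back is the proof; no verify_credentials call is made."""
        result = self.provider.access_token(oauth_token, oauth_verifier)
        if result is None:
            return None
        access_token, user = result
        self.sessions[access_token] = user
        return user


def lockout_scenario(user: str = "alice", password: str = "correct horse") -> Dict[str, object]:
    """Same user, same hour: the password design locks the user out, the OAuth design does not."""
    provider = FakeProvider(passwords={user: password})
    pw_app = PasswordApp(provider)
    # Other clients for this account (the spambot case in the thread) exhaust the shared budget.
    for _ in range(RATE_LIMIT_PER_HOUR):
        pw_app.login(user, "stale password")
    try:
        password_login_ok = pw_app.login(user, password)
    except RateLimited:
        password_login_ok = False          # legitimate user is now shut out of the app
    oauth_app = OAuthApp(provider)
    rt = oauth_app.begin()
    verifier = provider.authorize(rt, user, password)   # user logs in on the provider's site
    oauth_user = oauth_app.callback(rt, verifier or "")
    return {"password_login_ok": password_login_ok,
            "oauth_user": oauth_user,
            "verify_calls": provider.verify_calls[user]}


if __name__ == "__main__":
    print(lockout_scenario())
```

The OAuth path still has something to check: the callback must present the verifier the provider issued for that request token, and the app should reject anything else rather than trusting an arbitrary `oauth_token` parameter.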