> I looked through the API, the online discussion, and wrote test code
> to check both the authorize and authenticate methods. I have not been
> able to find any difference between the two, apart from the request
> URL (and, perhaps, some differences in language between Twitter's
> authorize and authenticate pages).
>
> Are there any differences - or have the two URLs been implemented to
> logically separate standard OAuth from "Sign in with Twitter", but are
> otherwise identical?
>
> The reason I am asking is because I expected "authentication" to be
> just that - with no rights or privileges to read or write to the user's
> Twitter account. It appears that when I use "sign in with Twitter", I
> effectively gain the same level of privileges as I do via the standard
> OAuth authorize flow.
This was contrary to my expectations also, but it's in the OAuth specs: "OAuth authentication is the process in which Users grant access to their Protected Resources without sharing their credentials with the Consumer." - http://oauth.net/core/1.0/#anchor9

I'm somewhat disappointed. "Access" is the definition of authorization, not authentication. I would like to be able to differentiate between "prove who you are" and "give me the means to impersonate you."

Chris Babcock
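An added example, not code from either poster or from Twitter: a toy OAuth 1.0a provider that models the behaviour the thread describes (the token coming back from the authenticate page carries the same read/write rights as one from the authorize page), the real HMAC-SHA1 signing rule from the OAuth 1.0 spec, and the consumer-side discipline that follows from the observation: if all you want is "prove who you are", use the token once against verify_credentials and then drop it instead of persisting a credential that can write to the account. The consumer key/secret, user ids and the ToyProvider class are constructed for the example; the URLs are assumed endpoint paths and nothing here contacts Twitter.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed sample consumer credentials for the example; not real Twitter keys.
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"

# Assumed endpoint paths: the two user-facing pages from the thread, and the
# identity call the consumer makes afterwards.
AUTHORIZE_URL = "https://api.twitter.com/oauth/authorize"
AUTHENTICATE_URL = "https://api.twitter.com/oauth/authenticate"
VERIFY_URL = "https://api.twitter.com/1.1/account/verify_credentials.json"


def pct(value):
    """Percent-encode as OAuth 1.0 requires: only RFC 3986 unreserved chars kept."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & encoded base URL & encoded, sorted 'k=v&k=v' parameter string."""
    normalized = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """oauth_signature for HMAC-SHA1; the key is 'consumer secret & token secret'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


class ToyProvider:
    """Stand-in for the provider. Modelled on the thread's observation: whichever
    page the user is sent to, the access token issued carries identical rights."""

    def __init__(self):
        self._pending = {}   # request token -> (secret, verifier, user_id)
        self._access = {}    # access token -> (token secret, user_id)

    def request_token(self):
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self._pending[token] = (secret, None, None)
        return token, secret

    def user_grants(self, page_url, request_token, user_id):
        # Either page produces the same grant record; only the URL differs.
        assert page_url in (AUTHORIZE_URL, AUTHENTICATE_URL)
        secret, _, _ = self._pending[request_token]
        verifier = secrets.token_hex(4)
        self._pending[request_token] = (secret, verifier, user_id)
        return verifier

    def access_token(self, request_token, verifier):
        secret, expected, user_id = self._pending.pop(request_token)
        if verifier != expected:
            raise PermissionError("bad oauth_verifier")
        token, token_secret = secrets.token_hex(8), secrets.token_hex(16)
        self._access[token] = (token_secret, user_id)
        return token, token_secret

    def rights(self, token):
        """What the bearer of this token may do: the same answer for both flows."""
        return {"read": True, "write": True, "user_id": self._access[token][1]}

    def verify_credentials(self, token, signature, params):
        """Validate a signed GET the way a resource server would, then return identity."""
        token_secret, user_id = self._access[token]
        expected = hmac_sha1_signature("GET", VERIFY_URL, params, CONSUMER_SECRET, token_secret)
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("bad oauth_signature")
        return {"id": user_id}


def run_flow(provider, page_url, user_id):
    """The whole dance for one page; returns the token pair and its rights."""
    rt, _ = provider.request_token()
    verifier = provider.user_grants(page_url, rt, user_id)
    token, token_secret = provider.access_token(rt, verifier)
    return token, token_secret, provider.rights(token)


def rights_are_identical(provider, user_id="12345"):
    """The thread's finding: authenticate and authorize hand back equal rights."""
    _, _, via_authorize = run_flow(provider, AUTHORIZE_URL, user_id)
    _, _, via_authenticate = run_flow(provider, AUTHENTICATE_URL, user_id)
    return via_authorize == via_authenticate


def sign_in_only(provider, user_id):
    """Consumer discipline when only identity is wanted: one signed call to
    verify_credentials, return the user id, and never store the token pair."""
    token, token_secret, _ = run_flow(provider, AUTHENTICATE_URL, user_id)
    params = {"oauth_consumer_key": CONSUMER_KEY, "oauth_token": token,
              "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
              "oauth_nonce": secrets.token_hex(8),
              "oauth_timestamp": str(int(time.time()))}
    sig = hmac_sha1_signature("GET", VERIFY_URL, params, CONSUMER_SECRET, token_secret)
    identity = provider.verify_credentials(token, sig, params)
    del token, token_secret   # the write-capable credential goes no further
    return identity["id"]
```

The signing helpers follow the OAuth 1.0 HMAC-SHA1 rules as written in the spec; the provider is deliberately simplistic (no nonce or timestamp replay checks) because its only job is to show that the rights attached to the token do not depend on which page the user saw. What the consumer can control is how long it keeps that token.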