> I looked through the API, the online discussion, and wrote test code
> to check both the authorize and authenticate methods.  I have not been
> able to find any difference between the two, apart from the request
> URL (and, perhaps, some differences in language between Twitter's
> authorize and authenticate pages).
> Are there any differences - or have the two URLs been implemented to
> logically separate standard OAuth from "Sign in with Twitter", but are
> otherwise identical?
> The reason I am asking is because I expected "authentication" to be
> just that - with no rights or privileges to read or write to a user's
> Twitter account.  It appears that when I use "Sign in with Twitter", I
> effectively gain the same level of privileges as I do via the standard
> OAuth authorize flow.

This was contrary to my expectations also, but it's in the OAuth spec:
"OAuth authentication is the process in which Users grant access to
their Protected Resources without sharing their credentials with the
Consumer." - http://oauth.net/core/1.0/#anchor9

I'm somewhat disappointed. "Access" is the definition of authorization,
not authentication. I would like to be able to differentiate between
"prove who you are" and "give me the means to impersonate you."

Chris Babcock
