I too could be wrong, and often am, but I don't see anything in the OAuth specification (http://oauth.net/core/1.0a) about what an access token could or does allow access to, i.e., reading resources as opposed to reading and writing resources. The spec seems to be completely silent on the "granularity" of access that is granted to resources via its mechanisms.

So I think Twitter would be perfectly legitimate in granting authentication only, authentication and read access, and authentication and read and write access "levels" of authorization.

I have previously proposed that the ability to geocode tweets be an additional level of authorization, and I could also see additional levels, or orthogonal capabilities, for, e.g., enabling geo-coding, access to e-mail addresses and device phone numbers, etc.

Comments expected and welcome.

Jim Renkel

-----Original Message-----
From: firstname.lastname@example.org [mailto:twitter-development-t...@googlegroups.com] On Behalf Of JDG
Sent: Monday, September 28, 2009 17:20
To: email@example.com
Subject: [twitter-dev] Re: About the oneforty application directory

Unfortunately, best as I can ascertain, that would violate the OAuth spec (I may, of course, be wrong -- I often am :-) ). There are RW tokens and RO tokens, but no Auth-only tokens. The best you could hope for, given the current state of the spec, would be for an app to simply get, then discard, the Access token.

This is a good use case for OAuth, and perhaps should be brought up with them as a scenario for future versions of the spec.

On Mon, Sep 28, 2009 at 14:47, Jim Renkel <james.ren...@gmail.com> wrote:

Yes, you can check the "Yes, use Twitter for login", or not. I'm not sure what this does, either way.

But you have to select one of the "Read & Write" or "Read-only" radio buttons under the "Default Access type:" heading. There doesn't appear to be any way to turn them both off.

So it seems you always have to request (and receive) at least read access to the data of users that authorize your application to act for them on Twitter.

This is what I and others were trying to point out, and object to: you can't authorize without granting read access.

Why authorize without granting read access? Just to verify that they are the Twitter user they claim to be, without reading, or writing, any of their data.

Jim Renkel

-----Original Message-----
From: firstname.lastname@example.org [mailto:twitter-development-t...@googlegroups.com] On Behalf Of Brian Smith
Sent: Monday, September 28, 2009 09:32
To: email@example.com
Subject: [twitter-dev] Re: About the oneforty application directory

Dossy Shiobara wrote:
> It would be nice if Twitter made "authentication only" as an option for
> OAuth.

Twitter already has this. It is called "Sign in with Twitter."

- Brian

--
Internets. Serious business.