On Mon, Oct 12, 2009 at 11:01 AM, Ryan Sarver <rsar...@twitter.com> wrote:
> 1. What can be improved about the web workflow?
> 2. What can be improved about the desktop workflow?
> 3. What other models of distributed auth do you think we could learn
> from and what specifically about them?
> 4. What could we improve around the materials for integrating OAuth
> into your application?

This is a given coming from me (I wrote O'Reilly's FBML Essentials), but I
strongly recommend looking at the way Facebook is doing it with Facebook
Connect - if you're logged into Facebook and have authorized the app, no
further auth is necessary - you click the "Connect with Facebook" button,
Facebook tells your app it's already authorized (without sending the user
through the authentication or authorization process again), and you can then
give the user a session in your app. It's a simple one-click workflow that
only turns into a more-than-one-click workflow when absolutely necessary.

I also like that their authorization process naturally provides a popup
instead of forcing the app to completely redirect to another site to
authorize. True, you can do this on your own through a window.open() call
of some sort with Twitter, but with Facebook, they provide all the code that
does this process automatically. No worry about backend code or anything
else on your part. It's very simple to implement (to the extent they've
even built a Wizard to give you the code you need to copy and paste on your

That's just my $.02. Maybe Twitter can try to work with Facebook (gasp!) to
try and come up with an open protocol of some sort that standardizes this
type of authorization effort. Let me know if I can help any in moving
towards this type of authorization flow - it's a much simpler process IMO.
(not to mention it opens up even greater possibilities in a desktop or
mobile environment as well).