Letting a mobile/desktop app grab an OAuth token using the user’s 
username/password is still helpful because then they can store the token 
instead of the username/password, which is a big deal when there’s no really 
secure way to store it. Also, if your mobile phone/laptop gets stolen, you can 
still log in via the Twitter website and revoke access from the apps installed 
on your phone/laptop. If the app just used basic auth then the only way to 
revoke access would be to change your password. But, whoever stole your 
phone/laptop could have changed your password first (if the app was using Basic 
auth), and you’re locked out of your account.

So, a way to log in with basic auth and grab an OAuth token could still be

JDG wrote:

But it completely subverts the point of OAuth, because it lets a third party 
have your password. Why even use OAuth in that case?
