On Thu, Dec 10, 2009 at 07:33:28AM -0700, John Meyer wrote:
> okay, forgive me if I'm wrong, but wasn't the whole point of oAuth that
> the application didn't need to know the username/password? That the
> user would grant access to the application and then the application
> would store that rather than the actual username/password. Or am I
> missing the point of going to an oAuth system?
That is *a* point of oauth, not *the* point.
It's probably the most obvious point from a naive end-user viewpoint,
but there are also other advantages to oauth, even when the keys are
obtained by entering your username/password. Just off the top of my
- The app doesn't need to store your username/password in a retrievable
format, so an attacker who compromises the application's data store
will not gain access to them.
- Your username/password will not be transmitted across the internet or
wireless LAN connections on every request made, which greatly reduces
the window of vulnerability for an attacker to intercept them in
- You can change your Twitter username and/or password without then
having to immediately reauthorize the app by re-entering the new
- Conversely, if you wish to revoke a specific app's access, you can do
so without affecting any other application. (Unless the app in
question has stored your username/password in a retrievable format, in
which case it could just get new oauth credentials, of course.)
- If oauth is the only allowed authentication method, a rogue app would
not be able to gain full access to your account. Perhaps most
importantly, it would not be capable of changing your password and
locking you out.
- On Twitter's side, I'm sure it will simplify things considerably for
all API methods to support only a single authentication method.
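The mechanics behind the first two and the fourth bullets (no password in the request, per-app revocation), as an added example that is not part of this thread: OAuth 1.0a HMAC-SHA1 signing (RFC 5849) on the client side and verification against a server-side token store. The endpoint URL, consumer keys, secrets, timestamp and nonce are constructed sample values, and the token store is a simplified model.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

URL = "https://twitter.com/statuses/update.json"  # illustrative endpoint, constructed

def pct(value):
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters stay bare.
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD & enc(base URL) & enc(sorted k=v pairs).
    oauth_signature is never part of the string it protects."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 keyed by consumer and token secret; the password is not an input."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

# Constructed server-side store: one user, two authorized apps, one row per app token.
TOKEN_STORE = {
    "tok-app-A": {"consumer": "ck-A", "consumer_secret": "cs-A", "token_secret": "ts-A"},
    "tok-app-B": {"consumer": "ck-B", "consumer_secret": "cs-B", "token_secret": "ts-B"},
}

def signed_request(token, status, store=TOKEN_STORE):
    """Client side: a status update carrying only the app's token and a signature."""
    row = store[token]
    params = {"oauth_consumer_key": row["consumer"], "oauth_token": token,
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1260459208",
              "oauth_nonce": "constructed-nonce-1", "oauth_version": "1.0", "status": status}
    params["oauth_signature"] = sign("POST", URL, params, row["consumer_secret"], row["token_secret"])
    return params

def server_verify(params, store=TOKEN_STORE):
    """Server side: recompute from stored secrets, compare in constant time."""
    row = store.get(params.get("oauth_token"))
    if row is None or row["consumer"] != params.get("oauth_consumer_key"):
        return False  # unknown or revoked token fails before any crypto runs
    expected = sign("POST", URL, params, row["consumer_secret"], row["token_secret"])
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))

def revoke(token, store=TOKEN_STORE):
    """Per-app revocation: other apps' tokens and the user's password are untouched."""
    store.pop(token, None)
```

Tampering with any signed parameter, presenting one app's signature under another app's token, or using a revoked token all fail verification, while the other app keeps working.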