On Thu, Dec 10, 2009 at 07:33:28AM -0700, John Meyer wrote:
> okay, forgive me if I'm wrong, but wasn't the whole point of oAuth that  
> the application didn't need to know the username/password?  That the  
> user would grant access to the application and then the application  
> would store that rather than the actual username/password.  Or am I  
> missing the point of going to an oAuth system?

That is *a* point of oauth, not *the* point.

It's probably the most obvious point from a naive end-user viewpoint,
but there are also other advantages to oauth, even when the keys are
obtained by entering your username/password.  Just off the top of my

- The app doesn't need to store your username/password in a retrievable
  format, so an attacker who compromises the application's data store
  will not gain access to them.

- Your username/password will not be transmitted across the internet or
  wireless LAN connections on every request made, which greatly reduces
  the window of vulnerability for an attacker to intercept them in

- You can change your Twitter username and/or password without then
  having to immediately reauthorize the app by re-entering the new

- Conversely, if you wish to revoke a specific app's access, you can do
  so without affecting any other application.  (Unless the app in
  question has stored your username/password in a retrievable format, in
  which case it could just get new oauth credentials, of course.)

- If oauth is the only allowed authentication method, a rogue app would
  not be able to gain full access to your account.  Perhaps most
  importantly, it would not be capable of changing your password and
  locking you out.

- On Twitter's side, I'm sure it will simplify things considerably for
  all API methods to support only a single authentication method.

Dave Sherohman
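As an added illustration of the properties listed above (example code, not from this thread or from Twitter), the constructed Python model below issues an opaque per-app token once the user has proven ownership: a password change leaves the tokens valid, revoking one app leaves the others untouched, an ordinary API call never carries the password, and an app holding only a token cannot change the password. Class, method and sample names are made up for the example.

```python
import hashlib
import hmac
import secrets

class AccountServer:
    """Constructed toy service (not Twitter's real code): apps hold an opaque
    per-app token; the password is needed only to authorize or to change it."""
    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.tokens = {}  # token -> app name; the app stores only the token

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    def _check_password(self, password):
        return hmac.compare_digest(self._hash(password), self.pw_hash)

    def authorize_app(self, app, password):
        # user proves ownership once; the app receives a random token, not the password
        if not self._check_password(password):
            raise PermissionError("bad password")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = app
        return token

    def api_request(self, token):
        # ordinary API call: authenticated by token only, password never transmitted
        return token in self.tokens

    def revoke_app(self, app):
        # revoking one app leaves every other app's token untouched
        self.tokens = {t: a for t, a in self.tokens.items() if a != app}

    def change_password(self, old, new):
        # requires the real password; existing tokens keep working afterwards
        if not self._check_password(old):
            raise PermissionError("bad password")
        self.pw_hash = self._hash(new)

def demo():
    srv = AccountServer("hunter2")
    t_a, t_b = srv.authorize_app("AppA", "hunter2"), srv.authorize_app("AppB", "hunter2")
    srv.change_password("hunter2", "correct horse battery")
    survive_pw_change = srv.api_request(t_a) and srv.api_request(t_b)
    srv.revoke_app("AppA")
    a_revoked, b_kept = not srv.api_request(t_a), srv.api_request(t_b)
    try:  # a rogue app holding only its token cannot change the password
        srv.change_password(t_b, "pwned")
        token_blocked = False
    except PermissionError:
        token_blocked = True
    return survive_pw_change, a_revoked, b_kept, token_blocked
```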