> It seems clear to me from Raffi's comments on it that this third oauth flow is intended solely to enable Twitter use from embedded applications or in other environments in which it is not possible to use the existing oauth flows because there is no way to bring up a browser.

And this will be enforced...how? The API is going to be smart enough to discern the "environment" from which the request originates? Of course not. The methods that allow the user-credentials-for-OAuth-tokens swap will be available to all developers. Developers who want the easier implementation and easier user experience will choose those methods, amplifying the notion that giving away your Twitter credentials to third-party apps is a good idea.

> It in no way prevents or discourages use of the existing oauth flows in scenarios where a browser is available.

Prevents? No. Discourages? Absolutely. It provides an incentive for poor security decisions by developers and users.