> It seems clear to me from Raffi's
> comments on it that this third oauth flow is intended solely to enable
> Twitter use from embedded applications or in other environments in which
> it is not possible to use the existing oauth flows because there is no
> way to bring up a browser.

And this will be enforced...how?  The API is going to be smart enough
to discern the "environment" from which the request originates?  Of
course not.  The methods that allow the user-credentials-for-OAuth-
tokens swap will be available to all developers.  Developers who want
the easier implementation and easier user experience will choose those
methods, amplifying the notion that giving away your Twitter
credentials to third-party apps is a good idea.

> It in no way prevents or discourages use of the existing oauth flows in 
> scenarios where a browser is available.

Prevents?  No.  Discourages?  Absolutely.  It provides an incentive
for poor security decisions by developers and users.