So basically you are saying Twitter wants a chokehold to block apps they
don't like which you don't currently have with basic auth.


Considering your recent purchase of a twitter client is that really a
message you want to be spreading at the moment?


How about leaving it up to end users to make the decision about which
clients they do and don't use to access twitter. Restricting all clients
to oauth only is hardly going to give developers warm and fuzzy feelings
that with a single keystroke a client can be banned instantly across the
entire ecosystem.


Or am I missing something?

[] On Behalf Of Raffi
Sent: Wednesday, April 14, 2010 8:59 AM
Subject: Re: [twitter-dev] Re: Basic Auth Deprecation


in my ideal world, nobody would have access to a user's password except -- oauth provides a framework so end applications are not
storing the actual password.  people are notoriously bad with using the
same password on lots of different sites.  additionally, oauth provides
twitter better visibility into the traffic coming into our system, so we
can better shape traffic needs, we can provide auditing back to users on
which applications are doing what actions on their behalf, etc.


On Wed, Apr 14, 2010 at 5:39 AM, Dean 'at' Cognation dot Net
<> wrote:

But why is oauth better than basic for a desktop client?

i understand it for the webapps but on a desktop client what's the

Basically you are saying the desktop end user can't be trusted? Sorry
but that doesn't make any sense.

Please explain.


On Apr 14, 1:15 am, Taylor Singletary <>

> Basic auth being turned off means just that..
> Desktop clients can implement xAuth as an alternative, where you do a
> one-time exchange of login and password for an OAuth access token and
> continue from there signing your requests and doing things in the
> OAuth way. You'd no longer, as a best practice and one that I would
> stress in the utmost even on a desktop client, store the login and
> password beyond the xAuth access token negotiation step. If the token
> were revoked you would then query for the login and password again and
> so on and so on and also and also.
> Obtaining permission to use xAuth for desktop clients is as easy as
> sending a well-identified and verbose note to
>
> Basic auth had a good run. It's nearly time to say goodnight.
> Taylor

> On Tuesday, April 13, 2010, Dean Collins <> wrote:
> > Just so I understand this, applications running on the desktop will
> > still work correct? Basic functionality is only being turned off for web
> > apps correct? It's not like desktop apps will have to start using oauth.
> > Cheers,
> > Dean
> > -----Original Message-----
> > From: [] On Behalf Of Dewald
> > Sent: Tuesday, April 13, 2010 7:31 PM
> > To: Twitter Development Talk
> > Subject: [twitter-dev] Re: Basic Auth Deprecation
> > Could you please announce the hard turn off date somewhere on one of
> > your Twitter blogs about a month ahead of time, so that we all have
> > official source to point our users to when we explain to them why
> > we're converting everything over to OAuth?
> > On Apr 13, 8:19 pm, Raffi Krikorian <> wrote:
> >> we have announced deprecation, and will hard turn off basic
> >> in june.  the exact date has not been set, but i presume it will be later in
> >> the month.
> >> > Is Basic Auth going to be deprecated (as in hard switched-off) in
> >> > June, or are you in June going to announce deprecation, with the
> >> > switch-off then coming a few months later?
> >> --
> >> Raffi Krikorian
> >> Twitter Platform Team
> --
> Taylor Singletary
> Developer Advocate, Twitter

Raffi Krikorian
Twitter Platform Team
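
The xAuth pattern described in the thread (trade the login and password for an access token once, keep only the token, ask again if the token is revoked), sketched as an added example that is not part of the original thread or Twitter's own code. The `transport` and `prompt` hooks and the dict-shaped replies are assumptions made so the sketch runs offline; signing follows OAuth 1.0a HMAC-SHA1.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"  # xAuth exchange endpoint

def pct(s):
    """Percent-encode as OAuth 1.0a requires: only RFC 3986 unreserved chars stay literal."""
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """Signature base string: METHOD & encoded URL & encoded, sorted parameter list."""
    norm = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params.items()))
    return "&".join([method.upper(), pct(url), pct(norm)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with consumer secret & token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

class XAuthClient:
    """Keeps only the access token; the password exists just for the duration of login()."""
    def __init__(self, key, secret, transport, prompt):
        self.key, self.secret = key, secret
        self.transport, self.prompt = transport, prompt  # injected hooks (hypothetical)
        self.token = None                                 # (oauth_token, oauth_token_secret)

    def _signed(self, method, url, params, token_secret=""):
        p = dict(params, oauth_consumer_key=self.key, oauth_nonce=secrets.token_hex(16),
                 oauth_signature_method="HMAC-SHA1", oauth_timestamp=str(int(time.time())),
                 oauth_version="1.0")
        p["oauth_signature"] = sign(method, url, p, self.secret, token_secret)
        return p

    def login(self):
        user, password = self.prompt()                    # asked for, used once, never stored
        creds = {"x_auth_mode": "client_auth", "x_auth_username": user,
                 "x_auth_password": password}
        status, body = self.transport("POST", ACCESS_TOKEN_URL,
                                      self._signed("POST", ACCESS_TOKEN_URL, creds))
        if status != 200:
            raise PermissionError("xAuth exchange rejected")
        self.token = (body["oauth_token"], body["oauth_token_secret"])

    def call(self, method, url, params):
        for _ in range(2):                                # at most one re-login after a 401
            if self.token is None:
                self.login()
            req = self._signed(method, url, dict(params, oauth_token=self.token[0]),
                               self.token[1])
            status, body = self.transport(method, url, req)
            if status != 401:
                return status, body
            self.token = None                             # revoked: forget it and re-prompt
        return status, body
```

Revoking the token server-side cuts the client off without the user changing their password, and nothing the client keeps between requests can be replayed as a login elsewhere.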