let's step back.

oAuth is the general framework that we want everybody to use.  applications
no longer have to store usernames and passwords, which is "a good thing".

normally, to get access tokens, applications send users through the oAuth
workflow -- this means they bring up a webpage on twitter.com, enter
username/password there, and then the oAuth tokens are handed back to the

xAuth is a method for which to exchange usernames and passwords for those
tokens, without sending the user through the workflow.  this is for two
reasons: 1. mobile/desktop application authors have complained that it makes
their UX fugly when they bring up a web browser (i'll hold my opinions on
this); and 2. web applications that have been storing usernames and
passwords need a method to "bulk convert" all their users over to oauth
tokens.  after that bulk conversion, web applications can send new users
through the oAuth web workflow.

does that clear things up?

On Mon, Apr 26, 2010 at 3:46 PM, John Meyer <john.l.me...@gmail.com> wrote:

> On 4/26/2010 4:23 PM, Raffi Krikorian wrote:
>> honestly, i wouldn't plan on it.  the "spirit" of oAuth is that the
>> user's credentials never even pass through a web application.
> Now I'm confused.  Is xAuth going to be a method unto itself of
> authenticating for the long-term, or is this the way that you are trying to
> transition Basic users to oAuth through xAuth before Basic is shut down?  If
> it's the latter, I don't know why you would even bother if oAuth is simpler
> than xAuth in the first place.

Raffi Krikorian
Twitter Platform Team
