On Sun, May 02, 2010 at 07:12:00PM -0700, Mr-Yellow wrote:
> oAuth Core 1.0
> "Service Providers SHOULD allow Users to revoke Access Tokens."
> Without this end-point it's impossible for users to disconnect a
> twitter account.
> If a user links the wrong account then wishes to remove this link they
> their only option is a lot of navigation to twitters controls.

Your app can still have a 'logout' button which causes the app to forget
the user's oauth credentials.  As far as your app is concerned, this is
the same as if the credentials had been revoked.

It's not the ideal situation (if a third party had intercepted the
user's credentials and also had access to your app's credentials, they
could still use them to impersonate the user), but it *is* possible for
a user to disconnect one twitter account from an app and link another
without having to go to twitter.com and find the 'revoke credentials'

Dave Sherohman

Reply via email to