OAuth definitely sells itself as more than just a non-password-based
authorization protocol. Just as important as not sharing the user's
password is the value/usefulness of the information being accessed to
service consumers. Look at where OAuth 2.0 is headed with the
inclusion of scope parameters in the standard. Even the "hello world"
use case of OAuth is a user granting consent to a printing application
to access "their photos" on another website. As a user who set up my
own account on Twitter I should be allowed to selectively share pieces
of MY user profile with other apps. Facebook obviously get this, and
while I am sure the folks at Twitter do too, they have chosen not to
provide this function. That is an unnecessary inhibitor, not a
selling point of the site. I am not suggesting it should be in the
default scope, but it should be requestable via a scope parameter in
the redirect-for-authorization step, and if granted should be in the
returned data.

I have developed implementations of OpenID, OAuth and Infocard from
the ground up, so know precisely what the capabilities are. OpenID
doesn't offer any more or less in the way of attribute sharing than
OAuth - it's what the deployers of the technologies choose to expose
from their databases that makes the difference. I'm suggesting Twitter
should let users decide what to share, not always hide what many
consider to be the single most useful attribute of a user's profile.

On Sep 9, 1:12 am, Tom van der Woerdt <> wrote:
> I disagree - the idea behind OAuth is to provide access to information
> on a server without the need for sending usernames/passwords. Nothing
> more than that. ;-)
> You may like OpenID though.
> Tom
> On 9/8/10 3:01 PM, shanew wrote:
> > Thanks for the reply Ken. I understand all you have said, but the real
> > power of protocols like OAuth is user consent of their own attribute
> > data. My entire goal is to *avoid* having to ask a user to re-enter
> > their email address. In this particular use case "minimally invasive"
> > is equivalent to "minimally useful".
> > On Sep 7, 7:58 pm, Ken <> wrote:
> >> Twitter has distinguished itself as a "minimally invasive" social
> >> network. The API gives you the ability to replicate and build on the
> >> communication model appreciated by Twitter users.
> >> It's about brevity, it's lightweight and of course you can reach your
> >> followers' inbox by direct messaging, if the user accepts email
> >> notifications.
> >> Meanwhile, verify_credentials gives you what you need to set up their
> >> account and log them in when they return. If you need a user's email
> >> address, just ask them for it.
> >> Ken
