Ben Ward's Scattered Mind

All posts tagged oauth


I’m afraid if I add a post to twitter feature on my side project  !adactio / @adactio will freak out because I NEED to ask for a password. — Leah Culver

The ideological route is to reject Twitter for not providing a suitable API.

Alternatively, could you leave password authentication out altogether and leave it to the browser to prompt users for the username and password when the API gets called? I think I’ve seen HTTP authentication prompts come from Twitter in the past (Natimon’s Twitter http://tweetersation.com/ does when you try to view a protected stream, I think). At least that way people can choose to use the ‘Remember This Password’ feature of their browser, rather than it being stored unencrypted on your server.

Or, just have a ‘Post to Pownce’ button instead…
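The browser-prompt approach described above, as an added example that is not part of the original post: the side project's endpoint answers with a 401 and a `WWW-Authenticate: Basic` challenge whenever no credentials arrive, so the browser shows its own login dialog (and can offer to remember the password); when credentials do arrive they are decoded, handed straight to the upstream call, and never written anywhere on the server. The realm name, the `fake_upstream` stand-in for the Twitter API and the `alice` / `correct horse` pair are constructed for the illustration.

```python
import base64
import binascii
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed realm name; a real deployment would name the upstream service.
REALM = "Twitter API"


def encode_basic(user, password):
    """Build the header value a browser sends after the user fills in the prompt."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(header):
    """Return (username, password) from a 'Basic <base64>' header, or None if absent or malformed."""
    if not header:
        return None
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def handle_post(headers, text, upstream_post):
    """Decide the response for one 'post to Twitter' request.

    headers: request headers (any case); upstream_post: callable(user, password, text) -> bool.
    Returns (status_code, response_headers, body). Credentials are used once and never stored.
    """
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    creds = parse_basic_auth(auth)
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    if creds is None:
        # No usable credentials: challenge, and the browser shows its own login prompt.
        return 401, challenge, "authentication required"
    user, password = creds
    if not upstream_post(user, password, text):
        # Upstream rejected them; challenge again so the user can re-enter.
        return 401, challenge, "upstream rejected credentials"
    return 200, {}, "posted as " + user


def fake_upstream(user, password, text):
    """Hypothetical stand-in for the Twitter API call; accepts one constructed pair."""
    return (user, password) == ("alice", "correct horse")


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        text = self.rfile.read(length).decode("utf-8")
        status, hdrs, body = handle_post(dict(self.headers.items()), text, fake_upstream)
        self.send_response(status)
        for k, v in hdrs.items():
            self.send_header(k, v)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode("utf-8"))


if __name__ == "__main__":
    # Constructed local address; POST to http://127.0.0.1:8080/ from a browser to see the prompt.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

The trade-off the post hints at still applies: the credentials transit the side project's server on every request, so it must be served over HTTPS and must log nothing from the `Authorization` header, but there is no stored copy for an intruder to take.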

Filed in pownce twitter oauth replyto:http://pownce.com/leahculver/notes/4051783/


In response to Jeremy Keith on Pownce:

Here’s a textbook example of why the password anti-pattern is so dodgy. Because we’ve all been taught that it’s okay to hand over passwords for third-party sites, a service called MyNameIsE feels that is perfectly acceptable to use that sensitive information to post a Twitter message from your account!

If you’re one of the people who signed up to this service, I’d love to hear how you felt when you saw this message (ostensibly from you) show up on Twitter.

I know I was ragging on Pownce for still using the password anti-pattern in parts of the “find friends” feature but man, they would never do anything like this!

You’re mostly correct, although I think you put the emphasis of this argument in the wrong place.

Even if Twitter used OAuth, a service you link would still be able to nefariously post spam to your account. The vital difference, and the part that should be emphasised, is not that they’re prevented from doing it, it’s that you’re able to revoke their ability to do it, without changing your password, and without having to update your other third party applications.
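The revocation point above, as an added example that is not part of the original post: two small models run the same scenario, a user who has linked a well-behaved client and an app that starts posting on their behalf. In the password model the only remedy is to change the password, which cuts off every linked app at once; in the token model each app holds its own token, so one can be revoked while the other keeps working, and a later password change touches neither. The app names, the `hunter2` password and the two classes are constructed for the illustration and stand in for no real service's API.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class PasswordDelegation:
    """Password anti-pattern: every linked app holds the user's real password."""
    password: str
    app_passwords: dict = field(default_factory=dict)  # app name -> password that app stored

    def link_app(self, app):
        # The app receives and keeps the real credential.
        self.app_passwords[app] = self.password

    def post(self, app, text):
        # The service cannot tell apps apart: any holder of the password is "the user".
        return self.app_passwords.get(app) == self.password

    def change_password(self, new_password):
        # The only way to cut off one app also cuts off every other app.
        self.password = new_password


@dataclass
class TokenDelegation:
    """OAuth-style: each app gets its own revocable token; the password never leaves the service."""
    password: str
    tokens: dict = field(default_factory=dict)  # live token -> app name; revoked tokens are removed

    def authorize(self, app):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = app
        return token

    def revoke(self, token):
        self.tokens.pop(token, None)

    def post(self, token, text):
        # Only a currently live token may post, and the service knows which app is posting.
        return token in self.tokens

    def change_password(self, new_password):
        # Tokens are independent of the password, so the other apps are unaffected.
        self.password = new_password


APPS = ("misbehaving-app", "good-client")  # constructed names


def compare():
    """Run the scenario against both models; returns which apps can still post at each stage."""
    result = {}

    pw = PasswordDelegation("hunter2")
    for app in APPS:
        pw.link_app(app)
    pw.change_password("new-secret")  # the only remedy against the misbehaving app
    result["password_after_change"] = {app: pw.post(app, "hi") for app in APPS}

    tok = TokenDelegation("hunter2")
    tokens = {app: tok.authorize(app) for app in APPS}
    tok.revoke(tokens["misbehaving-app"])  # cut off just that app
    result["token_after_revoke"] = {app: tok.post(tokens[app], "hi") for app in APPS}
    tok.change_password("new-secret")  # unrelated to the tokens
    result["token_after_password_change"] = {app: tok.post(tokens[app], "hi") for app in APPS}
    return result


if __name__ == "__main__":
    for stage, outcome in compare().items():
        print(stage, outcome)
```

Note what the token model does not do: it never stops the misbehaving app from posting while its grant is live. The difference is entirely in the remedy, which is the point made above.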

Filed in pownce oauth password anti-pattern MyNameIsE Twitter