Comments on: Twitter fixes oAuth for desktop and mobile with xAuth

By: Jay

Jay — Tue, 07 Sep 2010 02:55:19 +0000

Thanks for the clean upgrade to xAuth, Aral!

One thing though, I was using your library and couldn’t get my friends tweets + my own to show up. I found out later that this is because the API included has an older version of MGTwitterEngine. The newest one includes a new function, “getHomeTimeline” which reflects the latest Twitter API.

By: Console Bloke

Console Bloke — Thu, 22 Apr 2010 14:42:49 +0000

I’m new to all this and got the job of trying to integrate twitter with our game which is running on both PS3 and 360 and the fact they are deprecating Basic Authentication in favour of oAuth was enough to make me nearly give up till I read this. So I’m praying that xAuth is what I need unless there is any way of using oAuth without a browser.

By: iphoneholic

iphoneholic — Tue, 23 Feb 2010 03:43:59 +0000

So oAuth gives an application a token it can use to access my account with the same authority as my username/password. This token will accompany method calls from this application to my account so that each request can be authenticated.

So how is this better (or even different) than giving the application my username/password credentials in the first place? The access rights are identical in either case, as are the security risks. A stolen token is as serious as a stolen password is it not?

Maybe I’m missing something, but I just don’t see any advantage oAuth offers an end-user application over Basic Auth credential authentication via https. After all, if your own Twitter application can’t be trusted with your username/password, what makes someone think their internet browser can be?

I think oAuth was really thought up to help social networks share user data with one another without sharing specific account credentials. That perhaps makes a little better sense. Attempting to ubiquitously extend that to individual user apps is a gross misapplication IMHO.

By: Aral

Aral — Fri, 05 Feb 2010 13:55:15 +0000

oAuthlover Fat: I don’t think there’s anything else I can say that I haven’t already said in the article. I can only hope that the oAuth working group do not share your fundamentalist view.

As I see it, the oAuth working group has two options: either embrace the pragmatic solution for desktop or mobile apps (which it xAuth) or watch as it becomes a de-facto standard and risk irrelevancy.

By: Aral

Aral — Fri, 05 Feb 2010 13:40:42 +0000

Hey Noel,

First off, thank you for your kind words on the blog, I appreciate it :)

Re: xAuth, the point I was trying to make was not that it is any more secure than what the Exposure app does, it was that it isn’t any less secure. :)

PS. Edited your comment to change the quote since I updated the article.

By: OAuthlover Fat

OAuthlover Fat — Thu, 04 Feb 2010 22:53:58 +0000

And yet the user still must risk giving their login credentials to a third party. There is no win here. There’s no excuse for this. UX is about understanding users. The first thing to understand about users is that their login credentials pose a security risk for not only the originating site but every site the user ever has used.

This trumps everything.

By: Noel

Noel — Thu, 04 Feb 2010 15:39:56 +0000

Hi Aral,

I’ve been reading your blog for a while, its really great.

I had a little trouble following your points about how xAuth is more secure than some of the examples you gave like the Exposure app.

“it has often been circumvented by loading the oAuth authorization screen in a web control. As the Exposure iPhone App example in the previous link shows, this nullifies the advantages of having a trusted third-party application present the page, along with its URL, to the user.”

I understand how this is less secure than flipping over to a browser. However, replacing a web pane login with a login built directly into the app itself (“LoudBird asks the user for her username and password”) seems equally insecure.

Am I missing something?

By: Damon Oehlman

Damon Oehlman — Thu, 04 Feb 2010 12:27:38 +0000

Great post Aral – thanks for creating such a comprehensive post on the state of mobile oAuth with regards to Twitter. Will be interesting to see what other players do in the space.