Thursday, September 2, 2010

How Not To Use OAuth

The OAuth protocol avoids the problem of giving your credentials to third party client applications and web sites when you want them to access your data on another site. Twitter is an example of how not to use OAuth.

It seems the genii who run Twitter require client software to identify itself with a consumer key and consumer secret, which have to be embedded in the application somehow. Obviously, this is a huge problem for open source applications, since it is impossible to obfuscate anything when people can see the source code.

As the article points out, the OAuth RFC actually recommends against using the consumer key mechanism to identify applications the way Twitter does. Isn't it great when companies ignore standards for the sake of their own business goals? ^_^
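To make concrete what that embedded secret actually does, here is an added example (not code from this post, and not Twitter's): in OAuth 1.0 as written up in RFC 5849, the consumer secret is half of the HMAC-SHA1 signing key, so any program that reads it out of the shipped client produces signatures the server verifies exactly as it would the genuine client's. The key, secret, request and token values below are constructed for the illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(s: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' survive."""
    return quote(s, safe="~")


def base_string(method: str, base_url: str, params) -> str:
    """Signature base string (RFC 5849 section 3.4.1) from decoded (name, value) pairs."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)  # sorted by name, then value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method: str, base_url: str, params, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 signature (RFC 5849 section 3.4.2); the consumer secret is half of the key."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, base_url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def server_accepts(method, base_url, params, presented_sig, consumer_secret, token_secret="") -> bool:
    """Server side: recompute the signature with the registered secret, compare in constant time."""
    expected = sign(method, base_url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented_sig)


# Constructed values for the illustration; none of these are real credentials.
CONSUMER_KEY = "constructed-consumer-key"
CONSUMER_SECRET = "constructed-consumer-secret"  # this is what ships inside the client
TOKEN_SECRET = "constructed-user-token-secret"
REQUEST = ("GET", "http://api.example.invalid/1/statuses/home_timeline.json",
           [("oauth_consumer_key", CONSUMER_KEY), ("oauth_token", "constructed-user-token"),
            ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1283385600"),
            ("oauth_nonce", "d41d8cd9")])


def indistinguishable(secret_read_from_client: str) -> bool:
    """True when a signature built from the secret pulled out of the shipped client is accepted
    exactly as the genuine client's would be: the secret then proves nothing about which app is calling."""
    method, url, params = REQUEST
    sig = sign(method, url, params, secret_read_from_client, TOKEN_SECRET)
    return server_accepts(method, url, params, sig, CONSUMER_SECRET, TOKEN_SECRET)
```

Registering a consumer key still lets the server rate-limit or revoke that key, which is all RFC 5849 promises for it; it cannot tell the open source client from anything else built from the same source tree.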
