Monday, February 23, 2009

Is OAuth really a good replacement for Basic Authentication?

Recently I have spent some time checking out Twitter to figure out whether it is feasible to work on some kind of integration within the Coalevo Project (see my recent development entry Twittering ...from the Terminal!). Digging into the API, one of the first things that struck me was the exclusive (i.e. no other mechanism is supported) use of HTTP Basic Authentication. Digging a bit deeper, I realized that Twitter is planning to switch to OAuth as a replacement for this Basic Authentication mechanism:

[...]
Once the rest of the bugs are ironed out, OAuth will become the supported authentication system for Twitter, and HTTP Basic Auth will be deprecated after six months.
[...]

My understanding of OAuth so far was very much tied to a 3-tier use case: a user of one service (Service 1) wants to enable a third-party service (Service 2) to access certain resources at the first service. The classical example is a printing service being authorized to access photos at the user’s photo sharing site (see Hueniverse.com Beginners Guide to OAuth, Part II).

Also I stick to my opinion that OAuth is about authorization, not authentication (read Appendix B. Security Considerations of the OAuth Specification, and see my entry OAuth is NOT about authentication).

I am really confused about the fact that Twitter chose OAuth (for their API):
1) for authentication; and
2) to replace HTTP Basic Authentication; and
3) to make it exclusive in the near future.

Especially when reading what Alex Payne has to say about himself:
[...]
I’ve done information security work for a military and intelligence contractor
[...]
[...]
my professional expertise has been in web application development and computer security
[...]

Obviously I am not the only one with doubts: Should Twitter discontinue their Basic Auth API?

Logically they are looking for a replacement, because Basic Authentication isn’t secure over non-SSL connections (which many client libraries won’t use, or even allow you to configure), and SSL is a big overhead if it is only used to conceal the Basic Authentication information; however, maybe they should turn elsewhere for better ideas.
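To make the Basic-Auth-versus-OAuth trade-off concrete, here is an added example (my own code, not from this post, Twitter or any library it mentions). It shows that a Basic Authorization header captured from a non-SSL connection is merely base64, so the password is recovered with no key at all, and contrasts it with OAuth 1.0 HMAC-SHA1 request signing as specified in RFC 5849, where the consumer and token secrets are used only as an HMAC key and never travel in the request. The keys, tokens, secrets and URL below are constructed placeholders, not Twitter credentials.

```python
"""Basic Auth vs OAuth 1.0 HMAC-SHA1 signing: what actually crosses the wire."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


# --- HTTP Basic Authentication (RFC 2617): the password is encoded, not protected ---

def make_basic_header(user, password):
    """Build the Authorization header a Basic Auth client sends on every request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header):
    """Anyone holding a captured Basic header recovers the password without a key."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# --- OAuth 1.0 HMAC-SHA1 request signing (RFC 5849, section 3.4) ---

def _enc(s):
    # RFC 5849 3.6: percent-encode everything except the RFC 3986 unreserved set
    return quote(s, safe="-._~")


def signature_base_string(method, url, params):
    """Canonical string that both client and server sign (RFC 5849 3.4.1)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # urlsplit already lower-cases the host
    if parts.port and parts.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{parts.port}"  # default ports are dropped, others kept
    base_url = f"{scheme}://{host}{parts.path}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    normalized = "&".join(
        f"{k}={v}" for k, v in sorted((_enc(k), _enc(v)) for k, v in pairs)
    )
    return "&".join([method.upper(), _enc(base_url), _enc(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    """The secrets form the HMAC key; only the resulting MAC is transmitted."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def make_oauth_header(method, url, consumer_key, consumer_secret, token, token_secret,
                      nonce=None, timestamp=None):
    """Client side: build the 'Authorization: OAuth ...' header for one request."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp or str(int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, params)
    params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{_enc(k)}="{_enc(v)}"' for k, v in sorted(params.items()))


def parse_oauth_header(header):
    """Split 'OAuth k="v", k2="v2"' back into a dict of decoded parameters."""
    scheme, _, body = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth Authorization header")
    out = {}
    for item in body.split(", "):
        k, _, v = item.partition("=")
        out[unquote(k)] = unquote(v.strip('"'))
    return out


def verify_oauth(method, url, header, consumer_secret, token_secret):
    """Server side: recompute the signature over the request as actually received.

    A production server additionally rejects reused nonces and stale timestamps
    to stop replay of a captured request; that bookkeeping is omitted here.
    """
    params = parse_oauth_header(header)
    presented = params.pop("oauth_signature", "")
    expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    print(decode_basic(make_basic_header("alice", "s3cret")))  # password recovered
    url = "http://api.example.com/1/statuses/home_timeline.json?count=5"
    hdr = make_oauth_header("GET", url, "ck123", "cs-secret", "tk456", "ts-secret")
    print(hdr)  # neither secret appears anywhere in the header
    print(verify_oauth("GET", url, hdr, "cs-secret", "ts-secret"))
```

The signed header is bound to the method, URL and parameters, so altering the request invalidates it and the password-equivalent secrets never leave the client; that is the property that lets OAuth survive a plaintext connection where Basic Auth cannot. Note what signing does not give you: the request and response bodies are still readable on the wire, so SSL remains the only option if confidentiality of the content itself matters.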


Update 10/01/13:
The problems OAuth causes in practice on Twitter (for applications that are not web applications running in a browser), as presented from the point of view of a successful Twitter app developer:
Fixing OAuth
