It’s been just about a year now since Twitter started using OAuth as a solution for connecting with third-party applications, but to this day we still find situations where we are asked to enter our user name and password.
According to a blog post by a member of Twitter’s API/Platform team, we may not need to worry about this particular nuisance, and potential security hole, much longer.
Raffi Krikorian, a self-professed “hacker, writer, and … tinkerer”, made some waves in the Twitter development arena late into last night with his blog post, which proposes a solution to a problem many developers have been keeping an eye on.
“We really want to get people to switch over and stop using Basic Authentication when talking to our API in a production manner,” he writes. “Why? Basic Authentication is, simply, horribly insecure.”
Here’s the problem, as Krikorian describes it:
You’re an OAuth-enabled Twitter client, and you’ve already authorized your user. Your user wants to use a media providing service like TwitPic. TwitPic, currently, asks for the username and password of your user so it can store the photo on behalf of the Twitter user. You don’t have that username and password, so how do you give the ability to TwitPic to verify the identity of your user?
Krikorian is proposing a solution he calls “OAuth identification delegation”, wherein the application you’re using, Tweetie in his example, passes along its OAuth authorization to TwitPic, which TwitPic can then use to confirm that it is acting on behalf of an authorized user. Right now, using TwitPic requires you to enter your user name and password separately.
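The delegation Krikorian sketches, as an added example that is not code from his post or from Twitter: a simulated three-party exchange in which Tweetie signs a verify_credentials request with secrets only it holds, TwitPic replays that header to Twitter, and Twitter vouches for the identity. The keys, tokens, screen name and timestamp window are constructed; the shape of the flow is what Twitter later shipped as OAuth Echo.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, unquote

# Constructed credentials for the demo; not real Twitter keys or tokens.
CONSUMER = {"tweetie-key": "tweetie-secret"}             # consumer key -> consumer secret
TOKENS = {"user-token": ("user-token-secret", "alice")}  # access token -> (secret, screen name)
VERIFY = ("GET", "https://api.twitter.com/1/account/verify_credentials.json")
UPDATE = ("POST", "https://api.twitter.com/1/statuses/update.json")

def pct(s):
    return quote(str(s), safe="~")  # RFC 5849 percent-encoding

def signature(method, url, params, consumer_secret, token_secret):
    """OAuth 1.0a HMAC-SHA1 over the method, URL and sorted parameters (no body)."""
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    base = "&".join([method, pct(url), pct(norm)]).encode()
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def client_delegation(consumer_key, token, now=None):
    """Tweetie: sign a verify_credentials request with the secrets only it holds and
    hand TwitPic the endpoint plus the resulting Authorization header, nothing else."""
    p = {"oauth_consumer_key": consumer_key, "oauth_token": token,
         "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
         "oauth_timestamp": str(int(now or time.time())), "oauth_nonce": secrets.token_hex(8)}
    p["oauth_signature"] = signature(*VERIFY, p, CONSUMER[consumer_key], TOKENS[token][0])
    return VERIFY, "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(p.items()))

def twitter_verify(method, url, header, now=None, window=300):
    """Twitter: recompute the signature for the endpoint actually being called and return
    the verified screen name, or None. A stale timestamp or a different endpoint fails,
    so the delegated header identifies the user but cannot be replayed to post a tweet."""
    p = dict(kv.split("=", 1) for kv in header[len("OAuth "):].split(", "))
    p = {k: unquote(v.strip('"')) for k, v in p.items()}
    sig = p.pop("oauth_signature", "")
    ck, tok = p.get("oauth_consumer_key"), p.get("oauth_token")
    if ck not in CONSUMER or tok not in TOKENS:
        return None
    if abs(int(now or time.time()) - int(p.get("oauth_timestamp", "0"))) > window:
        return None
    expected = signature(method, url, p, CONSUMER[ck], TOKENS[tok][0])
    return TOKENS[tok][1] if hmac.compare_digest(sig, expected) else None

def twitpic_upload(endpoint, header, photo_bytes):
    """TwitPic: replay the delegated header against the endpoint Tweetie named and store
    the photo only if Twitter vouches for the identity. No password ever reaches TwitPic."""
    user = twitter_verify(*endpoint, header)
    return {"owner": user, "stored": user is not None, "size": len(photo_bytes)}
```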
For now, he says the idea is still in development, writing “once I think we’ve come upon the best solution, I’ll write this up more formally, as well as port it to OAuth WRAP/2.0 (where Twitter is headed).”
Krikorian included a diagram of his solution and is soliciting feedback on his blog.