How Does TwittPic Works ?

[Feras Allaou]

Dear Sirs,

I was trying to do oAuth to use Twitter API but I was surprised that
TwitPic doesn't use this Authentication method ! so How could TwitPic
publish it's name when it updates the status ?
I mean if I use simple Auth method the message will be sent using API
which means Twitter API.
but When I was OAuth the sending method will be my Twitter Client ,
right ?
So how does TwitPic sending method is TwitPic & they don't use Oauth ?

Regards,
Feras Allaou

[Josh Roesslein]

They where grandfathered in. Any applications prior to OAuth are still allowed to set the source
via basic auth until June when basic auth is planned to be shutdown. All new applications may only
set the source parameter via OAuth.

[Lukas Müller]

Only old apps can do this. New apps cannot use it.

[Pedro Junior]

Seesmic Look is old?

-
Pedro Junior

2010/2/2 Lukas Müller <webm...@muellerlukas.de>

[Dewald Pretorius]

At first I thought they must have changed the old Seesmic source to
Seesmic Look.

But no.

Here's a recent tweet from Seesmic:
http://twitter.com/CathyBrooks/status/8570217879

And here's a recent one from Seesmic Look:
http://twitter.com/adamse/status/8565271563

Seesmic Look uses Basic Auth.

Does anyone else spot Mt Everest on this level playing field of ours?

On Feb 2, 10:41 pm, Pedro Junior <v.ju.ni.o...@gmail.com> wrote:
> *Seesmic Look is old?
> *
> -
> Pedro Junior
>
> 2010/2/2 Lukas Müller <webmas...@muellerlukas.de>

[Dewald Pretorius]

Raffi,

What's going on here?

Your credibility is at stake here. You've been telling us in many
posts that new apps must use OAuth to get a source attribution, and
only old grandfathered apps have source attribution with Basic Auth.

[Raffi Krikorian]

seesmic look, i believe, is using oauth talking to api.twitter.com.

--
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi

[Dewald Pretorius]

Raffi,

Have you tried it? There is no OAuth flow. I.e., the user types in his
Twitter username and password. That's it.

If it is indeed using OAuth, does that mean that the background
requesting of tokens when you have the Twitter credentials is now
available? Meaning, I can also now use it to convert all existing
Twitter accounts to OAuth in one fell swoop?

[Raffi Krikorian]

it will be available publicly soon!

[Dewald Pretorius]

Thanks!

I installed Seesmic Look, but never thought of checking the
Connections tab in Twitter.

Crow does not taste all that bad with a thick layer of mustard and
spices.

[Ted Nyman]

That is definitely good news, thanks for the update.

-Ted

On Wed, Feb 3, 2010 at 11:49 AM, Raffi Krikorian <ra...@twitter.com> wrote:

it will be available publicly soon!

On Wed, Feb 3, 2010 at 11:43 AM, Dewald Pretorius <dpr...@gmail.com> wrote:

Raffi,

Have you tried it? There is no OAuth flow. I.e., the user types in his
Twitter username and password. That's it.

If it is indeed using OAuth, does that mean that the background
requesting of tokens when you have the Twitter credentials is now
available? Meaning, I can also now use it to convert all existing
Twitter accounts to OAuth in one fell swoop?

On Feb 3, 3:02 pm, Raffi Krikorian <ra...@twitter.com> wrote:
> seesmic look, i believe, is using oauth talking to api.twitter.com.
>
>

[Cameron Kaiser]

> > If it is indeed using OAuth, does that mean that the background
> > requesting of tokens when you have the Twitter credentials is now
> > available? Meaning, I can also now use it to convert all existing
> > Twitter accounts to OAuth in one fell swoop?
>

> it will be available publicly soon!

Excellent!

--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com
-- Two rules for ultimate life satisfaction: 1) Don't tell people everything. -

[Nik Fletcher]

Hi Raffi

This is great news. We're currently using OAuth in Socialite on OS X
[and I believe we're one of the few OAuth apps out there on the Mac].
How will the migration process go for existing desktop apps that are
using OAuth and want to switch to this far better implementation?

Thanks

Nik

--
Nik Fletcher
Support & QA Manager, Realmac Software

[Raffi Krikorian]

hi nik.

i'm not entirely certain yet.  i'm working on a blog post that will hopefully outline what our plans with oauth is moving forward -- being sick just threw a damper in getting it out :P

[Zac Bowling]

Yes, what magic is this?

I'm confused. It takes username and password but then uses OAuth?

I wonder if they are injecting the username/password into the OAuth form on the page.

Twitter should really randomize that page or require captcha or something.

Zac Bowling

[Dewald Pretorius]

Zach,

There's a soon to be published API method where you can silently get
the OAuth tokens when you have the account's Twitter username and
password, meaning the user does not experience any of the normal OAuth
flow.

I presume that Seesmic just got early access to that method.

So, in this case, user-to-app requires Basic Auth credentials, but app-
to-Twitter uses OAuth once the app has obtained the tokens with the
new method.

[Abraham Williams]

I poked around Seesmic Look a little and this is what I found: http://the.hackerconundrum.com/2010/02/sneak-peek-at-twitters-browserless.html

Abraham

--
Abraham Williams | Community Advocate | http://abrah.am
Project | Out Loud | http://outloud.labs.poseurtech.com
This email is: [ ] shareable [x] ask first [ ] private.
Sent from Seattle, WA, United States

[Dewald Pretorius]

Interesting, Abraham.

Don't we ever need OAuth Wrap, otherwise that x-auth-password will be
sent in clear text, kind of making a mockery of the whole OAuth thing.

On Feb 4, 6:35 pm, Abraham Williams <4bra...@gmail.com> wrote:
> I poked around Seesmic Look a little and this is what I found:http://the.hackerconundrum.com/2010/02/sneak-peek-at-twitters-browser...

[Abraham Williams]

I would imagine that Twitter will require SSL for xAuth calls.

Abraham

[Raffi Krikorian]

totally.

[Greg]

However - will we ever see the ability for 3rd party applications to
talk to eachother using oAuth tokens? For example a custom twitter
oAuth application using TwitPic to publish photos?

[Sean Callahan]

TweetPhoto offers an OAuth solution for uploading photos.

Please check out the link below and let me know if you have any
questions.

http://groups.google.com/group/tweetphoto/web/oauth-signin

Thanks!

Sean

[Raffi Krikorian]

i'll be posting our proposal for "oauth delegation" soon as a RFC.

[Pedro Junior]

Great news!

Thanks!

-
Pedro Junior

2010/2/4 Nik Fletcher <nik.fl...@gmail.com>

[isaiah]

Oh wow, oh wow, oh wow!

[isaiah]

oh wow!
how do i get in on this sweet UX goodness?

is there a form for submitting bribes or is it in-person only?

isaiah

On Feb 3, 11:49 am, Raffi Krikorian <ra...@twitter.com> wrote:

[BJ Weschke]

They do. They already generate a form authenticity token that you have
to submit back with the other relevant form data in order for your
submission to be authentic.

Zac Bowling wrote:
> Yes, what magic is this?
>
> I'm confused. It takes username and password but then uses OAuth?
>
> I wonder if they are injecting the username/password into the OAuth
> form on the page.
>
> Twitter should really randomize that page or require captcha or
> something.
>
> Zac Bowling
>
>
>
> On Wed, Feb 3, 2010 at 11:43 AM, Dewald Pretorius <dpr...@gmail.com
> <mailto:dpr...@gmail.com>> wrote:
>
> Raffi,
>
> Have you tried it? There is no OAuth flow. I.e., the user types in his
> Twitter username and password. That's it.
>
> If it is indeed using OAuth, does that mean that the background
> requesting of tokens when you have the Twitter credentials is now
> available? Meaning, I can also now use it to convert all existing
> Twitter accounts to OAuth in one fell swoop?
>
> On Feb 3, 3:02 pm, Raffi Krikorian <ra...@twitter.com

> <mailto:ra...@twitter.com>> wrote:
> > seesmic look, i believe, is using oauth talking to

> api.twitter.com <http://api.twitter.com>.

> >
> >
> >
> > On Tue, Feb 2, 2010 at 8:09 PM, Dewald Pretorius
> <dpr...@gmail.com <mailto:dpr...@gmail.com>> wrote:
> > > Raffi,
> >
> > > What's going on here?
> >
> > > Your credibility is at stake here. You've been telling us in many
> > > posts that new apps must use OAuth to get a source
> attribution, and
> > > only old grandfathered apps have source attribution with Basic
> Auth.
> >
> > > On Feb 2, 11:18 pm, Dewald Pretorius <dpr...@gmail.com

> <mailto:dpr...@gmail.com>> wrote:
> > > > At first I thought they must have changed the old Seesmic
> source to
> > > > Seesmic Look.
> >
> > > > But no.
> >
> > > > Here's a recent tweet from Seesmic:
> > >http://twitter.com/CathyBrooks/status/8570217879
> >
> > > > And here's a recent one from Seesmic Look:
> > >http://twitter.com/adamse/status/8565271563
> >
> > > > Seesmic Look uses Basic Auth.
> >
> > > > Does anyone else spot Mt Everest on this level playing field
> of ours?
> >
> > > > On Feb 2, 10:41 pm, Pedro Junior <v.ju.ni.o...@gmail.com

> <mailto:v.ju.ni.o...@gmail.com>> wrote:
> >
> > > > > *Seesmic Look is old?
> > > > > *
> > > > > -
> > > > > Pedro Junior
> >

> > > > > 2010/2/2 Lukas M�ller <webmas...@muellerlukas.de
> <mailto:webmas...@muellerlukas.de>>

> >
> > > > > > Only old apps can do this. New apps cannot use it.
> >
> > --
> > Raffi Krikorian
> > Twitter Platform Teamhttp://twitter.com/raffi

> <http://twitter.com/raffi>
>
>

[Michael Steuer]

That's awesome. Please let us know when you do!

Michael. 

[Nik Fletcher]

Hi Raffi

No worries - hope you're feeling better soon! If we can be of any help
with getting this out the door, please let me know!

Cheers

-N

--
twitter.com/nikf

[Aral Balkan]

This is awesome news. Kudos to your pragmatic approach with xAuth and
looking forward to your recursive delegation plans. Blogged it here:
http://aralbalkan.com/3057

I hope the UX community supports Twitter in this.

Aral

[raffi]

hi - i'm still a bit behind, but i've posted a sample workflow of how
identity delegation may work in oauth - this is definitely a RFC, so
please feel free to comment.

http://mehack.com/a-proposal-for-delegation-in-oauth-identity-v

[Jesse Stay]

So am I understanding this correctly that this means TwitPic won't have to ask for the user's Twitter username and Password any more and will instead be able to use OAuth and still provide an API to their users?  I'm trying to figure out if this is encouraging the use of the username and password or discouraging it.

[Raffi Krikorian]

twitpic will not have to ask for usernames and passwords anymore, nor will users have to actually authorize twitpic (as twitpic is not doing anything on their behalf -- it is just confirming their identity).

i think this is a "good thing".