oAuth and desktop apps


Aral Balkan

Feb 17, 2009, 1:17:15 PM
to Twitter Development Talk
Hey @al3x et al.,

What's the official stance towards oAuth and desktop apps: will all
apps, *including desktop apps* be required to implement oAuth?

I'm asking 'cos of the old usability chestnut.

And, at which point do you actually begin to trust an app that you've
installed onto your system with all sorts of other rights like
deleting files off of your machine or sending info from your machine
to the Net. At which point does user beware come into it?

The real benefit of oAuth, as I see it, being able to revoke access,
is as simple as uninstalling the app. Then again, of course, the app
could send your details to a site. But, again, this is a desktop app
you've installed -- if it's that malicious, it could be doing all
sorts of trojany things that are far worse.

Thoughts?

Thanks,
Aral

Alex Payne

Feb 17, 2009, 3:46:25 PM
to twitter-deve...@googlegroups.com
Eventually, once we've got user experience solutions that work for the
80% case, we'll be moving off of Basic Auth entirely. But not before
desktop app developers are happy. It's going to take some
experimenting, but I'm sure that we can find some good solutions
between the smart folks in this community and those in the greater
OAuth/web standards community.

OAuth doesn't prevent evil folks from shipping Twitter apps that might
be trojans, but it does allow us here at the Mother Ship to revoke
their ability to talk to the Twitter API. That means less spam/"SEO"
tools, and a short time-to-live for applications that are discovered
to be malicious.


>
> Thoughts?
>
> Thanks,
> Aral
>

--
Alex Payne - API Lead, Twitter, Inc.
http://twitter.com/al3x

Aral Balkan

Feb 17, 2009, 4:51:23 PM
to Twitter Development Talk
Hey Alex,

Another thing I was thinking about was specifically for AIR-based apps
(and I guess, to a larger degree, any desktop app) with regards to the
consumer secret.

If that's included in the desktop app, especially in a SWF for AIR
apps, it's basically open to the world. So another app could use the
consumer secret.

Based on your response, I'm assuming that any new desktop client
should implement oAuth as the only means of auth since the switch will
definitely happen at some point.

Thanks,
Aral

On Feb 17, 8:46 pm, Alex Payne <a...@twitter.com> wrote:
> Eventually, once we've got user experience solutions that work for the
> 80% case, we'll be moving off of Basic Auth entirely. But not before
> desktop app developers are happy. It's going to take some
> experimenting, but I'm sure that we can find some good solutions
> between the smart folks in this community and those in the greater
> OAuth/web standards community.
>
> OAuth doesn't prevent evil folks from shipping Twitter apps that might
> be trojans, but it does allow us here at the Mother Ship to revoke
> their ability to talk to the Twitter API. That means less spam/"SEO"
> tools, and a short time-to-live for applications that are discovered
> to be malicious.
<snip>
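Added example, not code from this thread, from Twitter or from Adobe AIR: a minimal OAuth 1.0a HMAC-SHA1 signer and verifier (RFC 5849 section 3.4) that makes two points in the exchange above concrete. Alex's point: the API side can refuse a consumer key it has revoked, regardless of how the client was installed. Aral's point: the signature only proves possession of the consumer secret and token secret, so a consumer secret compiled into a shipped app (a SWF or any other binary) makes every holder of that file indistinguishable from the real app, and revocation is the service's remaining lever. The consumer registry, keys, secrets, tokens and URL are constructed for the example; a real verifier would also store seen nonces to reject replays.

```python
"""Minimal OAuth 1.0a HMAC-SHA1 signing and verification (RFC 5849, section 3.4).
Added example with constructed values; not the thread's or Twitter's code."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed server-side registry; a real API keeps these in a database.
CONSUMERS = {"desktop-app-key": {"secret": "desktop-app-secret", "revoked": False}}
TOKENS = {"user-access-token": "user-access-token-secret"}
URL = "https://api.example.invalid/1/statuses/update.json"   # constructed endpoint


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters survive."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Section 3.4.1: METHOD & url & normalised params, each percent-encoded."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalised = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalised)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """Section 3.4.2: HMAC-SHA1 keyed with consumer_secret & token_secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def sign_request(method, url, params, consumer_key, consumer_secret,
                 token, token_secret, nonce=None, timestamp=None):
    """Client side. Anything holding these two secrets produces a request the
    server accepts, which is why a consumer secret inside a shipped app is public."""
    signed = dict(params)
    signed.update({
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    })
    signed["oauth_signature"] = hmac_sha1_signature(
        method, url, signed, consumer_secret, token_secret)
    return signed


def verify_request(method, url, params, now=None, max_skew=300):
    """Server side. Returns (accepted, reason). Revocation is checked before the
    signature, so a cut-off app is refused even though its secret still 'works'."""
    consumer = CONSUMERS.get(params.get("oauth_consumer_key"))
    if consumer is None:
        return False, "unknown consumer key"
    if consumer["revoked"]:
        return False, "consumer key revoked"
    token_secret = TOKENS.get(params.get("oauth_token"))
    if token_secret is None:
        return False, "unknown token"
    now = time.time() if now is None else now
    try:
        skew = abs(now - int(params.get("oauth_timestamp", "0")))
    except ValueError:
        return False, "bad timestamp"
    if skew > max_skew:
        return False, "stale timestamp"
    expected = hmac_sha1_signature(method, url, params, consumer["secret"], token_secret)
    presented = str(params.get("oauth_signature", ""))
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False, "bad signature"
    return True, "ok"


def revoke_consumer(consumer_key):
    """The service's lever against a misbehaving client or a leaked consumer key."""
    CONSUMERS[consumer_key]["revoked"] = True


if __name__ == "__main__":
    req = sign_request("POST", URL, {"status": "hello from a desktop app"},
                       "desktop-app-key", "desktop-app-secret",
                       "user-access-token", "user-access-token-secret")
    print(verify_request("POST", URL, req))      # (True, 'ok')
    revoke_consumer("desktop-app-key")
    print(verify_request("POST", URL, req))      # (False, 'consumer key revoked')
```

Running the file signs one request, verifies it, revokes the consumer key and verifies again. The `now` and `max_skew` parameters exist so the freshness check can be exercised with fixed timestamps; the revocation check is deliberately placed before the signature check so that the cost of a leaked consumer secret is bounded by how quickly the key is revoked and reissued, not by the secrecy of the binary.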

Alex Payne

Feb 17, 2009, 5:02:08 PM
to twitter-deve...@googlegroups.com
Yes, we need a solution for shipping desktop and open source apps. But
indeed, new apps should definitely look towards OAuth.

--

Aral Balkan

Feb 17, 2009, 5:29:30 PM
to Twitter Development Talk
Would be happy to take part in a brainstorm on that and contribute
however possible.

The UX for setting up multiple accounts on a desktop app where there's
a jarring context change from desktop to browser for each (inc.
possibly logging out/in to different accounts on Twitter) just scares
me.

Aral

On Feb 17, 10:02 pm, Alex Payne <a...@twitter.com> wrote:
> Yes, we need a solution for shipping desktop and open source apps. But
> indeed, new apps should definitely look towards OAuth.
<snip>

atebits

Feb 17, 2009, 6:03:55 PM
to Twitter Development Talk
Ditto here. How should we get this ball rolling?

Alex Payne

Feb 17, 2009, 6:58:52 PM
to twitter-deve...@googlegroups.com
Start a Google Doc or a wiki, maybe?

--

Aral Balkan

Feb 18, 2009, 4:39:02 AM
to Twitter Development Talk
Set up an initial page on the Twitter Fan Wiki (tried to get a page on
the API wiki but it seems to be read-only):

https://twitter.pbwiki.com/oauth-desktop-discussion

Put some initial thoughts on there but please feel free to modify
layout, content, etc. as you wish.

Aral

On Feb 17, 11:58 pm, Alex Payne <a...@twitter.com> wrote:
> Start a Google Doc or a wiki, maybe?
>

atebits

Feb 18, 2009, 6:48:29 PM
to Twitter Development Talk
Thanks for setting up that wiki, I just added a link to some thoughts
I had on the matter (dup'd here: http://blog.atebits.com/2009/02/fixing-oauth/)

Cameron Kaiser

Feb 18, 2009, 7:27:03 PM
to twitter-deve...@googlegroups.com
> Thanks for setting up that wiki, I just added a link to some thoughts

I'm putting some of my thoughts on there too. Hopefully others will join in.

--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com
-- Of course, what I really want is total world domination. -- Linus Torvalds -

Blaine Cook

Feb 19, 2009, 7:39:46 AM
to Twitter Development Talk
Please feel free to bring this discussion to the OAuth list, either at
the IETF (where we are currently fielding last-call for the IETF
charter) at https://www.ietf.org/mailman/listinfo/oauth or the OAuth
users' group, http://groups.google.com/group/oauth/

I'd also recommend checking out some very successful desktop
applications that use OAuth or OAuth-like flows, including Netflix on
the XBox, iMovie's YouTube integration, and any desktop Flickr
uploaders. In particular, engaging the developers of those
applications and the developers at NetFlix, YouTube, and Flickr, may
produce insights from running production services of this type. All
the relevant parties are on the OAuth lists, but may need some coaxing
to comment. ;-)

cheers,

b.

On Feb 19, 12:27 am, Cameron Kaiser <spec...@floodgap.com> wrote:
> > Thanks for setting up that wiki, I just added a link to some thoughts
>
> I'm putting some of my thoughts on there too. Hopefully others will join in.
>
> --
> ------------------------------------ personal: http://www.cameronkaiser.com/ --
>   Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com

Chris Messina

Feb 20, 2009, 12:39:33 AM
to Twitter Development Talk
To add to Blaine's comments, we would love to see folks with general
ideas or thoughts about improving OAuth's user experience contribute
to the existing OAuth wiki: http://wiki.oauth.net (also a PBWiki) or
sharing your thoughts on the OAuth mailing list(s).

The iMovie to YouTube flow that Blaine alluded to can be seen here:

http://flickr.com/photos/factoryjoe/sets/72157601300877805/

This slidedeck gives an overview of OAuth and demonstrates the Fire
Eagle flow:

http://www.slideshare.net/factoryjoe/oauth-ftw-presentation

Here's how Pownce dealt with this on the iPhone:

http://factoryjoe.com/blog/2008/07/11/oauth-for-the-iphone-pownceapp/

Looking forward to your feedback!

Chris


On Feb 19, 4:39 am, Blaine Cook <bla...@twitter.com> wrote:
> Please feel free to bring this discussion to the OAuth list, either at
> the IETF (where we are currently fielding last-call for the IETF
> charter) at https://www.ietf.org/mailman/listinfo/oauth or the OAuth
> users' group, http://groups.google.com/group/oauth/