Current OAuth DM 'bug/hole' being reported? Any official response?


kosso

Jun 10, 2011, 12:59:40 PM
to Twitter Development Talk
It's come to a few people's (and blogs') attention that apps
'advertised' as (on the OAuth login page) having R/W access only (i.e.
no DM) are able to get DM access.

I'm assuming that since the change/restrictions were pushed back from
June 1st to June 14th (or June 30th - depending on which official
announcement you read: here or on dev.twitter.com) that the text
saying what access level an app has should be taken with a pinch of
salt until the change is enforced.


Can someone at Twitter please respond ASAP? People are calling foul at
TechCrunch and Mashable, etc.

Thanks
@Kosso

Matt Harris

Jun 10, 2011, 4:08:14 PM
to twitter-deve...@googlegroups.com
Hi kosso,

Thanks for asking this question. If you go through the OAuth flow now you will notice that we have updated the text to better clarify what information applications will or will not have access to during this permission model transition period.

We've also released the other requested updates to the OAuth flow. These are:

* standardized the language on the screens and API responses to 'direct message' to better relate to the functionality and the API paths it's connected to. 
* added support for the force_login parameter to the /authorize flow.
* added a link/button on the cancel page that calls the application callback with a denied parameter. This allows users who are in the web view to get back to your application without completing the authorization process.
* improved the OAuth screens on phones unable to support the new ones.

As a reminder, the enforcement date for the new permission is the 30th June. On this date all R/W tokens will lose the ability to read and delete direct messages. 

Applications requiring DM access are encouraged to transition the requested permission level setting of their applications prior to the cut off date.

If you do not need to read or delete direct messages you do not need to update your application.

Updates and the FAQ for the new permission model can be found on our developer resources site:
and

Best,
----
@themattharris
Developer Advocate, Twitter





--
Twitter developer documentation and resources: https://dev.twitter.com/doc
API updates via Twitter: https://twitter.com/twitterapi
Issues/Enhancements Tracker: https://code.google.com/p/twitter-api/issues/list
Change your membership to this group: https://groups.google.com/forum/#!forum/twitter-development-talk
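
A callback handler for the `denied` parameter behaviour listed in Matt Harris's reply above, as an added example that is not part of the thread or Twitter's own code. It assumes the `denied` value is the request token the user declined and that approvals arrive as `oauth_token` plus `oauth_verifier`; `handle_callback`, `PENDING` and the sample tokens are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# Request tokens this app issued and is still waiting on (constructed samples).
# A real app would keep these server-side, bound to the user's session.
PENDING = {"reqtok-abc": "session-1", "reqtok-xyz": "session-2"}


def handle_callback(url, pending):
    """Classify an OAuth 1.0a callback hit and retire the request token.

    Returns (outcome, token); outcome is "denied", "approved" or "rejected".
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def single(name):
        # Repeated parameters are ambiguous, so treat them as absent.
        values = params.get(name, [])
        return values[0] if len(values) == 1 else None

    has_grant = "oauth_token" in params or "oauth_verifier" in params
    if "denied" in params and has_grant:
        return ("rejected", None)        # the flow never sends both kinds

    if "denied" in params:
        denied = single("denied")        # assumption: the declined request token
        if denied in pending:
            del pending[denied]          # never exchange a declined token
            return ("denied", denied)
        return ("rejected", None)        # not a token we issued

    token, verifier = single("oauth_token"), single("oauth_verifier")
    if token in pending and verifier:
        del pending[token]               # one-shot: a replayed callback fails
        return ("approved", token)
    return ("rejected", None)
```

Only an "approved" result should go on to the access-token exchange; "denied" returns the user to the application with no token stored.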
