One of the things we've been saying about OAuth all along is that we'll be improving the desktop application experience. Well, the time is here for the first re-visit. As part of out changes for OAuth version 1.0a  I have been looking at how this is going to work and there is going to need to be a change that will not be backward compatible. Some of this is already coded and waiting to go, and some of it is in-progress. I expect we will deploy this the end of next week or the beginning of the following one in order to allow you to have a minimum of 7 days to make changes. These only effect desktop applications so the majority of OAuth applications are not affected. Here are the expected changes:
1. If your application is registered as a desktop application callbacks will not be supported.
Workaround: Visit your application details page to change the application type and provide a default callback URL.
Details: Dynamic callbacks are currently disabled for all applications. With changes for 1.0a  will re-enable dynamic callback support but applications registered as 'desktop' will not support this. When requesting a request token the you will get an error saying that callbacks are not supported in desktop applications. This is to prevent stealing of tokens created with a PIN (see #2) by webapps re-using the freely available desktop consumer key and secret.
2. If your application is registered as a desktop application there will be a PIN the user must enter in your application
Details: In the current code desktop applications end in a dead-end page. This new flow will give the user a PIN that they enter in the application and that must be provided to swap a request token for an access token. This will help secure tokens for desktop applications since the security of the consumer key and secret cannot be relied upon.
Feedback: We are planning to make this a required step but I am open to discussion if anyone feels there is a compelling case for desktop applications without a PIN. Email me directly with feedback.
3. If your application is registered as a desktop application you will not be able to use the 'Sign in with Twitter' functionality.
Details: 'Sign in with Twitter' requires a callback URL which will not be allowed per #1 above.
We're working to make sure we provide OAuth interfaces wherever possible. Desktop applications was a definite problem that needed some fixing. Close behind that is mobile web which is currently being looked at by a group reviewing all of m.twitter.com
. If you have any objections to the changes above, or some reason that you don't think it will work, please feel free to email me directly.
– Matt Sanford / @mzsanford