I think Twitter’s OAuth-only Access is a Waste of Time

48 points by zmoazeni, over 14 years ago

15 comments

jackowayed, over 14 years ago
OAuth is also a huge pain for those "I just want to write a little Twitter API script in 5 minutes" things. To the extent that I've thought about writing a couple lately, but chose not to because I didn't want to deal with OAuth (and they were scripts I'd want to work in the future).

It seems like there should be some solution that lets me use basic auth for those little scripts. Maybe tell Twitter IPs from which I want to be able to use basic auth? It would be a bit of a pain since most people have dynamic IPs, but it would be better than nothing, and it would at least make it simple to run basic auth scripts on my VPS (which obviously has a static IP).
ck2, over 14 years ago
Twitter's OAuth is a total pain to implement.

If they had just upgraded to OAuth 2.0 like Facebook recently launched, I'd be happy.

Facebook's OAuth can be done in like 10-20 lines of code. Twitter's takes like 100 (in PHP+Curl).

*(essentially OAuth 2.0 just relies on https SSL instead of directly encrypting tokens via code before they are sent)*
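An added illustration of the difference discussed in the comment above (not code from the thread, from Twitter, or from any commenter): OAuth 1.0a has the client compute an HMAC-SHA1 signature over every request per RFC 5849, while an OAuth 2.0 bearer token (RFC 6750) is sent as-is and depends on TLS for protection. The host name, keys and secrets are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    # RFC 5849 section 3.6: percent-encode everything except unreserved characters
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Assumes url carries no query string; oauth_signature itself is never included
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # The key is both secrets joined by "&"; neither secret travels with the request
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(method, url, params, signature, consumer_secret, token_secret=""):
    # Server side: recompute the signature and compare in constant time
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

def bearer_headers(access_token):
    # OAuth 2.0 bearer style: no signing step, the token is a secret on the wire
    return {"Authorization": f"Bearer {access_token}"}

# Constructed sample request (placeholder host and credentials)
URL = "https://api.example.test/1/statuses/update.json"
PARAMS = {
    "status": "Hello world!",
    "oauth_consumer_key": "ck-constructed",
    "oauth_token": "tok-constructed",
    "oauth_nonce": "n0nce-constructed",
    "oauth_timestamp": "1283299200",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_version": "1.0",
}

if __name__ == "__main__":
    sig = sign("POST", URL, PARAMS, "cs-constructed", "ts-constructed")
    print("OAuth 1.0a signature:", sig)
    print("Verifies:", verify("POST", URL, PARAMS, sig, "cs-constructed", "ts-constructed"))
    print("OAuth 2.0 header:", bearer_headers("tok-constructed"))
```

Because the signature covers the method, URL and every parameter, a request altered in transit fails verification even without TLS; a bearer token offers no such binding.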
RossM, over 14 years ago
I assume xAuth was put in place for the apps that the user really only accesses directly when they need to change something - things like RSS -> Twitter reposters. In this case an app may not be able to get in touch with a user to inform them they need to authenticate using OAuth. However this could be solved by having the developer email their users to tell them they need to re-authenticate.

Is there an actual reason to use xAuth over OAuth aside from having to put users through the trouble of re-authenticating? You have to have special permission from Twitter to use xAuth but who knows how easily they hand it out.
cmelbye, over 14 years ago
This makes me quite annoyed as well. Whenever I've asked Twitter about it, they simply say "The applications still use an OAuth access token to access the API, so it's still a secure authentication option." That's not the problem. The application may have to use the access token to use the API, but there's absolutely nothing stopping them from storing the password in their databases behind the scenes.
danhak, over 14 years ago
I'll grant you that xAuth is a little convoluted. With that said, Twitter deserves credit for being unprecedentedly accommodating and transparent during the transition away from basic auth. It is obviously in their best interest not to break applications, but this hasn't stopped other social networks *cough* from yanking the rug from underneath scores of apps with little to no warning.
paulgb, over 14 years ago
I wrote a simple script to post an RSS feed that my university uses to twitter. (Actually, I hacked up Stammy's It currently has about 190 followers, but it used Basic Auth so it stopped working on Thursday.

Rather than switching to OAuth, I'm tempted to just write a mechanize script to make posts using the web interface. Has anybody tried this approach?
MichaelApproved, over 14 years ago
It's not just password security. A big part of OAuth is to control the API better. Twitter can now shut down misbehaving apps/sites by revoking their key.

Sure, you might just be able to create a new user and key if you get banned but this still gives them one more tool and a better picture of who is sending what over their network.
sleight42, over 14 years ago
Could it be that Twitter is going the route of Apple? This raises the barrier to entry just enough to keep out developers who are just goofing around.

Otherwise, no, I don't see it. I know that I'm less inclined to write a little hack to work with Twitter without basic auth.
josephholsten, over 14 years ago
Seems like this author just doesn't realize how painful migrating to OAuth is for a service provider. Of course xAuth isn't a real security improvement to HTTP Basic. But it forces everyone to support auth that isn't inherently broken. So once Twitter stops receiving many xAuth requests, they can just turn it off.

The migration to OAuth 2 will be interesting though. All the existing clients will have the right kind of structure to plug in drop in a replacement flow, but I bet there will still be a bunch of complaints. "OMG I don't want to use HTTPS! This is so hard! Who cares that I can use curl to debug now, I want programming to be drag and drop." Haters gonna hate.
bsagert, over 14 years ago
> "I just want to write a little Twitter API script in 5 minutes"

In that case you would use Out-of-band/PIN Code Authentication. See http://dev.twitter.com/pages/auth_overview.

For Pythonistas, my little Twitter API script uses tweepy.py. Thanks to http://jmillerinc.com/2010/05/31/twitter-from-the-command-line-in-python-using-oauth for the steps involved. As an exercise, you could scrape the required PIN with beautifulSoup or similar code to eliminate one step.
slava_pestov, over 14 years ago
I don't see what the big deal is. It took me a few hours to update Factor's Twitter library for OAuth -- and that included writing the OAuth support library. The whole thing is only a couple of hundred lines of code.
roelbondoc, over 14 years ago
I've created 2 small web apps that made use of Twitter and authenticated via oauth. It's been pretty simple for the most part. Since I develop in rails, I've had the pleasure of using twitter-auth for authentication.

Generally speaking though, this is a great move by Twitter in my opinion. I'm always a bit concerned when a 3rd party website asks for a username and password. In some cases I no longer provide credentials when I know a certain service provides oauth.

It might not be as easy for non-web based applications, but I'm sure things will improve in the long run.
dlsspy, over 14 years ago
I have a non-web, non-desktop based twitter app with a couple thousand users and just haven't had the time available to figure out how to get it doing newAuth.

xAuth seems like it'd work, but, as stated in the article, that involves me going through some hoops to get back to this level of security. woo.
wslh, over 14 years ago
For Java or Jython I use htmlunit in Facebook to simulate a browser in the login process, the same can be applied to twitter.
curtisspope, over 14 years ago
Yep. I agree. Overkill.