Twitter and The Case Against oAuth

Posted on August 20, 2009 10:00 in Problems & Solutions, Software

So I’m a big supporter of OpenID and oAuth, but sometimes I have to agree with big companies like Google that these technologies are really confusing to end users. The problem is that people don’t understand these technologies, and while they shouldn’t have to, that lack of understanding does allow some people to take advantage of the less tech-savvy amongst us.

Take Twitter, for example, which fairly recently finally added oAuth to its product so that we no longer have to give out our username and password to every funny little Twitter tool. Twitter’s implementation has no granularity in the oAuth authorisation, which leads to people signing away full read/write permission to their account just to use their Twitter account to log in to a game.

Yes, you read that right: developers use Twitter’s oAuth to let people authenticate themselves. It seems not everyone understands the difference between authentication and authorisation. This obviously leads to some developers abusing this newfound power to do evil, much like the early Facebook App developers used the permissions they got from you to spam all your friends with invites to come and join that app you looked at once.

I agree that oAuth is a great technology, but it is inevitably going to get a bad name when companies like Twitter don’t implement it correctly. We could go and educate the user, but I think that’s an impossible undertaking that is better avoided. oAuth (and OpenID similarly) faces a real user-experience problem that needs to be solved. I guess I’m not the first one talking about this, but I’m wondering if there even is a solution.
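To make the granularity point concrete, here is an added example (not code from this post, from Twitter, or from any OAuth library) that models an authorisation server issuing scoped tokens and a resource server checking the one scope each call needs; the scope names `identity`, `read` and `write` are assumed for illustration. A game that only wants to know who you are gets a token that cannot post, whereas a Twitter-style all-or-nothing grant can.

```python
from dataclasses import dataclass
import secrets
# Scope names are assumed for this illustration. Twitter's 2009 OAuth had no
# such granularity: every grant was the equivalent of ALL_ACCESS.
IDENTITY = "identity"   # enough to answer "who is this user?" (authentication)
READ = "read"           # read timelines
WRITE = "write"         # post statuses (authorisation to act on the account)
ALL_ACCESS = frozenset({IDENTITY, READ, WRITE})

@dataclass(frozen=True)
class AccessToken:
    user: str
    scopes: frozenset

class AuthorizationServer:
    """Issues tokens carrying exactly the scopes the user consented to."""
    def __init__(self):
        self._tokens = {}

    def authorize(self, user, requested):
        token = secrets.token_hex(16)
        self._tokens[token] = AccessToken(user, frozenset(requested))
        return token

    def introspect(self, token):
        return self._tokens.get(token)

class ResourceServer:
    """Each endpoint demands the one scope it needs, never the whole account."""
    def __init__(self, auth):
        self._auth = auth

    def whoami(self, token):
        return self._require(token, IDENTITY).user

    def post_status(self, token, text):
        return f"{self._require(token, WRITE).user}: {text}"

    def _require(self, token, scope):
        tok = self._auth.introspect(token)
        if tok is None or scope not in tok.scopes:
            raise PermissionError(f"token lacks scope {scope!r}")
        return tok

def can_post(api, token):
    try:  # a sign-in-only token must fail here
        api.post_status(token, "hello")
        return True
    except PermissionError:
        return False
```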

  • http://www.ourgeeklife.com James Bowman

    Great article. Thank you for putting your thoughts out there. One question: What did Facebook do to curb the abuse?

    • http://cristianobetta.com Cristiano Betta

      Very good question! Facebook had a similar problem when they initially released apps. As an app developer you could ask for permission as the user authorised the application. The communication in this was a bit vague, which led to a lot of app developers requesting all permissions even if they didn’t need them, and people giving these permissions without thinking about them properly.

      In the new version of Facebook apps (little more than a year old now) the basic authorisation is more like an authentication. Most of the extra cool permissions (right to send emails, right to post status updates, etc.) need to be explicitly requested. We at Nudge Social Media always like to request these permissions as close as possible to the event where you need them, giving the user a perfect context of why you are asking for the permission to, e.g., “upload a photo to their albums”.

  • http://reinier.zwitserloot.com/ Reinier Zwitserloot

    Possibly there just is no true educating the public; they just have to form a basic trust with their app, and they need to continue to understand that an OAuth authorization is still a fairly big deal.

    In such a world, OAuth is a good solution: I no longer need to store your raw, unhashed Twitter password in my Twitter-using app’s DB, which might get lost, and which won’t sync up when you change your password.

    If OAuth is being hyped primarily because it allows you to give away some rights but not others, then Twitter is a bad thing, but I don’t see so much of that myself.