Twitter Moves to OAuth: The OAuthcalypse Is Nigh
Twitter is killing support for basic user authentication in third-party apps on Tuesday morning, the company says. Instead, Twitter will now require all third-party app developers to use OAuth for user authentication.
This is a planned move Twitter first announced in December, and the company has posted a help page on its developer site with some resources meant to ease the transition to OAuth.
The Twitter API team has been dialing down the number of requests an app can make using the basic authentication method. That number will hit zero at 8AM Pacific time Tuesday.
Some bloggers have given the event the catchy name, “OAuthcalypse” — a bit of a mouthful, but so is “user authentication protocol” — the implication being that when basic authentication is switched off, it will break old software and leave users in the dark. But since Twitter has given developers ample warning of the change, the switch will only lock out a small number of apps.
Twitter’s move mirrors a broader trend on the social web, where basic authentication is being ditched for the more secure OAuth when services and applications connect users’ accounts.
In basic authentication, a website or app will say, “Hey, do you want to share whatever you’re doing here with your friends on Twitter? Give me your Twitter username and password and I’ll hook up your accounts.” By passing along your info, you’re giving that app or website unlimited access to everything in your Twitter account. Pretty dangerous, and not secure.
In OAuth authentication, the website or app will send you to Twitter where you sign yourself in, then Twitter will tell the website or app “Yeah, they are who they say they are.” The website or app only gains the ability to do certain things with your account — post, read, reply, search — while staying locked out from the more sensitive stuff.
The biggest advantage of OAuth is you don’t have to tell your Twitter password to anyone other than Twitter. Also, OAuth connections are token-based, so once a connection is established, you can change your Twitter password without having to re-enter it into the website or app.
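To make the contrast concrete, here is an added example in Python (not code from the article, from Twitter, or from any OAuth library): a Basic header that hands the app your password, beside the OAuth 1.0 request signing Twitter used at the time (RFC 5849, HMAC-SHA1) and the provider-side check that accepts a request by its token alone. The Twitter URL, token values and secrets in the test are constructed placeholders, not real credentials.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def oauth_encode(s: str) -> str:
    """RFC 5849 s.3.6 percent-encoding: only RFC 3986 unreserved chars stay raw."""
    return quote(str(s), safe="-._~")


def basic_auth_header(username: str, password: str) -> str:
    """HTTP Basic: the account password rides along in every request."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def recover_basic_password(header: str) -> str:
    """base64 is encoding, not encryption: whoever sees the header has the password."""
    user_pass = base64.b64decode(header.split(" ", 1)[1]).decode()
    return user_pass.split(":", 1)[1]


def oauth1_base_string(method: str, url: str, params: dict) -> str:
    """Signature base string (RFC 5849 s.3.4.1): METHOD & url & sorted encoded params."""
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(url), oauth_encode(normalized)])


def oauth1_sign(method, url, params, consumer_secret, token_secret) -> str:
    """HMAC-SHA1 over the base string, keyed with consumer secret & token secret.
    The request carries oauth_token and this signature, never the user's password."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    digest = hmac.new(key, oauth1_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(digest.digest()).decode()


def verify_oauth1(issued: dict, method, url, params, consumer_secret, signature):
    """Provider side: look up the token's secret, recompute, compare in constant time.
    `issued` maps oauth_token -> (username, token_secret); deleting an entry revokes
    that app without touching the password. Returns the username or None."""
    record = issued.get(params.get("oauth_token"))
    if record is None:
        return None
    username, token_secret = record
    expected = oauth1_sign(method, url, params, consumer_secret, token_secret)
    return username if hmac.compare_digest(expected, signature) else None
```

Nothing in the OAuth path takes the account password as input, which is why changing it leaves existing tokens working while revoking one token cuts off exactly one app.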
The only disadvantage is that old apps that haven’t updated to use OAuth will stop working this week. All of the popular ones (Seesmic, Tweetdeck, etc.) have already updated.
Twitter has been recommending developers use OAuth as an authentication method for some time.
Almost all of the biggest social services, including Facebook and Yahoo, use OAuth to connect their social services together and to let users share photos, status updates and links in multiple places.
In fact, Facebook’s new Like buttons and its Social Graph API, launched in April, use the newer OAuth 2.0 to handle user authentication.
OAuth 2.0 is a simplified version of OAuth. Twitter plans to eventually move to OAuth 2.0 for its entire platform, and Tuesday’s switch is part of that broader transition.
Twitter was originally going to move to OAuth in June, but the transition was delayed because of the increased volume of tweets around the World Cup.
Real-time search link via Dave Winer