OAuth is a great way to sidestep the dilemma of having to hand over passwords to third-party sites and apps so they can access user data. This is the primary reason the authorization protocol is fast becoming a de rigueur part of today’s social APIs.
But while OAuth solves one problem, it creates another — it greatly raises the complexity of simple apps.
We’ve looked at the issue in the past, particularly with regard to Twitter’s transition to OAuth, which broke countless small scripts. The good news is that OAuth 2.0 is less complex than its predecessor and removes much of the headache for small developers. Unfortunately, OAuth 2.0 isn’t widely adopted yet, and it’s not quite ready for prime time.
But there is a solution for Twitter. SuperTweet was created by developer David Beckemeyer. The service sits between your script and Twitter, where it does the heavy lifting of OAuth for you. Even better, you don’t have to hand over your Twitter password to SuperTweet — instead, you create a separate password on the site, authorize SuperTweet to access your Twitter account through OAuth, and then point your script at SuperTweet using the same simple password-based calls it already makes.
The service isn’t meant for full-blown apps, nor does it support commercial uses. But for individuals and non-profits without the development resources to make the switch to OAuth 2.0, it can bring those simple Twitter scripts back to life.
Of course, using SuperTweet means adding another party between your script and Twitter. SuperTweet holds the OAuth access token for your account, and your script sends it a password on every call, so an outage at SuperTweet takes your script down with it, and a compromise of SuperTweet is a compromise of your account within whatever permissions that token grants. If you stop using the service, revoke its access from your Twitter settings. If you can live with that, using SuperTweet is easier than wading into OAuth’s waters.
OAuth is a great way to sidestep the dilemma of having to hand over passwords to third-party sites and apps so they can access user data. This is the primary reason the authorization protocol is fast becoming a de rigueur part of today’s social APIs. But, while OAuth solves one problem, it creates another — it greatly raises the complexity of simple apps.
OAuth assumes a particular use case — you are using a third-party service that wants to access your data on some other service. Rather than handing over your username and password, OAuth has you log in to, for example, Twitter and then authorize, for example, Twitterrific to access your data.
Where OAuth adds complexity is in the small developer use case, where “your app” and the user of your app are in fact just you — for example, a simple script that lives on your server, grabbing your Twitter stream and storing it on your own server. It’s much, much more difficult to hack up such a script using OAuth than it is with simple password authentication. The barrier to experimentation is astronomically higher with OAuth than with basic authentication.
As Microsoft’s Jon Udell points out on the O’Reilly Radar blog, this tradeoff — protected passwords at the expense of making development more complex — means that hacking together a quick experiment is now much more difficult.
Protecting passwords is good, and no one is arguing otherwise. But where OAuth falls short is in focusing on the application accessing data at the expense of the individual experimenting with their own data.
In the end, OAuth 2.0 may help ease that pain by offering an option that sends a plain bearer token over TLS instead of cryptographically signing every request, and that doesn’t require half a dozen redirects to get at your own data. OAuth 2.0 is already being implemented by Facebook and Twitter, but it isn’t widely implemented on other sites, and it’s still a moving target — as evidenced by initiatives like OpenID Connect and step2, which extend OAuth by adding in elements from OpenID. In the meantime, hacking together a script to access Twitter or other popular OAuth-based APIs is no longer just a matter of quick, late-night inspiration.
When you’re signing up for a Google account, there’s now a new button you can click on that says “Verify by signing in at Yahoo.com.” Click it, and you’re sent to Yahoo, where you’re asked to allow Google and Yahoo to link up your accounts.
Tuesday’s development marks Google’s first attempt to be an OpenID relying party — a website that accepts OpenID logins from third-party providers. Also, this only works for Yahoo users for now, but Google says it’s going to start offering support for other OpenID providers soon.
On the surface, this may look like an attempt by Google to poach users away from Yahoo by making it even easier for them to switch. In fact, it’s a real-world example of the type of interoperability that OpenID has been promising to bring to the open web for some time.
Twitter is killing support for basic user authentication in third-party apps on Tuesday morning, the company says. Instead, Twitter will now require all third-party app developers to use OAuth for user authentication.
This is a planned move Twitter first announced in December, and the company has posted a help page on its developer site with some resources meant to ease the transition to OAuth.
The Twitter API team has been dialing down the number of requests an app can make using the basic authentication method. That number will hit zero at 8AM Pacific time Tuesday.
Some bloggers have given the event the catchy name, “OAuthcalypse” — a bit of a mouthful, but so is “user authentication protocol” — the implication being that when basic authentication is switched off, it will break old software and leave users in the dark. But since Twitter has given developers ample warning of the change, the switch will only lock out a small number of apps.
Twitter’s move mirrors a broader trend on the social web, where basic authentication is being ditched for the more secure OAuth when services and applications connect users’ accounts.
In basic authentication, a website or app will say, “Hey, do you want to share whatever you’re doing here with your friends on Twitter? Give me your Twitter username and password and I’ll hook up your accounts.” By passing along your info, you’re giving that app or website unlimited access to everything in your Twitter account, and the only way to take that access back is to change your password, which breaks every other app you gave it to. Pretty dangerous, and not secure.
In OAuth, the website or app sends you to Twitter, where you sign in yourself and approve the request. Twitter then hands the app an access token at the permission level you approved — read-only, or read and write — and the app never sees your password. The token only lets the app do what that permission level allows (post, read, reply, search), it stays locked out of the more sensitive stuff such as changing your password or e-mail address, and you can revoke it from your Twitter settings without touching your password or any other app.
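To make concrete what the “simple password authentication” above and an OAuth-signed request actually look like on the wire (and why the latter is so much harder to hack together in a late-night script), here is an added example in Python. It is not code from the article, from Twitter or from SuperTweet. It builds a basic-auth header, then an OAuth 1.0a HMAC-SHA1 `Authorization` header for a status update, and finally the check a server performs on receipt: recompute the signature over the same parameters, bound the timestamp, and reject a repeated nonce. The consumer key, token, nonce, timestamp and status text are the sample values Twitter published in its signing documentation for the old `/1/` endpoint, used here as constructed test data (they are not live credentials); the helper names (`pct`, `signature_base_string`, `verify_request`) and the 300-second clock window are this example’s own choices.

```python
"""Basic auth versus an OAuth 1.0a HMAC-SHA1 signed request, plus the server-side check.

Added example; not code from the original article, from Twitter or from SuperTweet.
Sample credentials below are Twitter's published documentation values (constructed
test data, not live secrets); everything else is this example's own design.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, unquote

# Twitter's documented sample request for the retired /1/ endpoint (constructed test data).
CONSUMER_KEY = "xvz1evFS4wEEPTGEFPHBog"
CONSUMER_SECRET = "kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw"
TOKEN = "370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb"
TOKEN_SECRET = "LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE"
URL = "https://api.twitter.com/1/statuses/update.json"
BODY = {"status": "Hello Ladies + Gentlemen, a signed OAuth request!", "include_entities": "true"}
NONCE = "kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg"
TIMESTAMP = 1318622958


def basic_auth_header(user: str, password: str) -> str:
    """Basic auth: the real password rides along on every single request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def pct(value) -> str:
    """OAuth percent-encoding (RFC 5849 3.6): only RFC 3986 unreserved chars survive."""
    return quote(str(value), safe="~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """RFC 5849 3.4.1: METHOD & enc(url) & enc(sorted encoded k=v pairs joined by &)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret) -> str:
    """Key is consumer_secret&token_secret; value is base64 of the HMAC-SHA1 digest."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def oauth_header(method, url, body, consumer_key, consumer_secret, token, token_secret,
                 nonce=None, timestamp=None) -> str:
    """Client side: body/query params and every oauth_* param are covered by the signature."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = hmac_sha1_signature(
        method, url, {**body, **oauth}, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))


def parse_oauth_header(header: str) -> dict:
    """Inverse of oauth_header: 'OAuth k="v", k="v"' -> dict with values decoded."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth header")
    out = {}
    for part in header[len("OAuth "):].split(", "):
        k, v = part.split("=", 1)
        out[unquote(k)] = unquote(v.strip('"'))
    return out


def verify_request(method, url, body, header, consumer_secret, token_secret,
                   seen_nonces: set, now: int, window: int = 300) -> bool:
    """Server side: recompute the signature, bound the clock skew, reject nonce replay."""
    oauth = parse_oauth_header(header)
    provided = oauth.pop("oauth_signature", "")
    if oauth.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    if abs(now - int(oauth.get("oauth_timestamp", "0"))) > window:
        return False  # stale or future-dated request
    expected = hmac_sha1_signature(method, url, {**body, **oauth}, consumer_secret, token_secret)
    if not hmac.compare_digest(provided, expected):
        return False  # tampered parameters or wrong secrets
    nonce_key = (oauth["oauth_timestamp"], oauth["oauth_nonce"])
    if nonce_key in seen_nonces:
        return False  # same (timestamp, nonce) seen before: replay
    seen_nonces.add(nonce_key)
    return True


def sample_header() -> str:
    """The signed header for Twitter's documented sample request."""
    return oauth_header("POST", URL, BODY, CONSUMER_KEY, CONSUMER_SECRET, TOKEN, TOKEN_SECRET,
                        nonce=NONCE, timestamp=TIMESTAMP)


if __name__ == "__main__":
    print(basic_auth_header("alice", "s3cret"))
    print(sample_header())
```

The contrast is the whole point of the article: the basic-auth header is one line and carries the password itself, while the OAuth header requires normalizing every parameter, percent-encoding twice, keeping a clock roughly right and generating a fresh nonce per request, and the server must do all of that again before it trusts the call. Note also that `verify_request` keys its replay cache on the (timestamp, nonce) pair, so the cache only needs to remember the last `window` seconds.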
Cliqset completed a significant upgrade to its social sharing website Wednesday.
The site now fully integrates Twitter, and it has refined its aggregation system so you get a much more streamlined, easy-to-digest view of your friends’ activities across multiple social sites.
There are literally dozens of changes, both visible and behind-the-scenes, in the new Cliqset. We’ve been testing out the new version (the company is half-jokingly calling it “Cliqset 2.0”) since midday Tuesday, and we’ve found the site has been given a significant boost that makes its aggregation features both more usable and more useful. The changes should be appearing for everyone on Cliqset sometime Wednesday morning.
Cliqset is a social network in itself, complete with followers, status updates and media sharing. But its sweet spot is as an aggregation service. It funnels all of the posts from the people you follow on the web into one single stream. It pulls in Twitter tweets, photos from your Flickr contacts, posts from your Tumblr network, updates from your friends on Facebook, Google Buzz, Yelp, YouTube, Google Reader — Cliqset connects to over 80 services in all.
Here’s one really cool new innovation: When you’re following somebody across multiple social networks and aggregating their posts in one place, you’re going to get a lot of duplicates. The new Cliqset filters out those dupes.
“If somebody’s on three different networks, we’ll know that,” Cliqset co-founder Darren Bounds tells Webmonkey. “We’ll consolidate their posts, de-duplicate the posts, refine them.”