Saturday, July 25, 2009

Making the case for shared authorization in twitter

Currently there are a few methods available to authenticate users on 3rd party sites via twitter, I'd like to make a strong case for two of these.

  • The simplest solution is for a 3rd party site to ask for your twitter username and password so that they can access the account via the twitter API and do whatever is necessary, e.g. post messages on your behalf. This will work until you change your password.
  • The second solution is to ask for the username only, have you follow them and send you a DM with a secret token that you can enter on their web page. This is a rather smart solution if the site has to check that you are actually who you claim to be, but the site doesn't get access to the account via the twitter API and cannot post messages or change settings. For sites that gather statistics this may be sufficient nonetheless.
  • The third solution is to redirect the page to a twitter API URL that then asks you to log in and gives the site feedback that the account has logged in. This means that the site cannot keep your credentials and e.g. post messages, but it can access data from your account after the login. Due to the way a browser caches login/passwords, you cannot logout unless you close your browser. However it may be possible to logout by redirecting to a logout URL (I haven't checked if that works with twitter)
  • The fourth solution is to OAuth, this basically means that the 3rd party site sends a challenge to which returns with a authentication reply after it has asked you if you want to allow the 3rd party site to access your account after you have logged in. This means that the site can access your account and even post messages with knowing the password, since the site can keep the authentication token even after you have logged out. When you do not want a service to access your account anymore, you can block the application in the twitter settings. However most sites drop the authentication when their session expires, so you will be asked the next time for confirmation again.

Depending on what services a site offers, the choice of each of the methods makes sense, I would prefer sites that do not require the user to disclose the account password, however some very prominent sites currently do (e.g.

When using a 3rd party site that asks you for your password, you have one important issue: if you are using a tool for phishing protection like pwdhash, the password will not be the same on the alternate site, so you have to calculate the pw hash in advance and enter it manually, the same would work with OAuth since the password is only entered on the actual site.

No comments: