Twitter’s OAuth Implementation

Ars Technica has an interesting article on Twitter’s now-mandatory OAuth implementation. The article describes the OAuth system and challenges for implementors pretty well, so I won’t rehash them here. I wrote an implementation of OAuth for a previous employer and indeed ran into many of the challenges described in the article, particularly around how to protect the Consumer Key and Consumer Secret in client software that was distributed to end-users.

In the end, it was very clear that OAuth was a good solution to the problem it tackles, allowing an end user of a service to delegate access to his own online resources at that service to a third party without sharing his credentials with that third party, but for server-side communication. We were shipping a Flash-based client that embedded Consumer Keys and Secrets, but ultimately determined we couldn’t rely on them alone as any sort of guarantee of what service (“consumer”) was asking for access to ours on behalf of a mutual end-user, for the exact reasons discussed in the article. It’s a shame that Twitter made these poor choices that will probably hamper developers of Twitter clients and the service’s end-users alike, and likely be an (undeserved) hit to OAuth’s reputation in the developer community.
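To make the point concrete, here is an added example (not code from this post, from Twitter, or from the author's former employer) of the OAuth 1.0a HMAC-SHA1 signing and verification flow as specified in RFC 5849, with constructed consumer and token credentials and a hypothetical `Server` class standing in for the service provider. The server's check is purely "was this request signed with the Consumer Secret and token secret I have on file": two different programs holding the same embedded key and secret produce requests the server cannot tell apart, which is exactly why an embedded Consumer Key identifies a credential rather than the software that presents it. The nonce and signature checks still do their job (replays and tampered parameters are rejected); they just say nothing about which program signed.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlparse


def pct(s: str) -> str:
    """RFC 3986 percent-encoding as required by OAuth 1.0a (only -._~ stay literal)."""
    return quote(str(s), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Build the OAuth 1.0a signature base string: METHOD & base-URL & normalized params."""
    parsed = urlparse(url)
    base_url = f"{parsed.scheme.lower()}://{parsed.netloc.lower()}{parsed.path}"
    # Query-string parameters are signed alongside the oauth_* and body parameters.
    all_params = list(params.items()) + parse_qsl(parsed.query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in all_params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 over the base string, keyed with consumer_secret&token_secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_request(method, url, consumer_key, consumer_secret, token, token_secret, extra=None):
    """What any client (official or not) does with a consumer key/secret and a user's token."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    params.update(extra or {})
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return params


class Server:
    """Hypothetical service provider: knows consumer secrets and token secrets, tracks nonces."""

    def __init__(self, consumers: dict, tokens: dict):
        self.consumers = consumers      # consumer_key -> consumer_secret
        self.tokens = tokens            # oauth_token -> (token_secret, user)
        self.seen_nonces = set()

    def verify(self, method: str, url: str, params: dict):
        """Return (consumer_key, user) if the request checks out, else None."""
        ck, tok = params.get("oauth_consumer_key"), params.get("oauth_token")
        if ck not in self.consumers or tok not in self.tokens:
            return None
        nonce_key = (ck, params.get("oauth_nonce"), params.get("oauth_timestamp"))
        if nonce_key in self.seen_nonces:
            return None                 # replayed request
        token_secret, user = self.tokens[tok]
        expected = sign(method, url, params, self.consumers[ck], token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return None                 # wrong secret or tampered parameters
        self.seen_nonces.add(nonce_key)
        return (ck, user)


def demo():
    # Constructed credentials for illustration only (not real Twitter values).
    consumer_key, consumer_secret = "embedded-client-key", "embedded-client-secret"
    token, token_secret = "alice-access-token", "alice-token-secret"
    server = Server({consumer_key: consumer_secret}, {token: (token_secret, "alice")})
    url = "https://api.example.test/1/statuses/update.json?include_entities=true"

    # The shipped client and any other program holding the same embedded key/secret
    # produce requests the server attributes to the very same consumer.
    official = build_request("POST", url, consumer_key, consumer_secret, token, token_secret, {"status": "hello"})
    other = build_request("POST", url, consumer_key, consumer_secret, token, token_secret, {"status": "hello"})
    official_result = server.verify("POST", url, official)
    other_result = server.verify("POST", url, other)

    # Integrity still holds: a parameter changed after signing fails verification ...
    tampered = build_request("POST", url, consumer_key, consumer_secret, token, token_secret, {"status": "hello"})
    tampered["status"] = "changed after signing"
    tampered_result = server.verify("POST", url, tampered)
    # ... and a resubmitted request is caught by the nonce/timestamp record.
    replayed_result = server.verify("POST", url, official)
    return official_result, other_result, tampered_result, replayed_result


if __name__ == "__main__":
    print(demo())
```

The design consequence is the one the post draws: a service can treat a Consumer Key as evidence of *which* application is calling only when the matching secret lives on a server the application's operator controls. For a key shipped inside a desktop, mobile or Flash client, the provider should limit what the key alone unlocks and rely on the user-approved token for authorization.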

Good to see Ars digging deep on such a technical issue and not shying away from writing about it.
