
Twitter OAuth Beta Has Started - This is how it looks - madmotive
http://blog.inuda.com/2009/02/12/never-share-your-twitter-password-again/
======
jballanc
The real story here is that OAuth has much wider and far-reaching implications
than just Twitter apps. I think we've reached the high-water mark of the
number of logons and passwords we'll need to keep track of. I see a future not
that far off where everything from Credit and ATM transactions to your
Facebook and HN logins are all handled by OAuth.

~~~
jonursenbach
At the adoption rate it's going, I can see Facebook Connect replacing a high
amount of "secure" websites like bank accounts within the next few years; and
that's unfortunate.

~~~
AndrewDucker
I can't see banks handing over authentication to _anyone_.

------
amichail
It doesn't look like there's a mode where the app would not get any access
to private data.

Why would users trust an app that has access to their direct messages?

~~~
sh1mmer
Well Twitter only has 2 modes, public and protected.

An app can access anything public through the existing API anyway without
authentication.

The only difference here is that you can allow apps you trust to access your
private data (or functions, like sending tweets) without giving out your
password. As such it's a big step in the right direction.

Twitter apps have been one of the worst offenders for the username/password
anti-pattern because of Twitter's use of HTTP-Auth for the API.

~~~
amichail
There are benefits to having the mode I describe:

* your app can perform more API calls without IP-based rate limiting (which can be a real problem when using the Google App Engine due to shared IPs between apps)

* you can be sure that the user is who he/she claims to be (without a DM hack), which is important for some apps

------
madmotive
An extra point. Apps can choose to be read only or read/write when they are
set up. Will be interesting to see how many opt to be read only.

~~~
sh1mmer
Unless Twitter change their rate limiting model it makes sense to be read-only
still. This allows you to tap into the 100reqs/hr Twitter allocates to
users rather than using up the IP rate limiting for generic requests.

