Thursday, January 27, 2011

On taking a mile, sacrificing your children and OAuth

For some time, I’ve been grumbling to anyone who would listen about the limitations in Twitter’s use of OAuth, particularly as more third-party services emerge using Twitter for authentication. The issue was covered by Tom Scott in a piece in The Guardian in December. Last night, Nicole Harris pointed me at a post by Zach Holman, OAuth Will Murder Your Children, which articulates the problem far better (and more amusingly) than I could ever manage. Zach says:

When I brought this up briefly over a few tweets a week ago, I got mostly reasonable agreement in response, mixed in with a few “but then it will be harder to develop applications”.

Tough shit. That’s why we have if statements.

This stuff is a big deal. If a user doesn’t want some superficial Kanye West app to read and download all of her private direct messages, she should be able to expressly restrict that.

It seems to me that some of the services using Twitter for authentication don’t require even read access to your Twitter feed, let alone read/write access; some may only want to read following/follower lists; in some cases, all they need is confirmation that you are the owner of that Twitter account. As Zach highlights, the solution is for Twitter to offer a more granular permissions system and for apps to use it, requesting permissions appropriate to their function, rather than adopting an “I’ll take a mile” default position.
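As an added illustration, not from the post and not Twitter's own API, here is a small Python model of the granular permission scheme the post argues for: an app computes the minimal scopes its calls need, an audit flags any "take a mile" surplus in what it requests, the user may narrow the grant at authorization time, and the resource side enforces the scope with a plain if statement. The scope names and endpoint names are assumptions for the example.

```python
from __future__ import annotations

# Hypothetical granular scopes (assumption: Twitter offered only "read" or
# "read/write" at the time; these finer scopes show what the post asks for).
SCOPES = frozenset({"identity", "read:timeline", "read:followers", "read:dm", "write"})

# Which scope each (hypothetical) API endpoint requires.
ENDPOINT_SCOPE = {
    "verify_credentials": "identity",
    "home_timeline": "read:timeline",
    "followers_list": "read:followers",
    "direct_messages": "read:dm",
    "update_status": "write",
}


def minimal_scopes(endpoints_used: set[str]) -> frozenset[str]:
    """Least-privilege request: only the scopes the app's calls actually need."""
    return frozenset(ENDPOINT_SCOPE[e] for e in endpoints_used)


def excess_scopes(requested: set[str], endpoints_used: set[str]) -> frozenset[str]:
    """Scopes an app asks for but never exercises: the 'take a mile' surplus."""
    return frozenset(requested) - minimal_scopes(endpoints_used)


def issue_token(requested: set[str], user_approved: set[str]) -> frozenset[str]:
    """Authorization step: unknown scopes are rejected; the user may narrow the grant."""
    unknown = set(requested) - SCOPES
    if unknown:
        raise ValueError(f"unknown scopes requested: {sorted(unknown)}")
    return frozenset(requested) & frozenset(user_approved)


def call_api(token_scopes: frozenset[str], endpoint: str) -> bool:
    """Resource-side check (the 'if statement'): deny unless the token carries the scope."""
    required = ENDPOINT_SCOPE[endpoint]
    if required not in token_scopes:
        raise PermissionError(f"{endpoint} requires scope {required!r}")
    return True


if __name__ == "__main__":
    # A "log in with Twitter" service only ever verifies who you are.
    login_app = {"verify_credentials"}
    print("needs:", sorted(minimal_scopes(login_app)))
    print("surplus if it asks for everything:", sorted(excess_scopes(SCOPES, login_app)))
    token = issue_token({"identity", "read:dm"}, {"identity"})  # user strips read:dm
    print(call_api(token, "verify_credentials"))
    try:
        call_api(token, "direct_messages")
    except PermissionError as err:
        print("denied:", err)
```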

I currently take the approach of refusing to use services that request unnecessary permissions through Twitter OAuth. For apps like Twitter clients which I want to write data on my behalf, yes, it’s fine; but for many other cases, I see no reason why they need the permissions they request. If that means that I miss out on services like Lanyrd, which I don’t doubt may be useful to me, then so be it. I’m no longer willing to acquiesce in propping up an approach which is fundamentally broken - and could quite easily be fixed.