Calling all Twitter tool providers to implement OAuth

01 Jun

OAuth has rightly gained lots of popularity these days, and even given the current session fixation issues, I’m a strong fan of the delegated access control it promotes and helps implement.

One of the prominent service providers offering OAuth-based authentication is… Twitter. As more and more people are using Twitter as a personal and professional communication tool, I’m wondering why many of the additional third-party services have not yet implemented OAuth-based authentication. I don’t know about you, but I’m getting slightly annoyed when an independent (often poorly designed) web site asks me to enter my full Twitter credentials. They all promise not to cache or store my username and password, but still, it does not feel right. Some don’t even use an SSL-encrypted HTTP connection when collecting my credentials.

Today I’d like to encourage all third-party Twitter services to jump onto the OAuth bandwagon and offer their users a secure and trusted way to delegate access control.
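The delegated access the post is asking for, shown as an added example that is not part of the original post or of Twitter's own code: OAuth 1.0a HMAC-SHA1 request signing as the Twitter API uses it, where the third-party tool signs each API call with its consumer secret and the user's token secret and never touches the user's password, and the provider recomputes the signature to verify the call. The consumer key, token, nonce, secrets and the endpoint URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    """Percent-encode as OAuth 1.0a requires (RFC 3986: only unreserved characters stay)."""
    return quote(str(value), safe="~")

def signature_base_string(method, url, params):
    """Encode, sort and join every request parameter, then glue method, URL and params."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    """Key = consumer secret & token secret. The user's Twitter password is never involved."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def authorization_header(method, url, oauth_params, body_params, consumer_secret, token_secret):
    """Third-party tool side: build the Authorization header for one signed API call."""
    base = signature_base_string(method, url, {**oauth_params, **body_params})
    signed = {**oauth_params, "oauth_signature": hmac_sha1_signature(base, consumer_secret, token_secret)}
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(signed.items()))

def verify_signature(method, url, oauth_params, body_params, consumer_secret, token_secret, presented):
    """Provider side: recompute from the secrets on file; a revoked or rotated token fails here."""
    base = signature_base_string(method, url, {**oauth_params, **body_params})
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)

# Constructed placeholder values, not real Twitter credentials; the endpoint URL is illustrative.
SAMPLE_URL = "https://api.twitter.com/1.1/statuses/update.json"
SAMPLE_OAUTH = {
    "oauth_consumer_key": "example-consumer-key",
    "oauth_nonce": "fixednonce123",          # must be unique per request in real use
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1243900800",         # fixed here so the output is reproducible
    "oauth_token": "example-access-token",   # obtained through the OAuth authorization flow
    "oauth_version": "1.0",
}
SAMPLE_BODY = {"status": "Hello OAuth!"}
CONSUMER_SECRET = "example-consumer-secret"
TOKEN_SECRET = "example-token-secret"

if __name__ == "__main__":
    print(authorization_header("POST", SAMPLE_URL, SAMPLE_OAUTH, SAMPLE_BODY, CONSUMER_SECRET, TOKEN_SECRET))
```

Because the signing key is the token secret rather than the password, the user can revoke one tool's token at Twitter without changing the password or affecting any other tool.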

And here is my list of services that do not currently offer OAuth (and that I’m no longer going to use unless they do):

  • Twellow: Asks for username and password. No secure HTTP POST.
  • TweetLater: Asks for username and password. No secure HTTP POST.
  • MrTweet: Asks for username and password. No secure HTTP POST.
  • GroupTweet: Asks for username and password. No secure HTTP POST.
  • Twitter Scheduler: Asks for username and password. No secure HTTP POST.

I don’t want to finish this post without giving outstanding, positive examples of doing it right: Check out WeFollow and TwitterCounter.

I’ll update this list accordingly: I will add service providers that don’t do it right and move those that switch to OAuth off this hall of shame.

Which 3rd party Twitter services are you using? Please submit via the comments!

Update: We have decided to publish the post over at The Next Web. You might want to follow the discussion there, too!

1 reply
  1. Tom says:

    I think HootSuite should be on the list. The first thing you see after signing up is a form asking for Twitter login and password. It was the last thing I saw, as I closed the browser window.

    Another positive example, though: CoTweet appears to be doing it right. While they were using the password anti-pattern before, now they even have a button to convert an existing password-based account to an OAuth-based one.


© Copyright 2017 by Ralf Rottmann.