
What people don't understand about OAuth
By Dave Winer on Saturday, September 11, 2010 at 6:01 PM.

Here's a key point a lot of people don't get about OAuth.

When you grant an application access with OAuth, you are giving them the same power you would with your username and password.

The main difference is that instead of a password that was chosen by you, a secret key generated by Twitter gives them access to your account. They can still add or remove followers, send DMs on your behalf, or post tweets or replies. When you give an app permission with OAuth they get to be you on Twitter, exactly as if you had given them your password.

True, each app gets a different secret key, so you can de-authorize one app without de-authorizing all. That's the advantage that OAuth gives users. Sure, it has some value. But it's a convenience, it doesn't add security.
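To make the two preceding paragraphs concrete, here is a toy model of a Twitter-like provider, written for this page as an added example (it is not code from the original post, and the provider, account and session names are hypothetical). It shows that a session opened with a per-app secret key has exactly the same set of actions available as a session opened with the password, and that the one thing the per-app key adds is the ability to revoke a single app while the others keep working. It goes slightly beyond the post in one respect: each action records which app performed it, which is what lets a user or operator audit what an authorized app actually did.

```python
"""Toy OAuth-style provider: per-app tokens carry the same authority as the
account password; the only difference is per-app revocation.
Added example for this page, not the original post's code. All names are
hypothetical and the password is stored in plaintext only to keep the model short."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    password: str                               # plaintext for the toy model only
    followers: set = field(default_factory=set)
    tweets: list = field(default_factory=list)  # (actor, text) pairs for auditing


class Session:
    """Everything an authenticated caller can do, regardless of how it logged in."""

    def __init__(self, provider, username, via):
        self.acct = provider.accounts[username]
        self.via = via  # "password" or the app name that holds the token

    def post_tweet(self, text):
        self.acct.tweets.append((self.via, text))

    def follow(self, who):
        self.acct.followers.add(who)

    def unfollow(self, who):
        self.acct.followers.discard(who)


class Provider:
    def __init__(self):
        self.accounts = {}
        self.tokens = {}  # token -> (username, app_name)

    def register(self, username, password):
        self.accounts[username] = Account(username, password)

    # Path 1: the caller presents the user's password.
    def login_with_password(self, username, password):
        acct = self.accounts.get(username)
        if acct is None or acct.password != password:
            raise PermissionError("bad credentials")
        return Session(self, username, via="password")

    # Path 2: the user authorizes an app; the provider mints a per-app secret.
    def authorize_app(self, username, password, app_name):
        self.login_with_password(username, password)  # simplified consent step
        token = secrets.token_hex(16)
        self.tokens[token] = (username, app_name)
        return token

    def login_with_token(self, token):
        if token not in self.tokens:
            raise PermissionError("token revoked or unknown")
        username, app_name = self.tokens[token]
        return Session(self, username, via=app_name)

    def revoke_app(self, username, app_name):
        """De-authorize one app; tokens held by other apps stay valid."""
        for tok, (u, a) in list(self.tokens.items()):
            if u == username and a == app_name:
                del self.tokens[tok]

    def authorized_apps(self, username):
        return sorted(a for (u, a) in self.tokens.values() if u == username)


def capabilities(session):
    """Names of the actions a session can perform."""
    return sorted(n for n in dir(session)
                  if not n.startswith("_") and callable(getattr(session, n)))


def demo():
    p = Provider()
    p.register("dave", "hunter2")
    tok_a = p.authorize_app("dave", "hunter2", "app-a")
    tok_b = p.authorize_app("dave", "hunter2", "app-b")

    by_password = p.login_with_password("dave", "hunter2")
    by_token = p.login_with_token(tok_a)
    same_power = capabilities(by_password) == capabilities(by_token)

    by_token.post_tweet("posted through app-a")   # the audit trail names the app
    p.revoke_app("dave", "app-a")
    try:
        p.login_with_token(tok_a)
        revoked_blocked = False
    except PermissionError:
        revoked_blocked = True
    other_unaffected = p.login_with_token(tok_b) is not None

    return {"same_power": same_power,
            "revoked_blocked": revoked_blocked,
            "other_unaffected": other_unaffected,
            "apps": p.authorized_apps("dave"),
            "audit": p.accounts["dave"].tweets}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports `same_power: True` (the token session and the password session expose identical actions), `revoked_blocked: True` and `other_unaffected: True` (only app-a loses access), and the audit list shows which app posted the tweet.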

There have been a lot of vague promises made that have led people to believe they are safer, but that is not true.

See also: Jon Udell on a cost of OAuth.


© Copyright 1997-2012 Dave Winer. Last update: Saturday, September 11, 2010 at 6:27 PM Eastern. Last build: 8/26/2012; 5:56:06 PM. "It's even worse than it appears."
