
Chirp 2010: Too many secrets, but never enough: OAuth at Twitter

by Developer Advocate at Twitter on Apr 16, 2010

  • 12,609 views

Slides from the session given by @raffi and @episod at Chirp. Additional links and slides included.

Uploaded via SlideShare as Apple Keynote

Usage Rights

© All Rights Reserved


  • markokukovec Marko Kukovec, Razvojni inženir at Inova IT If you want to convert '.key' presentation file to '.pdf' or '.ppt' you can use online service at http://www.zamzar.com/ for this. 1 year ago
  • Iroiso Iroiso Ikpokonte at Iroiso Ikpokonte Read this as soon as you can. 2 years ago
  • MrKappa MrKappa Finally, there is no means for me to explain to the end user what information or access is granted to the end user when joining accounts.

    This creates a few big problems, policy makers have to decide on a catch all solution which either favors its users or people developing for it. Second, I have no means as a developer to explain what the connection is for. I am given a section when registering an application to explain what it is, and even that is absent from the 'connect' splash page.

    I would really prefer it if there was a permission matrix which allows a developer to specifically declare which functionalities are requested for usage. And in turn that same permission matrix can be used to explain to the end user before they connect, exactly what connecting is all about.

    No Client wants to authenticate with a third party application if it is going to start retweeting to everybody else, or posting their test scores without their permission, or erasing their followers, or sending DMs on their behalf. I (as a tweeter) want to know what a strange 3rd party account website wants access to my account for. The problem seems to be partially resolved on a website like the Huffington Post when it says they will post to your timeline, but I think it should be clearer, as in the future, I would hope there would be a real means to access the users email address, and a clear indication to the end user that it's something being requested, and I as a developer have the option to provide a brief description as to what the connection is about, plus expanding the app registration to a fuller matrix, beyond the read and write dual option it currently is.
    3 years ago
  • MrKappa MrKappa Slide 13 is useful, it should be on the Twitter instruction page. 3 years ago
  • MrKappa MrKappa When providing directions, keep people guessing, it's a sure way to make the standard fail... Give them 3 generic keys, tell them to hash with the 'secret one', give the others cute names like consumer. Force them to encrypt with public keys like 'Anonymous', reveal the algorithm in the get vars, advise POST over https, but allow GET over http, claim it's the future...

    Guys, this is clearly the worst attempt at a standard I have ever seen, sorry...

    It's not a standard, it's an advisory, and nobody seems to understand its purpose, especially anyone writing the 'Help' manuals...
    3 years ago
  • MrKappa MrKappa What's on the horizon? a scraper... 3 years ago
  • MrKappa MrKappa If you think anyone in their right mind is going to make it past that insanely complex instruction set written in the 'Help' manual, you could be losing out to FB which was quite literally a plain English 1 hour walk through.

    Whoever was paid to write that 'Help' manual, has no interest in helping anyone...
    3 years ago
  • MrKappa MrKappa Hey, I'm sorry, but what should be plain English is obfuscated beyond all belief...

    Step 1, Step 2, Step 3 is actually, 'well, let me start with why this base 54 encoded string should be passed over POST, of course we'll take it over HTTP and GET but f#!k you, listen to why this SHA-1 HASH has anything to do with security...'

    Sorry guys, I can't see why anything which is free, as in no cost to use should be this difficult to understand. It's a joke...
    3 years ago
  • samwize Junda Ong, Mobile Lead at Hoiio Just to be certain, are you saying OAuth is too complex, compared to xAuth? 3 years ago
  • etorrie etorrie Somewhat difficult to understand without speaker notes.. 3 years ago

Chirp 2010: Too many secrets, but never enough: OAuth at Twitter Presentation Transcript