Great article on OAuth and how Twitter does it “wrong”

Earlier today, Mikkel passed on via Twitter an excellent article on OAuth.  Mikkel has created an abstracted view part for use in his TwitNotes that does the OAuth work for you.  As Mikkel outlines, he has gone through the same struggles as Ryan did in his article on Ars.  Even though the article has some great visual graphics, don’t think it isn’t comprehensive.  The article goes deeply into the problem at hand and even offers some suggestions on how Twitter could change its OAuth flow to be more like LinkedIn’s and Google’s.

Even in the context of server-to-server authentication, OAuth should be viewed as a necessary evil rather than a good idea. It should be approached with extreme trepidation and the high level of caution that is warranted by such a convoluted and incomplete standard. Careless adoption can lead to serious problems, like the issues caused by Twitter’s extremely poor implementation.


Is xAuth secure?

I am not a security expert and I am just starting to get into OAuth and the different ways social sites can be cross-authenticated with social applications.  I have played with Facebook and Twitter using OAuth, which work great for my blog and other sites.

xAuth is interesting because it is basically the same thing as OAuth but skips the request_token and authorize steps.

xAuth allows desktop and mobile applications to skip the request_token and authorize steps and jump right to the access_token step. See this for more details. – Twitter Documentation

The problem, from what I know, is that the “request_token and authorize” steps seem pretty important. This is where the user actually accepts the application that is requesting access.

Why is this cool? Well, imagine an on-premises application (one that sits behind the firewall) that wants to integrate with Twitter, LinkedIn or Facebook. It simply won’t work, since none of those services can call back into the site behind the firewall. xAuth would solve this.

Now, if an application is well known and the key is truly kept secret, then I guess xAuth could be used. In a world of “leaks” and lack of employee trust, I simply cannot see xAuth being a viable way to achieve authentication.
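Here is an added example (my own Python, not code from Twitter, Mikkel’s view part, or the Ars article) showing what that shortcut actually signs: the parameters of a single xAuth access_token request and the OAuth 1.0a HMAC-SHA1 signature the client computes over them. The x_auth_* parameter names are Twitter’s; the endpoint URL, consumer key and secret, and user credentials are constructed placeholders.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed sample application credentials, not real keys.
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"

def percent_encode(value: str) -> str:
    # OAuth 1.0a requires RFC 3986 encoding: only A-Z a-z 0-9 - . _ ~ stay bare.
    return urllib.parse.quote(value, safe="-._~")

def signature_base_string(method: str, url: str, params: dict) -> str:
    # Encode every key and value, sort the pairs, join as k=v&k=v, then join
    # METHOD&url&normalized with each of the three parts encoded again.
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(url), percent_encode(normalized)])

def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    # Signing key is "consumer_secret&token_secret". In the three-legged flow the
    # access_token request is also keyed with the request token secret; xAuth never
    # obtained a request token, so the consumer secret alone protects this request.
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def xauth_access_token_params(username: str, password: str, nonce: str, timestamp: str) -> dict:
    # The single xAuth request that replaces request_token + authorize: the user's
    # raw password is a signed parameter, so the application itself must handle it.
    return {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_version": "1.0",
        "x_auth_mode": "client_auth",
        "x_auth_username": username,
        "x_auth_password": password,
    }

def sign_xauth_request(url: str, username: str, password: str, nonce: str,
                       timestamp: str, consumer_secret: str = CONSUMER_SECRET) -> str:
    # Returns the oauth_signature value the client sends. Any party holding the
    # consumer secret can produce a valid one, which is why a leak matters so much.
    params = xauth_access_token_params(username, password, nonce, timestamp)
    base = signature_base_string("POST", url, params)
    return hmac_sha1_signature(base, consumer_secret)
```

Because no request token exists yet, the only thing the provider can check on this request is the consumer secret, which is exactly the “truly kept secret” condition above.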