Friday, May 20, 2011

twitter - this application will be able to - oauth

Twitter opened up to developer applications several years back.

What has happened in 2011 is that the authorization mechanism has been made more granular.


Above is a type of authorization I will call 'read only', now for a more clumsy example:


Both examples have in the 'will be able to' section:
  • Read Tweets from your timeline
  • See who you follow, and follow new people.
The second example is NOT 'read only' as it has extra access which allows:
  • Update your profile
  • Post Tweets on your behalf

Friend or Follow or other types of 'read only' services:

If you go to use a Friend or Follow type service that helps you understand who you follow back and suchlike, then there should only be 2 items in the 'will be able to' section.

What these sorts of services offer is a query of your friend list and some analysis on that friend list.

There is no need for a friend analysis service to have 'Update your profile' or 'Post Tweets on your behalf'.

So if you go to such a service and the 'will be able to' section shows 4 items:

  • Read Tweets from your timeline
  • See who you follow, and follow new people.
  • Update your profile
  • Post Tweets on your behalf
...then do NOT authorize it!

Instead check the 'About' information or terms of service, and ask the developer why they feel they need 'Update your profile' access, or 'Post Tweets on your behalf' access.

The developer will probably contact you back and say that they have fixed it and it was an oversight. You might even get a thank you :)


How did this happen - is the developer doing something bad?

Probably not.

Back when the API was first launched, Twitter probably did not have the flexibility and control that it has today.

Early apps (written more than a year ago) plugged into an authorization system which likely did not distinguish between the 2-item and 4-item lists you are shown today.

Rather than just shut down those early apps, Twitter is now showing you the item lists, probably hoping your interaction will gee up the developers to modernize to the new API and request only the lesser privileges.

Shouldn't be a massive change for developers, but will require a little bit of work.

If a year from now you sign up to a new app service and that shows you 4 items in the 'will be able to' list, then that newer app service might be open to strong criticism :|
