Using Twitter OAuth Properly

This is it. I’ve had enough! Seriously, people. OAuth is about maintaining control as a user and everyone wants me to give it up! I’m tired of constantly clicking deny.

What am I complaining about? The constant abuse of Twitter OAuth login. Every site that I’ve visited that uses Twitter OAuth requires both read and write access to my account. The latest to do this is, a service that looks really cool,

OAuth requiring update permissions just for login

So what’s the fix? Websites should ask for the minimum level of access needed to get started. In nearly every single case, the sites are using it for login purposes: instead of a username and password, you talk to Twitter to verify that you have a legitimate user. Those “Tweet This For Me” buttons are optional add-ons.

You should handle those optional cases by performing an upgrade when the user decides they want to allow your application to update their account for them. Unfortunately, Twitter doesn’t let you specify which level of access you want when you request a token; you have to choose it when you set up your application.

Registering two applications is an easy solution to this problem. You use the read-only application for authentication, then switch to the other app when you’re attempting to write. It requires a little overhead when you store the access token, but it’s trivial to store a flag showing which set of credentials to use.
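The two-application pattern above, written out as an added example (this is not code from the original post, and it talks to no real API): one registration issues read-only tokens and is used for every login, the other is only authorised when the user opts into posting. The stored flag picks the consumer credentials that match the token, and a write attempt with a read-only grant is refused locally rather than failing at Twitter. All names (`TokenStore`, `login`, `upgrade`) and credential values are hypothetical placeholders.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

READ_ONLY = "read"
READ_WRITE = "read-write"


@dataclass(frozen=True)
class AppCredentials:
    """Consumer key/secret of one registered application (hypothetical)."""
    consumer_key: str
    consumer_secret: str
    access_level: str


# Constructed placeholders, not real keys. The read-only registration is the
# one every user goes through at login; the read-write one is only offered
# when the user explicitly asks for the "post for me" feature.
APPS: Dict[str, AppCredentials] = {
    READ_ONLY: AppCredentials("ro-consumer-key-PLACEHOLDER",
                              "ro-consumer-secret-PLACEHOLDER", READ_ONLY),
    READ_WRITE: AppCredentials("rw-consumer-key-PLACEHOLDER",
                               "rw-consumer-secret-PLACEHOLDER", READ_WRITE),
}


@dataclass
class StoredToken:
    """Access token as persisted per user, plus the flag naming the issuing app."""
    oauth_token: str
    oauth_token_secret: str
    access_level: str


class TokenStore:
    """In-memory stand-in for the database table holding user tokens."""

    def __init__(self) -> None:
        self._tokens: Dict[str, StoredToken] = {}

    def save(self, user_id: str, token: str, secret: str, access_level: str) -> None:
        if access_level not in APPS:
            raise ValueError(f"unknown access level: {access_level}")
        self._tokens[user_id] = StoredToken(token, secret, access_level)

    def level(self, user_id: str) -> str:
        return self._tokens[user_id].access_level

    def credentials_for(self, user_id: str,
                        needs_write: bool = False) -> Tuple[AppCredentials, StoredToken]:
        """Pick the consumer credentials that match the stored token.

        A token is bound to the app that issued it, so the flag decides which
        consumer key signs the request. A write with a read-only grant is
        refused here; the caller should send the user through the upgrade flow.
        """
        stored = self._tokens.get(user_id)
        if stored is None:
            raise KeyError(f"no token for user {user_id}")
        if needs_write and stored.access_level != READ_WRITE:
            raise PermissionError("user has not granted write access; run the upgrade flow")
        return APPS[stored.access_level], stored


def login(store: TokenStore, user_id: str, token: str, secret: str) -> None:
    """Login callback: persist the token issued by the read-only app."""
    store.save(user_id, token, secret, READ_ONLY)


def upgrade(store: TokenStore, user_id: str, token: str, secret: str) -> None:
    """Upgrade callback: the user authorised the read-write app, so replace
    the token and flip the flag. The read-write token also covers reads."""
    store.save(user_id, token, secret, READ_WRITE)


def demo() -> Dict[str, str]:
    """Walk one user through login, a refused write, and the upgrade."""
    store = TokenStore()
    login(store, "alice", "tok-ro-PLACEHOLDER", "sec-ro-PLACEHOLDER")
    app, _ = store.credentials_for("alice")
    login_level = app.access_level
    try:
        store.credentials_for("alice", needs_write=True)
        write_before = "allowed"
    except PermissionError:
        write_before = "denied"
    upgrade(store, "alice", "tok-rw-PLACEHOLDER", "sec-rw-PLACEHOLDER")
    app, _ = store.credentials_for("alice", needs_write=True)
    return {"login_level": login_level,
            "write_before_upgrade": write_before,
            "after_upgrade": app.access_level}


if __name__ == "__main__":
    print(demo())
```

The point of keeping the flag next to the token rather than next to the user is that the token and the consumer key must come from the same registration for the request signature to validate; selecting the consumer key by anything else will produce tokens that silently stop working after an upgrade.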

Honestly, I know most applications are completely trustworthy, especially those I’ve found through recommendations of others, but it’s still unnerving to give 100% access to my account to a new service for the sheer pleasure of being able to log in and see if I like it. It should be to you too.