Twitter Tutorial: What is OAuth And What It Means To You

As of August 31, 2010 the way that applications access Twitter via your account will be restricted to only one way. Applications can currently access your account if you provide them with your username and password (also known as basic authentication) or if you give them permission to via OAuth. After August 31 the only way an application will be allowed access to your account will be via OAuth.

According to OAuth's website the protocol is like a valet key.

Many luxury cars today come with a valet key. It is a special key you give the parking attendant and unlike your regular key, will not allow the car to drive more than a mile or two. Some valet keys will not open the trunk, while others will block access to your onboard cell phone address book. Regardless of what restrictions the valet key imposes, the idea is very clever. You give someone limited access to your car with a special key, while using your regular key to unlock everything.

If you are a Twitter user and use applications to check your tweet stream on your phone/desktop or somewhere else on the web (think Tweetdeck or Hootsuite), or any of the multitude of analytics tools available for Twitter, you've probably come across Twitter's application authorization screen.

If you’re already logged into Twitter when you get to this screen you won’t be given an option to login; instead your information will be displayed. For those of you more familiar with Facebook think Facebook Connect.

The short and simple version of OAuth is that you are not giving your Twitter username and password to an application developer. Instead you are giving that application permission to access your account by means of a key (an access token) that Twitter issues and identifies as your key for that application. The application is required to have an established relationship with Twitter by registering as an application.

During an application's sign-up process the developer must also declare whether that application is read only or read & write. If the application is read only it will only be able to read your information. Read & write means it can do both.

The benefit of OAuth is the security of knowing you don't need to give anyone else your password. Also, you can change your password at any time and your already authorized applications will keep working. Twitter can also easily revoke an application's access key if the application starts behaving like spam or otherwise acting against the user base's best interest.

In that same authorization window, users are asked whether they will allow an application to access, or access and update, their account.

In a lot of ways the advantages of OAuth stop there for applications that have been allowed to access and update accounts. A user still needs to trust the app to update their account promptly and correctly. An application that updates the account without the user's express permission, even though the user has allowed the application access to the account, is still considered to be in violation of Twitter's Application Developer Terms of Service.

Here is a list of things that an application cannot do and therefore you cannot accidentally do through an application using OAuth:

  • Change your username
  • Change your password
  • Change your email address
  • Change your mobile settings
    • Number attached to account
    • Settings for mobile send times
    • Settings for following a user’s updates via text message
    • Change direct message to mobile settings

This will keep your account settings generally secure from being changed, but you are still responsible for the content that is sent by the app. This can include:

  • Status updates
  • Direct messages
  • Following someone
  • Unfollowing someone
  • Blocking someone
  • Reporting someone as spam
  • List creation
  • List deletion
  • List following
  • Adding users to a list

There are more, but you get the idea. In short, the ability of an application approved through OAuth is restricted, but it still has the potential to be dangerous. You should only use applications that you trust or that you understand. Look for an application's documentation section, or if the app is a small one, send an email or @reply to the developer and ask them about their application.
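To make the "valet key" concrete, here is an added toy model of the delegation described above (the read-only versus read & write scope fixed at app registration, the per-application token that replaces the password, revocation of one app without touching the others, tokens surviving a password change, and account settings staying out of reach whatever the scope). It is example code written for this page, not Twitter's code or the OAuth protocol itself; the service class, action names and sample accounts are all invented for illustration.

```python
import secrets
from dataclasses import dataclass, field

READ_ONLY = "read"
READ_WRITE = "read-write"

# Actions a read-only token may perform (constructed names, not Twitter's API)
READ_ACTIONS = {"read_timeline", "read_direct_messages"}
# Actions that additionally need a read-write token (the article's second list)
WRITE_ACTIONS = {
    "post_status", "send_direct_message", "follow", "unfollow", "block",
    "report_spam", "create_list", "delete_list", "follow_list", "add_to_list",
}
# Account settings are never reachable through an app token (the first list)
SETTINGS_ACTIONS = {
    "change_username", "change_password", "change_email", "change_mobile_settings",
}


@dataclass
class Grant:
    app_name: str
    scope: str  # READ_ONLY or READ_WRITE, fixed when the app registered


@dataclass
class Account:
    username: str
    password: str
    grants: dict = field(default_factory=dict)  # access token -> Grant


class ToyTwitter:
    """Hypothetical service side: registers apps, issues, checks and revokes tokens."""

    def __init__(self):
        self.accounts = {}
        self.apps = {}  # app_name -> scope declared at developer sign-up

    def create_account(self, username, password):
        self.accounts[username] = Account(username, password)

    def register_app(self, app_name, scope):
        if scope not in (READ_ONLY, READ_WRITE):
            raise ValueError("scope must be read or read-write")
        self.apps[app_name] = scope

    def authorize(self, username, password, app_name):
        """The user proves identity to the service, never to the app, and the
        service hands back a token the app uses on the user's behalf."""
        account = self.accounts[username]
        if password != account.password:
            raise PermissionError("bad password")
        if app_name not in self.apps:
            raise PermissionError("unregistered application")
        self.revoke(username, app_name)  # re-authorizing replaces the old token
        token = secrets.token_urlsafe(24)
        account.grants[token] = Grant(app_name, self.apps[app_name])
        return token

    def revoke(self, username, app_name):
        """Drop one app's token; other apps' tokens are untouched."""
        account = self.accounts[username]
        for tok, grant in list(account.grants.items()):
            if grant.app_name == app_name:
                del account.grants[tok]

    def change_password(self, username, new_password):
        """Tokens survive a password change: the app never held the password."""
        self.accounts[username].password = new_password

    def perform(self, username, token, action):
        """Return True if the token may perform the action, else False."""
        grant = self.accounts[username].grants.get(token)
        if grant is None:
            return False  # revoked, replaced, or never issued
        if action in SETTINGS_ACTIONS:
            return False  # no scope reaches account settings
        if action in READ_ACTIONS:
            return True
        if action in WRITE_ACTIONS:
            return grant.scope == READ_WRITE
        return False  # unknown action: deny by default


def demo():
    """Walk through the scenarios the article describes; returns a result map."""
    svc = ToyTwitter()
    svc.create_account("alice", "example-password")  # constructed sample account
    svc.register_app("StatsTool", READ_ONLY)
    svc.register_app("DesktopClient", READ_WRITE)
    stats_tok = svc.authorize("alice", "example-password", "StatsTool")
    client_tok = svc.authorize("alice", "example-password", "DesktopClient")
    r = {
        "stats_reads": svc.perform("alice", stats_tok, "read_timeline"),
        "stats_posts": svc.perform("alice", stats_tok, "post_status"),
        "client_posts": svc.perform("alice", client_tok, "post_status"),
        "client_changes_email": svc.perform("alice", client_tok, "change_email"),
    }
    svc.change_password("alice", "new-example-password")
    r["client_after_pw_change"] = svc.perform("alice", client_tok, "post_status")
    svc.revoke("alice", "DesktopClient")
    r["client_after_revoke"] = svc.perform("alice", client_tok, "read_timeline")
    r["stats_after_revoke"] = svc.perform("alice", stats_tok, "read_timeline")
    return r


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

Running `demo()` shows the read-only token reading but not posting, the read-write token posting but unable to touch the email setting, the read-write token still working after the password change, and only the revoked app losing access. The deny-by-default branch at the end of `perform` is the part worth copying into any real authorization check: an action the service has not explicitly classified should never succeed by accident.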

Keep your password secure after August 31st. You will not be required to give it to an application for purposes of accessing your account. However, there are applications that still require their own login, and you are not required to use the same password you use for Twitter for them.