15 Jun 09 Twitter, please mix basic auth with OAuth.

Tags: oauth, twitter

Today, I spent close to 6 hours trying to implement a workable solution to running OAuth alongside my current basic authentication for Tweekly.fm. I got close to getting it working.

Yes, OAuth is great. But it is not great when you already have userbase of basic auth users. My problem is that IF I do implement OAuth, I’d want Tweekly.fm users to come back and switch. It’s a nightmare, since Tweekly.fm isn’t exactly a service where you use your login credentials again. I’d somehow have to get all the users to come back to switch. The only thing connecting OAuth with basic auth in my system is the last.fm username. Because of the way Tweekly.fm works, I can’t run both OAuth and basic auth. So, if someone wants to switch, I have to delete the basic auth, which is just too much effort for the user. Because the way Tweekly.fm works, I might also end up deleting another person’s subscription (you can choose any last.fm username, not just your own).

All I ask Twitter, is 1 special API method. Use basic auth to get the access tokens. This way, I can easily switch my whole userbase to OAuth without them having to do ANYTHING! You can even deprecate all the other functions of basic auth. Just allows us to get access tokens if we use basic auth.

It will even drop all the hurdles to get authorization in the 1st place (go to site, click, authorize on twitter, come back). Desktop apps will like this too. This way, you keep the ease of basic auth and have the security of OAuth (switching off rogue apps). The user won’t be phased. The developers might have trouble though. Basic auth is much better to learn than OAuth.

So, Twitter, if you want to switch to OAuth, at least make it easier for us to switch existing userbases to it.