Twitter Extends New OAuth Deadline For Apps Accessing Direct Messages

Adam DuVander
May. 18 2011, 06:25PM EDT

With an announcement of new permission levels, Twitter is requiring apps that need access to direct messages to re-authorize their users. For mobile apps, this could mean rewriting to use OAuth for the first time. When the developer community balked at a shorter timeline, Twitter extended the deadline to June 30 (originally June 14). Though most developers will not need to make changes to their applications, those that do will have to do so in only 43 days (originally 27).

Update: Twitter has extended the deadline to the end of June.

When Twitter shut off basic authentication last year, it gave over four months' notice, though the original heads-up was half that. The company twice extended the deadline and finally required OAuth starting August 30, 2010.

The changes provide more clarity and control to users of Twitter's platform. And while the technical hurdle is not as large as last year's "OAuthcalypse," some developers--especially those of native mobile apps--will need to implement big changes, as hinted on the Twitter dev list:

Applications that use “Sign-in with Twitter” or xAuth will only be able to
receive Read or Read/Write tokens.

What this means is only applications which direct a user through the OAuth
web flow will be able to receive access tokens that allow access to direct
messages. Any other method of authorization, including xAuth, will only be
able to receive Read/Write tokens.

Daring Fireball points out that it's not just a technical issue. Mobile apps are being forced into a degraded user experience:

Thanks to OAuth, you never need to give these sites your Twitter password, let alone allow them to store your password. Instead, they forward you to twitter.com, you grant them access to your account there, and then twitter.com forwards you back to the website where you started. It’s common sense: a web-based authentication flow works naturally from within a web browser.

But the same web-based authentication flow is jarring for native apps. When you open a native app — Mac, Windows, iOS, Android, WebOS — you don’t expect to be forwarded out of the app and into your web browser.

Twitter's relationship with developers has been tense over the last year, since around the time Twitter acquired the iPhone app Tweetie, now called Twitter for iPhone. Around the same time, Fred Wilson, an early investor, said developers were just filling holes in the Twitter platform rather than making something new. In his update to the recent announcement, Twitter's Matt Harris noted that official Twitter apps won't use the OAuth web flow. "We’re taking this step to give more clarity and control to users about the access a third-party application has to their account," Harris wrote (emphasis added).

Adam DuVander -- Adam heads developer relations at Orchestrate, a database-as-a-service company. He's spent many years analyzing APIs and developer tools. Previously he worked at SendGrid, edited ProgrammableWeb and wrote for Wired and Webmonkey. Adam is also the author of mapping API cookbook Map Scripting 101.

Comments(5)

[...] Basically, the stranglehold by Twitter was being elevated to a new level. Originally they allowed only 2 weeks to perform these changes. Knowing the delay it takes to get your iOS application approved by Apple, this Damocles sword was very close to hitting those 3rd party developers. After much whining and rage, on Twitter, they decided to postpone the application of that new policy until June 30th. [...]