OAuth-only Twitter: What it Means for JavaScript Apps

Today could be the last day for some web applications built purely with client-side JavaScript and the Twitter API. According to Twitter, Basic Authentication has now been permanently shut off, as the company promised. While the move should bring better security for many users, it also makes building JavaScript apps without server-side support for OAuth practically impossible: every OAuth request must be signed with secrets that cannot safely be shipped to the browser.

Developers who use JavaScript to build client-side-only applications find themselves in a Catch-22. The OAuth credentials (the application's consumer key and consumer secret, plus an access token and token secret) would have to be hard-coded into the script, which removes the security OAuth is meant to add: anyone who views the page source can extract them and gain full access to the developer's account and application. Twitter's Taylor Singletary described the problem on the developer mailing list:

There is no secure method to accomplish this purely in Javascript, as you would have to hard code your consumer key & consumer secret as well as an oauth_token and oauth_token_secret for the Twitter account you want to use for all operations. With these pieces of information, anyone would be able to tweet on behalf of your application and account.

In a case like this, you'd want to implement most of this logic server-side, where you can keep the hard-coded credentials securely. You could potentially use Javascript to speak to your own servers to hustle the process along.

The change does improve security, because the secrets never leave the server. It also reduces the options for building a JavaScript app. Those using the search API from JavaScript are unaffected, however, as it does not require authentication.

Twitter OAuth countdown clock

Developers have had plenty of warning. Twitter first announced the move in April, then extended the deadline from June to August and finally implemented a gradual phase-out. Twitter appears to be letting a trickle of connections through with the old method, but expect even that to end soon, as the company's statements all point to Basic Auth being really, truly gone.

The change to OAuth means increased security for users because "Applications won’t store your username and password, and if you change your password, applications will continue to work." OAuth is a token-based authorization protocol: after the user approves an application on Twitter's site, the application receives an access token (and token secret) that it uses to sign each request made on the user's behalf, and the user can revoke that token for one application without touching any other application or changing their password. Applications that use Basic Authentication must store the user's password and send it, merely Base64-encoded in the Authorization header, with every call.

Is giving up client-side-only applications significant? Is it worth the security? Let us know in the comments.
