Twitter Extends New OAuth Deadline For Apps Accessing Direct Messages

With an announcement of new permission levels, Twitter is requiring apps that need access to direct messages to re-authorize their users. For mobile apps, this could mean rewriting to use OAuth for the first time. When the developer community balked at a shorter timeline, Twitter extended the deadline to June 30 (updated from June 14). Though most developers will not need to make changes to their applications, those that do will have to do so in only 43 days (updated from 27).

Update: Twitter has extended the deadline to the end of June.

When Twitter shut off basic authentication last year, it gave over four months' notice, though the original heads-up was half that. The company twice extended the deadline and finally required OAuth starting August 30, 2010.

The changes provide more clarity and control to users of Twitter's Platform. And while the technical hurdle is not as large as last year's "OAuthcalypse," some developers--especially those of native mobile apps--will need to implement big changes, as hinted on the Twitter dev list:

Applications that use “Sign-in with Twitter” or xAuth will only be able to
receive Read or Read/Write tokens.

What this means is only applications which direct a user through the OAuth
web flow will be able to receive access tokens that allow access to direct
messages. Any other method of authorization, including xAuth, will only be
able to receive Read/Write tokens.

Daring Fireball points out that it's not just a technical issue. Mobile apps are being forced into a degraded user experience:

Thanks to OAuth, you never need to give these sites your Twitter password, let alone allow them to store your password. Instead, they forward you to, you grant them access to your account there, and then forwards you back to the website where you started. It’s common sense: a web-based Authentication flow works naturally from within a web browser.

But the same web-based authentication flow is jarring for native apps. When you open a native app — Mac, Windows, iOS, Android, WebOS — you don’t expect to be forwarded out of the app and into your web browser.

Twitter's relationship with developers has been tense over the last year, since around the time Twitter acquired the iPhone app Tweetie, now called Twitter for iPhone. Around the same time, Fred Wilson, an early investor, said developers were just filling holes in the Twitter platform rather than making something new. In his update to the recent announcement, Twitter's Matt Harris noted that official Twitter apps won't use the OAuth web flow. "We’re taking this step to give more clarity and control to users about the access a third-party application has to their account," Harris wrote (emphasis added).
