Twitter OAuthcalypse Coming Soon

Back in the good old days things were a lot simpler. You didn't have to worry about packet capture or password extraction, and as a result many of the original protocols like HTTP, FTP and POP3 didn't worry about sending your password over the wire in plain text. But in today's increasingly sophisticated API-driven world this isn't good enough.

For developers, storing a username and password and sending them to a web server was easy – most APIs and libraries included simple username and password fields. The most common form of this kind of authentication, typically known as HTTP basic authentication, has been available to users of the Twitter API for some time now, and its convenience has made it more attractive than secure protocols like OAuth for a number of developers. However, on June 30th Twitter will be shutting off basic authentication:
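To make the difference concrete, here is an added example (not code from the article or from Twitter) that builds both kinds of Authorization header for the same REST request: the basic header decodes straight back to the password, while the OAuth 1.0a header carries only an HMAC-SHA1 signature that the server verifies with its own copy of the secrets. The credentials, keys, nonce, timestamp and URL used with it are constructed placeholders.

```python
import base64
import hashlib
import hmac
import urllib.parse

def basic_auth_header(username, password):
    # HTTP basic auth (RFC 7617): base64 is an encoding, not encryption, so
    # the password travels in the clear unless TLS protects the connection.
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def credentials_from_basic_header(header):
    # What anyone who captures the header learns: the password itself.
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password

def _pe(value):
    # RFC 5849 percent-encoding: only unreserved characters stay unencoded.
    return urllib.parse.quote(str(value), safe="-._~")

def oauth1_signature(method, url, params, consumer_secret, token_secret):
    # Signature base string = METHOD & enc(URL) & enc(sorted, encoded params);
    # key = enc(consumer secret) & enc(token secret). Secrets never leave the client.
    pairs = sorted((_pe(k), _pe(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _pe(url), _pe(normalized)])
    key = f"{_pe(consumer_secret)}&{_pe(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def oauth1_header(method, url, params, consumer_key, consumer_secret,
                  token, token_secret, nonce, timestamp):
    # Client side: sign the request; the header carries the signature, not the secrets.
    oauth = {"oauth_consumer_key": consumer_key, "oauth_token": token,
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(timestamp),
             "oauth_nonce": nonce, "oauth_version": "1.0"}
    oauth["oauth_signature"] = oauth1_signature(method, url, {**params, **oauth},
                                                consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{k}="{_pe(v)}"' for k, v in sorted(oauth.items()))

def oauth1_verify(method, url, params, header, consumer_secret, token_secret):
    # Server side: recompute the signature from its own copy of the secrets and the
    # request as received; any change to the request or a wrong secret fails.
    fields = {}
    for item in header[len("OAuth "):].split(", "):
        k, v = item.split("=", 1)
        fields[k] = urllib.parse.unquote(v.strip('"'))
    presented = fields.pop("oauth_signature")
    expected = oauth1_signature(method, url, {**params, **fields}, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)
```

The verifier side also shows why OAuth needs nonce and timestamp checks on top of the signature: the signature alone proves possession of the secrets, not freshness.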

You're going to be hearing a lot from me over the next 9 weeks. Our plan is to turn off basic authorization on the API by June 30, 2010 -- developers will have to switch over to OAuth by that time. Between now and then, there will be a *lot* of information coming along with tips on how to use OAuth Echo, xAuth, etc. We really want to make this transition as easy as we can for everybody.

As always, please feel free to reach out to this group, or to @twitterapi directly. If you need help remembering the date -

And, as noted above, the Twitter team has even created a handy countdown clock to help you count the days.

The change will only affect the REST API, while the streaming API will continue to support basic authentication.

The effect of the change is not limited to small hobby projects – popular Twitter clients like TweetDeck have traditionally used basic authentication (although they have made the switch to OAuth). While Twitter will provide a lot of documentation and support for the change-over to OAuth, the onus is still on developers to make the required changes, and there are lots of mashups that make use of the Twitter API.
