If you’ve kept up with my tweets over the past year, you’ve probably seen a lot about something called OAuth. OAuth is a new mechanism that some websites use to authenticate users and track client applications that use their API. Flickr, Twitter, and a bunch of other sites are already using it today. Clients like Kiwi, Tweetie, and Twitteriffic have been slower to take it up. Don’t worry, though, that’s all about to change.Waiting for good OAuth
OAuth was built as a way for apps to access Twitter without requiring users to give away their passwords. How many times have you opened a web-app, been presented with the, “Sign in with your Twitter username and password,” and then just closed the window. I have.
After being burned more than once, I just don’t give out my passwords any more.
OAuth was designed to help with exactly this problem. OAuth allows websites that need access to your account to send you to the Twitter website to explicitly grant access to that app. If it turns out you don’t like the app, you can disable it in the Twitter settings.South going Zax
What makes great sense for web-apps seems out of place for Mac Apps. Having a browser open up to Twitter.com is not how you want to sign in to every account. And being dumped out to Safari on an iPhone is even more painful. Most Mac/iPhone developers sensed this and held off integrating OAuth.
Twitter tried to sweeten the pot by only displaying the name of apps that used OAuth. But it changed the game very little. A few apps were motivated enough to suffer the user experience, but most didn’t. It set the stage for a stalemate between frustrated client developers and unbudging API developers.…but if you try sometimes, you get what you need.
A new tweak to the OAuth system was proposed specifically for desktop and mobile. In short, it has most of the advantages in tracking client apps, but allows users the expected experience of signing in with their username and password, without a web browser. It’s the best of both worlds.
Twitter has added this modification and has been hinting about it for a while. It finally leaked out a few weeks ago that it was already beta testing. And yesterday it was switched on.New and Improved! Just like before.
Most users won’t notice any change. And that’s a good thing. But behind the scenes there will be some important differences.
Separation from passwords — done well, a client should ask for your password, use it to get authentication from Twitter, then forget your password. The client remembers the authentication token from then on. The authentication token is like a key to your Twitter account, and it continues to work even if you change your password.
Increased rate limits — because Twitter can keep a closer eye on specific client apps, they allow more API calls. Basic Auth allowed 150 calls per hour; with OAuth/xAuth, it’s at least double that. This means more cool Twitter client features, and more refreshes.
Attribution — you may not care very much. But the attribution line on a tweet says which client app was used to create that tweet. It’s like a little teeny tiny ad on every tweet. That’s good news for underdogs like Kiwi that are trying to get noticed.
And all this, without so much as a hiccup in the user experience.I can haz now!?
I released a first Kiwi 1.2 beta a few hours after xAuth was turned on, but a second beta was released tonight. It’s a bit more stable, but probably still has a few rough corners. If you’re feeling daring you can grab it here: Download, Release Notes. Or if you’d rather wait for the real thing. Then just hang on a few days. We’ll roll out the final version and Kiwi will automatically update when it’s ready.Update
Beta 3 is out now, I’ve updated the links.