Redirectionless OAuth Credentials Exchange



Am I missing something here? Twitter is working with select partners to test what is variously being called OAuth delegation or browserless OAuth credentials exchange method (not sure why browserless since it's not about the browser, it's about the redirection).

The bottom line is that in an effort to be more user friendly, this removes the redirection to the Twitter site where you authorize access by letting the third-party site (the site being delegated to) collect and then pass along the user's username and password to get the OAuth credentials. Abraham Williams captured the POST headers from Seesmic Look and they clearly contain the username and password.

I don't see how this can be a step forward in secure third-party access to APIs like Twitter. Once users start being allowed--even required--to (again) enter usernames and passwords into third-party sites, they'll be ripe for phishing attacks. Maybe I'm misunderstanding this based on the sketchy information available, but it looks phishy to me.
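To make the difference between the two flows concrete, here is an added toy model (not code from the original post, Twitter, or Seesmic) that runs both the redirect-based OAuth flow and the redirectionless credential exchange against an in-memory stand-in for the API provider, records everything the third-party application handles along the way, and includes the kind of check Abraham Williams effectively did by hand: inspecting a captured POST body for password fields. The class and function names, the sample user, and the list of password field names are all constructed assumptions.

```python
"""Added example: what the third party ends up holding under each OAuth flow.

Everything here is a constructed stand-in; the 'AuthServer' plays the role of
the API provider (Twitter in the post) and the two *_flow functions play the
role of the third-party application."""
import secrets
from urllib.parse import parse_qs


class AuthServer:
    """Minimal in-memory API provider (constructed stand-in, not Twitter's API)."""

    def __init__(self, users):
        self.users = users          # username -> password (constructed sample data)
        self.request_tokens = {}    # request token -> None or (username, verifier)
        self.access_tokens = {}     # access token -> username

    # --- redirect flow: three legs, the password only ever reaches the provider ---
    def issue_request_token(self):
        tok = secrets.token_hex(8)
        self.request_tokens[tok] = None
        return tok

    def user_authorizes(self, request_token, username, password):
        # Happens on the provider's own site after the redirect; the third
        # party is not a party to this step and never sees the password.
        if self.users.get(username) != password:
            raise PermissionError("bad login")
        verifier = secrets.token_hex(4)
        self.request_tokens[request_token] = (username, verifier)
        return verifier

    def exchange_request_token(self, request_token, verifier):
        entry = self.request_tokens.pop(request_token, None)
        if entry is None or entry[1] != verifier:
            raise PermissionError("bad verifier")
        access = secrets.token_hex(8)
        self.access_tokens[access] = entry[0]
        return access

    # --- redirectionless flow: the third party POSTs the raw credentials ---
    def credentials_exchange(self, body):
        params = {k: v[0] for k, v in parse_qs(body).items()}
        if self.users.get(params.get("username")) != params.get("password"):
            raise PermissionError("bad login")
        access = secrets.token_hex(8)
        self.access_tokens[access] = params["username"]
        return access


def redirect_flow(server, username, password):
    """Third-party side of the redirect flow. Returns (access_token, data_seen)."""
    seen = []
    rt = server.issue_request_token()
    seen.append(rt)
    # The user is sent to the provider, logs in there, and comes back with a verifier.
    verifier = server.user_authorizes(rt, username, password)
    seen.append(verifier)
    access = server.exchange_request_token(rt, verifier)
    seen.append(access)
    return access, seen


def redirectionless_flow(server, username, password):
    """Third-party side of the credential exchange. Returns (access_token, data_seen)."""
    seen = []
    body = f"username={username}&password={password}"   # the captured-POST shape
    seen.append(body)
    access = server.credentials_exchange(body)
    seen.append(access)
    return access, seen


# Constructed list of field names that indicate a password is in a request body.
CREDENTIAL_FIELDS = {"password", "passwd", "pwd"}


def body_exposes_credentials(body):
    """Inspect a form-encoded request body, as one would a captured POST."""
    return any(k.lower() in CREDENTIAL_FIELDS for k in parse_qs(body))


def third_party_saw_password(seen, password):
    """True if the password string appears in anything the third party handled."""
    return any(password in item for item in seen)


if __name__ == "__main__":
    srv = AuthServer({"alice": "hunter2"})          # constructed sample user
    _, seen_redirect = redirect_flow(srv, "alice", "hunter2")
    _, seen_direct = redirectionless_flow(srv, "alice", "hunter2")
    print("redirect flow, third party saw password:",
          third_party_saw_password(seen_redirect, "hunter2"))
    print("redirectionless flow, third party saw password:",
          third_party_saw_password(seen_direct, "hunter2"))
    print("captured body carries a password field:",
          body_exposes_credentials(seen_direct[0]))
```

Both flows end with a valid access token, so from the provider's side they look equivalent; the difference is entirely in what passed through the third party, which is what `third_party_saw_password` reports and what the post's phishing concern rests on.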



Last modified: Thu Oct 10 12:47:19 2019.