If Twitter applications make use of OAuth why would certainly they request for my password?

I joined to TweetDeck, and also adhering to the actions it shows up that I released it an OAuth token.

After that I mounted it (0.35.1, Linux), checked in with my TweetDeck account and also attempted to add my Twitter account. It after that asks me for my Twitter Password.

Why would certainly it require my password if it makes use of OAuth?


I obtained an e-mail from Twitter a while after authorizing the OAuth token. It recommends this prevails to applications as a whole and also not simply TweetDeck:

  • OAuth is a modern technology that makes it possible for applications to accessibility Twitter in your place with your authorization without asking you straight for your password.
  • Desktop computer and also mobile applications might still request for your password as soon as , yet afterwards demand, they are called for to make use of OAuth in order to access your timeline or permit you to tweet.

I still do not recognize why they would certainly require my password if I've currently authorized an OAuth token straight with Twitter using the internet.

The e-mail additionally claims:

Applications are no more permitted to store your password.

Just how they could be protected against from saving it? Disclosing a password "as soon as" is disclosing it for life.

2019-05-18 21:26:06
Source Share
Answers: 2

First, they can not practically protect against the application from saving your password.

Currently, if they are a well - acted neighborhood application, the password is just refined (or saved) on your computer system and also sent out to Twitter. That is really various from a company saving your password on their web servers, which is the trouble OAuth was initially made to address.

Some desktop computer and also mobile applications make use of xAuth, a method of making use of a username and also password to start an OAuth circulation. This is perhaps what TweetDeck is doing. As soon as you have actually accredited TweetDeck on one computer system, you still require to get the various other instance attached, so it requires to accredit it once more. So, the circulation when you make use of an application (and also it is per application installment, not per application), they can take your username and also password, get an OAuth token, and also store the OAuth token.

Keep in mind that entering your username and also password in a well - acted, trustworthy desktop computer application working on your computer system is no much less secure than entering it in twitter.com in your internet internet browser.

2019-05-21 06:50:09

Why would certainly it require my password if it makes use of OAuth?

Some twitter application that have actually not been upgraded to sustain OAuth totally can make use of the xAuth API to get OAuth qualifications from a username and also password. This is just called for as soon as per application installment as the OAuth token that it returns does not run out.

Just how they could be protected against from saving it?

Clearly twitter can not stop them from saving your password. The terms & problems of the the twitter API, which have to be accepted get an application OAuth key, state applications are not permitted to store password - as validated in your e-mail.

There are no specific penalties detailed for damaging this arrangement, yet it would certainly likely get your OAuth key withdrawed which would certainly revoke every customer is OAuth token released with that said key to your application and also stop your from getting anymore.

2019-05-21 06:49:47