OAuth Will Murder Your Children - for one week only!
Why doesn't Twitter's OAuth let me specify the length of time a 3rd party has access to my account? Take a look at all the crap you've given access to your Twitter account. Are you ever going to use that "See how many of your friends like cheese" app again? No.
Long time readers will know that I have some severe usability and security concerns with Twitter's OAuth implementation. See also my interview in The Register.
Zach Holman has an entertaining and informative blog post about giving Twitter applications fine grained controls.
Essentially, he's saying that you should be able to authorise an app for just posting, for example. Here's his graphic which I've stolen.
This doesn't go far enough.
I was taking a look at this LinkedIn application which graphs your contacts.
Take a look at their OAuth screen.
At the bottom is an "Access Duration" option - giving you the option to try out the app and have its access automatically revoked after a specified period of time.
Now, this isn't something you'd want to do for every app. But it gives you a method to limit the damage that a malicious app can do. Remember, an app that isn't malicious today gives you no guarantee about its future behaviour, and a token with no expiry keeps working for whoever ends up holding it.
As it happens, the OAuth 2.0 specification has this to say in section 4.2.2, Access Token Response:
expires_in OPTIONAL. The duration in seconds of the access token lifetime. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated.
If you run a service relying on OAuth, please consider giving users an Access Duration option.
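Here is one way a service could wire that option up, as an added example that is not code from the original post, nor from Twitter, LinkedIn or the graphing app mentioned above. It assumes a consent screen offering a fixed menu of durations (the names "1h", "1w" and "forever" and the ten-minute access-token lifetime are my choices), an in-memory token store, and an injectable clock so the expiry behaviour can be exercised without waiting. Access tokens stay short-lived and carry the spec's expires_in field; the user-chosen duration is enforced on the grant behind the refresh token, so once it elapses the app can no longer get a new access token and is, in effect, revoked automatically.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Hypothetical choices shown on the consent screen, in seconds.
# None means the grant never expires on its own (today's usual default).
ACCESS_DURATION_OPTIONS = {
    "1h": 3600,
    "1w": 7 * 24 * 3600,
    "forever": None,
}

# Access tokens are always short-lived; the user's choice limits the grant.
ACCESS_TOKEN_LIFETIME = 600


@dataclass
class Grant:
    user: str
    client_id: str
    scope: str
    grant_expires_at: Optional[float]  # user-chosen access duration, absolute time
    revoked: bool = False


class FakeClock:
    """Constructed clock so the example runs deterministically offline."""

    def __init__(self, t: float = 0.0) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t


class AuthorizationServer:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self._grants: Dict[str, Grant] = {}                   # refresh_token -> Grant
        self._access: Dict[str, Tuple[str, float]] = {}       # access_token -> (refresh_token, expires_at)

    def authorize(self, user: str, client_id: str, scope: str, access_duration: str) -> dict:
        """Called when the user approves the consent screen and picks a duration."""
        if access_duration not in ACCESS_DURATION_OPTIONS:
            raise ValueError("unknown access duration")
        lifetime = ACCESS_DURATION_OPTIONS[access_duration]
        grant_expires_at = None if lifetime is None else self.now() + lifetime
        refresh_token = secrets.token_urlsafe(32)
        self._grants[refresh_token] = Grant(user, client_id, scope, grant_expires_at)
        return self._token_response(refresh_token)

    def refresh(self, refresh_token: str) -> dict:
        """Refresh-token grant: fails permanently once the chosen duration has passed."""
        grant = self._grants.get(refresh_token)
        if grant is None or grant.revoked:
            return {"error": "invalid_grant"}
        if grant.grant_expires_at is not None and self.now() >= grant.grant_expires_at:
            grant.revoked = True  # automatic revocation, no user action needed
            return {"error": "invalid_grant"}
        return self._token_response(refresh_token)

    def revoke(self, refresh_token: str) -> None:
        """Manual revocation from the user's "connected apps" page."""
        grant = self._grants.get(refresh_token)
        if grant is not None:
            grant.revoked = True

    def introspect(self, access_token: str) -> bool:
        """Resource-server check: is this access token still usable right now?"""
        entry = self._access.get(access_token)
        if entry is None:
            return False
        refresh_token, expires_at = entry
        grant = self._grants[refresh_token]
        if grant.revoked or self.now() >= expires_at:
            return False
        return grant.grant_expires_at is None or self.now() < grant.grant_expires_at

    def _token_response(self, refresh_token: str) -> dict:
        grant = self._grants[refresh_token]
        expires_in = ACCESS_TOKEN_LIFETIME
        if grant.grant_expires_at is not None:
            # Never hand out an access token that outlives the user's chosen duration.
            expires_in = min(expires_in, int(grant.grant_expires_at - self.now()))
        access_token = secrets.token_urlsafe(32)
        self._access[access_token] = (refresh_token, self.now() + expires_in)
        return {
            "access_token": access_token,
            "token_type": "bearer",
            "expires_in": expires_in,
            "refresh_token": refresh_token,
            "scope": grant.scope,
        }


if __name__ == "__main__":
    clock = FakeClock(1_000_000.0)
    srv = AuthorizationServer(now=clock)
    first = srv.authorize("alice", "cheese-app", "read", "1w")
    clock.t += 8 * 24 * 3600  # more than a week later
    print(srv.refresh(first["refresh_token"]))  # {'error': 'invalid_grant'}
```

The access token's expires_in is clamped so it can never outlive the grant, which matters at the tail end of the chosen window; the refresh endpoint is where the user's choice actually bites, which is the same split Twitter or anyone else could adopt without changing what third-party apps see on the wire.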
Alex said on twitter.com:
One of the things I like about our OAuth at Cambridge is that you have 2-3 options of time limit. It’s a nice touch.
Steven Pears said on twitter.com:
Yes to variable expiry, but on refresh tokens not access tokens. Access tokens should always be short lived to the point you don't care.
But stick it on the refresh token (or make it standard to allow no refresh at all, so it expires after that first hour) - that'd be cool!