Why doesn’t Twitter’s OAuth let me specify the length of time a 3rd party has access to my account?

Take a look at all the crap you’ve given access to your Twitter account. Are you ever going to use that “See how many of your friends like cheese” app again? No.
Long-time readers will know that I have some severe usability and security concerns with Twitter’s OAuth implementation. See also my interview in The Register.
Manually revoking that access afterwards doesn’t go far enough.
I was taking a look at this LinkedIn application which graphs your contacts.
Take a look at their OAuth screen.
At the bottom is an “Access Duration” option, which lets you try out the app and have its access automatically revoked after a period you choose.
Now, this isn’t something you’d want to do for every app. But it gives you a way to limit the damage a malicious app can do. Remember, just because an app isn’t malicious today gives you no guarantee about how it will behave in future, or who will own it.
As it happens, the OAuth 2.0 specification has this to say about the expires_in parameter in section 4.2.2, Access Token Response:
“OPTIONAL. The duration in seconds of the access token lifetime. For example, the value “3600” denotes that the access token will expire in one hour from the time the response”
Note that this is the lifetime of a single access token, not of the user’s consent. A client holding a refresh token can keep asking for fresh access tokens, so an Access Duration option has to bound the grant itself: once the chosen period has passed, the server must refuse to refresh and must treat any outstanding token as dead.
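To make that concrete, here is an added example of a minimal OAuth 2.0 token issuer that honours a user-chosen Access Duration. It is illustrative code written for this post, not the code behind LinkedIn’s consent screen, Twitter’s API or any real library; the duration labels, the AuthServer class and its method names are all hypothetical. The point it demonstrates is that expires_in alone is not enough: the consent itself carries an expiry, every access token’s expires_in is capped to the time remaining on that consent, and refresh requests are refused once it has lapsed, so the revocation really is automatic.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Choices a consent screen might offer (hypothetical labels), in seconds.
# None means the grant never lapses on its own, which is the usual default today.
ACCESS_DURATIONS: Dict[str, Optional[int]] = {
    "1 hour": 3600,
    "1 day": 86400,
    "1 week": 7 * 86400,
    "forever": None,
}

# Normal lifetime of one access token, reported to the client as expires_in.
ACCESS_TOKEN_TTL = 3600


@dataclass
class Grant:
    """One user's consent to one client, with the user-chosen end time."""
    user: str
    client_id: str
    scope: str
    expires_at: Optional[float]  # absolute time the consent lapses; None = never
    revoked: bool = False


@dataclass
class AuthServer:
    # refresh_token -> Grant it belongs to
    grants: Dict[str, Grant] = field(default_factory=dict)
    # access_token -> (refresh_token of the owning grant, absolute expiry)
    access_tokens: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def authorize(self, user, client_id, scope, duration_label, now=None):
        """User approves the consent screen; returns the token response dict."""
        now = time.time() if now is None else now
        limit = ACCESS_DURATIONS[duration_label]
        grant = Grant(user, client_id, scope, None if limit is None else now + limit)
        refresh_token = secrets.token_urlsafe(32)
        self.grants[refresh_token] = grant
        return self._issue(refresh_token, grant, now)

    def _issue(self, refresh_token, grant, now):
        # An access token never outlives the consent: cap expires_in at what is left.
        ttl = ACCESS_TOKEN_TTL
        if grant.expires_at is not None:
            ttl = min(ttl, int(grant.expires_at - now))
        if ttl <= 0:
            return None
        access_token = secrets.token_urlsafe(32)
        self.access_tokens[access_token] = (refresh_token, now + ttl)
        return {
            "access_token": access_token,
            "token_type": "Bearer",
            "expires_in": ttl,
            "refresh_token": refresh_token,
            "scope": grant.scope,
        }

    def refresh(self, refresh_token, now=None):
        """Client asks for a new access token; None once the chosen duration is up."""
        now = time.time() if now is None else now
        grant = self.grants.get(refresh_token)
        if grant is None or grant.revoked:
            return None
        if grant.expires_at is not None and now >= grant.expires_at:
            grant.revoked = True  # automatic revocation, no user action needed
            return None
        return self._issue(refresh_token, grant, now)

    def validate(self, access_token, now=None):
        """Resource-server check; returns the Grant, or None if the token is dead."""
        now = time.time() if now is None else now
        entry = self.access_tokens.get(access_token)
        if entry is None:
            return None
        refresh_token, expiry = entry
        grant = self.grants[refresh_token]
        if now >= expiry or grant.revoked:
            return None
        if grant.expires_at is not None and now >= grant.expires_at:
            return None
        return grant

    def revoke(self, refresh_token):
        """Manual revocation from the user's settings page."""
        grant = self.grants.get(refresh_token)
        if grant is not None:
            grant.revoked = True
```

With a "1 day" grant the first response still says expires_in 3600, but a refresh ten minutes before the day is up gets a token with expires_in 600, and a refresh after the day is up gets nothing. Checking the grant’s expiry in validate as well as at issue time means a token minted just before the deadline cannot be used past it either.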
If you run a service that relies on OAuth, please consider giving your users an Access Duration option.