OAuth Will Murder Your Children - for one week only!


Why doesn't Twitter's OAuth let me specify the length of time a third party has access to my account? Take a look at all the crap you've given access to your Twitter account. Are you ever going to use that "See how many of your friends like cheese" app again? No.

Long time readers will know that I have some severe usability and security concerns with Twitter's OAuth implementation. See also my interview in The Register.

Zach Holman has an entertaining and informative blog post about giving Twitter applications fine grained controls.

Essentially, he's saying that you should be able to authorise an app for just posting, for example.
Here's his graphic which I've stolen.
[Image: Fine Grained Access Controls]

This doesn't go far enough.

I was taking a look at this LinkedIn application which graphs your contacts.

Take a look at their OAuth screen.

[Image: Access Duration]

At the bottom is an "Access Duration" option - giving you the option to try out the app and have it automatically revoke after a specified period of time.

Now, this isn't something you'd want to do for every app. But it gives you a way to limit the damage that a malicious app can do. Remember, just because an app isn't malicious today doesn't give you any guarantee about its future behaviour.

As it happens, the OAuth 2.0 Specification has this to say in section 4.2.2, Access Token Response:

expires_in
OPTIONAL. The duration in seconds of the access token
lifetime. For example, the value "3600" denotes that the
access token will expire in one hour from the time the response
was generated.

If you run a service relying on OAuth, please consider giving users an Access Duration option.


2 thoughts on “OAuth Will Murder Your Children - for one week only!”

  1. One of the things I like about our OAuth at Cambridge is that you have 2-3 options of time limit. It’s a nice touch.


  2. Yes to variable expiry, but on refresh tokens not access tokens. Access tokens should always be short lived to the point you don't care.

    But stick it on the refresh token (or make it standard to allow no refresh at all, so it expires after that first hour) - that'd be cool!
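The Access Duration option the post asks for, combined with the short-lived access token and bounded refresh token that the comment above argues for, as an added example that is not code from the post, LinkedIn or Twitter. The duration menu, the class names and the one-hour access token lifetime (borrowed from the spec's own example) are assumptions.

```python
import secrets
import time

ACCESS_TOKEN_TTL = 3600  # access tokens stay short-lived whatever duration the user picks
# Constructed "Access Duration" menu, in seconds; None means the grant lasts until revoked.
ACCESS_DURATIONS = {"1 hour": 3600, "1 day": 86400, "1 week": 604800, "until revoked": None}

class Grant:
    def __init__(self, user, client_id, expires_at):
        self.user, self.client_id, self.expires_at = user, client_id, expires_at
        self.refresh_token = secrets.token_urlsafe(32)

class AuthorizationServer:
    def __init__(self, now=time.time):
        self.now = now             # injectable clock so expiry can be tested
        self.grants = {}           # refresh_token -> Grant
        self.access_tokens = {}    # access_token -> (Grant, expires_at)

    def authorize(self, user, client_id, duration):
        ttl = ACCESS_DURATIONS[duration]   # the choice made on the consent screen
        grant = Grant(user, client_id, None if ttl is None else self.now() + ttl)
        self.grants[grant.refresh_token] = grant
        return self._token_response(grant)

    def _token_response(self, grant):
        ttl = ACCESS_TOKEN_TTL
        if grant.expires_at is not None:   # never outlive the user's chosen duration
            ttl = min(ttl, int(grant.expires_at - self.now()))
        token = secrets.token_urlsafe(32)
        self.access_tokens[token] = (grant, self.now() + ttl)
        response = {"access_token": token, "token_type": "bearer", "expires_in": ttl}
        # A grant no longer than one access token gets no refresh token at all.
        if grant.expires_at is None or grant.expires_at - self.now() > ACCESS_TOKEN_TTL:
            response["refresh_token"] = grant.refresh_token
        return response

    def refresh(self, refresh_token):
        grant = self.grants.get(refresh_token)
        if grant is None:
            return {"error": "invalid_grant"}
        if grant.expires_at is not None and self.now() >= grant.expires_at:
            return {"error": "invalid_grant"}   # chosen duration elapsed: the app is cut off
        return self._token_response(grant)

    def validate(self, access_token):
        entry = self.access_tokens.get(access_token)
        if entry is None or self.now() >= entry[1]:
            return None
        return entry[0].user
```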

