OAuth Will Murder Your Children – for one week only!

by @edent

Why doesn’t Twitter’s OAuth let me specify the length of time a 3rd party has access to my account? Take a look at all the crap you’ve given access to your Twitter account. Are you ever going to use that “See how many of your friends like cheese” app again? No.

Long time readers will know that I have some severe usability and security concerns with Twitter’s OAuth implementation. See also my interview in The Register.

Zach Holman has an entertaining and informative blog post about giving Twitter applications fine grained controls.

Essentially, he’s saying that you should be able to authorise an app for just posting, for example.
Here’s his graphic, which I’ve stolen:
Fine Grained Access Controls

This doesn’t go far enough.

I was taking a look at this LinkedIn application which graphs your contacts.

Take a look at their OAuth screen.

Access Duration

At the bottom is an “Access Duration” option – giving you the option to try out the app and have it automatically revoke after a specified period of time.

Now, this isn’t something you’d want to do for every app. But it gives you a way to limit the damage that a malicious app can do. Remember, just because an app isn’t malicious today doesn’t give you any guarantee about its future behaviour.

As it happens, the OAuth 2.0 specification has this to say in section 4.2.2, Access Token Response:

expires_in
OPTIONAL. The duration in seconds of the access token
lifetime. For example, the value “3600” denotes that the
access token will expire in one hour from the time the response
was generated.
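To show how a user-chosen Access Duration maps onto that expires_in field, here is an added example (not Twitter’s, LinkedIn’s or the spec’s code): a toy authorisation server issues an HMAC-signed token whose lifetime is whatever the user picked at the consent screen, capped by a server-side maximum, and a resource server refuses the token once that duration has elapsed. The token format, key and cap are assumptions for the illustration.

```python
import hmac, hashlib, json, base64, secrets, time

# Constructed example: the authorisation server lets the user pick an
# "Access Duration" at consent time and bakes it into the token as "exp";
# the resource server enforces it. Not any real provider's token format.
SERVER_KEY = secrets.token_bytes(32)   # constructed signing key (assumption)
MAX_LIFETIME = 30 * 24 * 3600          # server-side cap on what a user may choose

def issue_token(user, client_id, scope, access_duration, now=None):
    """Build an OAuth 2.0 access-token response honouring the user's chosen duration."""
    now = int(time.time()) if now is None else now
    lifetime = min(int(access_duration), MAX_LIFETIME)
    if lifetime <= 0:
        raise ValueError("access duration must be positive")
    claims = {"sub": user, "aud": client_id, "scope": scope,
              "iat": now, "exp": now + lifetime}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).rstrip(b"=")
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    # "expires_in" is the field the spec quotes above: seconds until "exp"
    return {"access_token": f"{body.decode()}.{sig}",
            "token_type": "bearer", "expires_in": lifetime}

def validate_token(token, now=None):
    """Resource-server check: genuine signature and not yet expired.
    Returns the claims, or None if the token must be rejected."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None                      # tampered or forged token
    padded = body + "=" * (-len(body) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if now >= claims["exp"]:
        return None                      # the user's chosen access duration has elapsed
    return claims
```

Because the expiry is signed into the token, the app cannot extend its own access; the user's choice at the consent screen is the upper bound until they re-authorise.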

If you run a service relying on OAuth, please consider giving users an Access Duration option.
