Closed Bug 954109 Opened 11 years ago Closed 11 years ago

xAuth support for twitter

Categories

(Chat Core :: Twitter, enhancement)

x86
Other
enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: florian, Unassigned)

Details

(Whiteboard: [wanted])

*** Original post on bio 674 at 2011-02-02 11:07:00 UTC ***

Supporting xAuth would allow us to avoid the annoying browser pop-up that currently appears when first connecting a Twitter account.

Some documentation about this:
http://dev.twitter.com/pages/xauth
http://apiwiki.twitter.com/w/page/23730780/Twitter-REST-API-Method:-oauth-access_token-for-xAuth
http://weblog.bluedonkey.org/?p=959

I already have an xAuth-enabled key for Instantbird.

Difficult part: we need to find a "best effort" way to obfuscate the key inside the application. I think a binary XPCOM component returning an nsIKeyObject (http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/public/nsIKeyModule.idl#41) instance embedding the key would be good. We should also think of a way to avoid the key being in plain text inside the binary file (so that it's not readable by the |strings| Unix command). And we need to ensure the xAuth-enabled key is not in the public code repository, and never appears in the buildbot logs.
Whiteboard: [0.3-wanted]
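
A release check for the constraints listed in the comment above (key not readable by |strings|, key absent from build logs), as an added example that is not part of the original post or of Instantbird's code. The key, the mask, the sample binaries and the log line are constructed placeholders, and the XOR mask is an assumed stand-in for whatever obfuscation would have been chosen.

```python
import base64
import re

# Constructed placeholder standing in for the consumer secret; not a real key.
SECRET = b"EXAMPLE-consumer-secret-0123456789"
# Constructed mask. It ships in the same binary, so masking is best effort only.
PAD = bytes((i * 37 + 11) % 256 for i in range(len(SECRET)))

def xor_mask(data: bytes, pad: bytes) -> bytes:
    """XOR data with pad; applying it twice restores the input."""
    return bytes(d ^ p for d, p in zip(data, pad))

def printable_runs(blob: bytes, min_len: int = 4) -> list[bytes]:
    """Rough equivalent of strings(1): runs of printable ASCII bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)

def visible_to_strings(blob: bytes, secret: bytes) -> bool:
    """True if the secret shows up in what a strings-style scan would print."""
    return any(secret in run for run in printable_runs(blob))

def encodings(secret: bytes) -> dict[str, bytes]:
    """Forms in which a secret tends to end up in binaries and build logs."""
    return {
        "plain": secret,
        "hex": secret.hex().encode(),
        "base64": base64.b64encode(secret),
        # Missed by a default strings scan, but still a leak.
        "utf-16le": secret.decode("ascii").encode("utf-16-le"),
    }

def find_leaks(blob: bytes, secret: bytes) -> list[str]:
    """Names of every encoding of secret that occurs in blob."""
    found = []
    for name, needle in encodings(secret).items():
        haystack = blob.lower() if name == "hex" else blob  # hex may be upper case
        if needle in haystack:
            found.append(name)
    return found

# Constructed samples: two fake "binaries" and one fake build log line.
NAIVE_BIN = b"\x7fELF\x00\x01" + SECRET + b"\x00\x00getKey\x00"
MASKED_BIN = b"\x7fELF\x00\x01" + xor_mask(SECRET, PAD) + PAD + b"\x00getKey\x00"
BUILD_LOG = b"cc -DTWITTER_SECRET_HEX=" + SECRET.hex().upper().encode() + b" key.cpp\n"

if __name__ == "__main__":
    for label, blob in [("naive", NAIVE_BIN), ("masked", MASKED_BIN), ("log", BUILD_LOG)]:
        print(label, find_leaks(blob, SECRET), visible_to_strings(blob, SECRET))
```

The masked binary passes the scan while the build log fails it, which is why the log check has to run separately from any in-binary obfuscation.
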
*** Original post on bio 674 at 2011-02-03 21:08:58 UTC ***

Setting this to block bug 954035 (bio 598) so we don't lose it.
Blocks: 954035
*** Original post on bio 674 at 2011-05-23 16:26:32 UTC ***

It's too late to start working on this for 0.3. We still want this for a later release.
Whiteboard: [0.3-wanted] → [wanted]
*** Original post on bio 674 at 2011-05-25 21:23:00 UTC ***

Twitter released a new permission system for direct messages [1]; part of this is that you cannot authorize for DM over xAuth [2]:

>> You said you were restricting this permission to the OAuth /authorize web
>> flow only. Will /oauth/authenticate (Sign in with Twitter) support the new
>> permission? 
> 
> The R/W/DM permission can only be granted through the /oauth/authorize 
> route. Sign in with Twitter cannot be used to grant R/W/DM. 
> 
> We understand applications may use other methods of authentication 
> like Sign in with Twitter as well. For this reason, if a user has 
> authorised your application for R/W/DM and you direct them through 
> Sign in with Twitter, we will respect the existing access token 
> permission. This means you can use Sign in with Twitter after a user 
> has authorized your application for R/W/DM. 

This really leaves OAuth as the only reasonable way to connect to Twitter (and xAuth would make it very confusing as you'd have to do both xAuth and OAuth to get certain permissions, at least in my understanding). I'll suggest this bug will be RESOLVED WONTFIX then.

[1] http://blog.twitter.com/2011/05/mission-permission.html
[2] http://groups.google.com/group/twitter-development-talk/browse_thread/thread/e954fc0f8b5aa6ec/9d666b0003a56ed6
Component: General → Twitter
*** Original post on bio 674 at 2011-09-09 10:30:51 UTC ***

Yeah, sadly xAuth has lost all value now that it doesn't allow direct messages.
-> WONTFIX
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX