
I see many people using XAuth in their app to authenticate Twitter users, and I'm wondering what some of the situations are in which I would want to use XAuth in my own apps.

Thanks so much for your wisdom!

BeachRunnerJoe

2 Answers


With xAuth you don't have to jump through the hoops of OAuth.

The typical OAuth workflow goes like this:

  • If you have a web app and the user wants to sign in to your app with their Twitter credentials, they are redirected to twitter.com and must allow your application to access their account. They're then redirected back to your app.
  • If you have a desktop or mobile app, a browser will be opened where the user can grant your application access to their account. In exchange for the authorization, the user will be given a PIN code that they will input back in your app.

Both of the above workflows produce a key/secret pair that you can use to authenticate the user with Twitter in the future. This way you do not need to know the user's actual login credentials.

xAuth is the way to log in that most of us think of when we sign in somewhere. You take the user's login and password and send them off to Twitter, getting an access token back. Now you have to store and protect (or throw away) the user's login credentials. For this reason, Twitter requires app developers to email them for permission to use xAuth.

In my experience, most web apps stick with OAuth, since it's fairly non-intrusive when the user's already in a web browser anyway. Desktop and mobile apps tend to use xAuth, since it provides a more conventional and convenient sign-in experience.

Adam Lear
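The two flows this answer contrasts, and the point in the next answer about stolen credentials, are easy to see side by side in code. The following is an added example, not code from the original post and not Twitter's real API: a toy provider class (`ToyProvider`) plays the twitter.com side, `oauth_sign_in` and `xauth_sign_in` play the app side, and the attribute `password_seen_by` records which parties ever handled the password. The sample user `alice`/`hunter2`, the app id `app1` and the scopes are constructed for the demo.

```python
"""Toy model of three-legged OAuth versus xAuth. Everything here is
constructed for illustration; it is not Twitter's API."""
import secrets
from dataclasses import dataclass


@dataclass
class AccessToken:
    key: str
    secret: str
    user: str
    scopes: frozenset
    revoked: bool = False


class ToyProvider:
    """Stand-in for the identity provider (the 'twitter.com' side)."""

    def __init__(self, users, app_scopes):
        self._users = users            # username -> password (constructed sample data)
        self._app_scopes = app_scopes  # app_id -> scopes the app was registered with
        self._pending = {}             # request token -> {app, user, verifier}
        self._issued = {}              # access token key -> AccessToken
        self.password_seen_by = set()  # which parties handled a password

    def _check_password(self, username, password):
        if self._users.get(username) != password:
            raise PermissionError("bad credentials")

    # ---- three-legged OAuth ----
    def request_token(self, app_id):
        """Step 1: the app obtains a temporary request token."""
        rt = secrets.token_hex(8)
        self._pending[rt] = {"app": app_id, "user": None, "verifier": None}
        return rt

    def authorize(self, request_token, username, password):
        """Step 2: the user logs in at the provider (redirect or opened
        browser) and approves the app; the provider hands back the PIN."""
        self._check_password(username, password)
        self.password_seen_by.add("provider")
        pending = self._pending[request_token]
        pending["user"] = username
        pending["verifier"] = f"{secrets.randbelow(10**7):07d}"
        return pending["verifier"]

    def exchange(self, request_token, verifier):
        """Step 3: the app trades request token + PIN for an access token."""
        pending = self._pending.pop(request_token, None)  # single use
        if pending is None or pending["user"] is None or pending["verifier"] != verifier:
            raise PermissionError("request token not authorized")
        return self._mint(pending["app"], pending["user"])

    # ---- xAuth: one call, the app submits the password itself ----
    def xauth_access_token(self, app_id, username, password):
        self._check_password(username, password)
        self.password_seen_by.update({"provider", "app"})
        return self._mint(app_id, username)

    def _mint(self, app_id, username):
        tok = AccessToken(secrets.token_hex(8), secrets.token_hex(16),
                          username, frozenset(self._app_scopes[app_id]))
        self._issued[tok.key] = tok
        return tok

    # ---- using and revoking tokens ----
    def call_api(self, token, needed_scope):
        live = self._issued.get(token.key)
        if live is None or live.revoked or live.secret != token.secret:
            raise PermissionError("token invalid or revoked")
        if needed_scope not in live.scopes:
            raise PermissionError(f"token lacks scope {needed_scope!r}")
        return f"{needed_scope} ok for {live.user}"

    def revoke(self, token_key):
        """The user invalidates one app's token; the password is unchanged."""
        self._issued[token_key].revoked = True


def oauth_sign_in(provider, app_id, user_logs_in):
    """App side of OAuth. `user_logs_in` stands in for the browser step and
    is the only party that ever touches the password."""
    rt = provider.request_token(app_id)
    pin = user_logs_in(rt)  # the user comes back to the app with the PIN
    return provider.exchange(rt, pin)


def xauth_sign_in(provider, app_id, username, password):
    """App side of xAuth: the app has the password in hand."""
    return provider.xauth_access_token(app_id, username, password)


if __name__ == "__main__":
    p = ToyProvider({"alice": "hunter2"}, {"app1": {"read", "tweet"}})
    tok = oauth_sign_in(p, "app1", lambda rt: p.authorize(rt, "alice", "hunter2"))
    print("OAuth: password seen by", p.password_seen_by, "->", p.call_api(tok, "read"))
    tok2 = xauth_sign_in(p, "app1", "alice", "hunter2")
    print("xAuth: password seen by", p.password_seen_by, "->", p.call_api(tok2, "tweet"))
```

Running it shows the difference the answer describes: after the OAuth flow only the provider has seen the password, while after xAuth the app has too. In both cases what the app stores is a key/secret pair that works only for that app's registered scopes and that the user can revoke on its own, which is the damage-limiting property the second answer refers to.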

XAuth makes things simple for approved apps. Mostly it just builds on top of OAuth, which has the following advantages:

  1. Twitter strongly encourages it.
  2. Security. You don't need to encrypt the user's username/password locally and deal with any issues if someone else figures out how to break your encryption and steal it. If the auth credentials are stolen much less damage can be done -- they won't work on any other site (people often use the same password everywhere), your app has limited permissions to their Twitter account and can't completely destroy everything, etc.
  3. Users' peace of mind (because of (2)). The security-conscious may not even use your app otherwise.

Matthew Read
  • Twitter encourages OAuth, not xAuth. They give the option of xAuth, but you have to make your case to them to be allowed to use it. Your point #2 seems to apply to OAuth more than xAuth. – Adam Lear Jan 23 '11 at 00:46
  • I should clarify that by OAuth I mean "plain not-xAuth OAuth". – Adam Lear Jan 23 '11 at 03:15