Friday, April 29, 2011

Scoping scope

ReadWriteWeb describes Twitter's new consent UI by which an application asks of a user access to their Twitter account.

Aside: RWW describes this page as the 'OAuth screen', makes just as much sense to call it the 'HTTP screen'. OAuth is the plumbing for this screen, not the (visible) shower curtain.






 RWW points out that the list of allowed actions isn't quite as complete as indicated. Notably omitted from the list is 'Read that DM where you made fun of your boss's new haircut'.

The UI might make a user believe that this list of permissions is unique to Favstar.FM. But that's not the case - these are generic permissions, afforded to all (registered) applications. The only differentiation in permissions that Twitter supports is between 'read' & 'read and write', this selected by the application developer at registration time



Twitter's model ignores a key advantage of the OAuth model (one not supported by the password anti-pattern), namely allowing a user to give differentiated permissions to different applications.

Separately:
  • Red & green text? Really?
  • Does the stuttering repetition of 'Favstar.FM' imply a glitch in the code? or an overzealous registration page?
  • The list of things the app will not be able to perform seems incomplete. I suggest the following additions at minimum

No comments: