Quick Thoughts on the Twitter-iOS Integration
One of the big announcements at yesterday's WWDC conference was the integration of Twitter into iOS 5 (those screenshots are nice!). Twitter fanatics are going gaga about this, talking about how this is a game-changer and even conjecturing on what the apparent Facebook snub means. However, what I want to know is – what does this mean for how OAuth is used to integrate with Twitter?
First things first, it isn’t even clear if the integration between iOS and Twitter is based on OAuth or Twitter’s own xAuth. One would hope the former given Twitter’s stated direction. Ping Identity’s resident OAuth wizard Paul Madsen tried to imagine what the OAuth-based integration would look like. Looking at it made me wonder if we’re seeing a radical change in how OAuth could be used on devices.
The problem is this: Apple is (justifiably) proud of the attention they pay to the usability of their products. And the OAuth flow would seem to be a problem here. In the simplest form, authorizing all the apps in iOS (Camera, Contacts, Safari, etc.) to have Twitter access would repeatedly send the user through the OAuth flow, a user experience I doubt Apple would agree to. So the question is whether a single request token asked for by iOS could be shared amongst all the apps on iOS. If yes, then how can the user manage permissions regarding what these apps can do individually? And how would they revoke a specific app? This model would make it highly unlikely that the integration would extend to 3rd party apps installed from the App Store (because of that lack of separation).
Another possibility is that iOS will include some APIs that proxy the Twitter integration. So all communication to Twitter would simply originate from iOS, not from the apps directly. This would eliminate the need for multiple OAuth flows, but the same challenges around permissioning and revocation would remain. On Twitter, the user would just see one app authorized for access – iOS/iPhone/iPad. One way I can see Apple mitigating this while also opening this feature up to 3rd party apps is by adding their own app-specific permission layer in the iOS settings. That would be a practical way to manage this, and it would open up a whole slew of questions around OAuth and OAuth proxies on devices.
Of course, all of this is moot if the integration requires me to go into iOS settings and enter my Twitter username and password…
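The proxy model with an app-specific permission layer, sketched as an added example (not Apple's or Twitter's code, and not from the original post). The class, app names, actions and token value are all hypothetical; the point is that local revocation works per app while the service only ever sees one client.

```python
# Added illustration: an OS-level broker that holds one service credential
# and enforces its own per-app permissions. All names are hypothetical.
from dataclasses import dataclass, field


class Denied(Exception):
    """Raised when the local permission layer refuses a request."""


@dataclass
class TwitterBroker:
    os_token: str  # the single token issued to the OS (constructed value)
    grants: dict = field(default_factory=dict)           # app id -> allowed actions
    seen_by_service: list = field(default_factory=list)  # what the service observes

    def grant(self, app_id, *actions):
        self.grants.setdefault(app_id, set()).update(actions)

    def revoke(self, app_id):
        # Local revocation only: the OS token itself stays valid.
        self.grants.pop(app_id, None)

    def request(self, app_id, action, payload=None):
        if action not in self.grants.get(app_id, set()):
            raise Denied(f"{app_id} may not {action}")
        # The app never receives os_token; the broker calls on its behalf,
        # so the service can attribute the call only to the OS-level client.
        self.seen_by_service.append(("iOS", action))
        return {"client": "iOS", "action": action, "payload": payload}


def demo():
    broker = TwitterBroker(os_token="constructed-token")
    broker.grant("camera", "post_photo")
    broker.grant("contacts", "read_following")
    broker.request("camera", "post_photo", b"jpeg-bytes")
    broker.revoke("camera")
    try:
        broker.request("camera", "post_photo", b"jpeg-bytes")
        camera_blocked = False
    except Denied:
        camera_blocked = True
    # Revoking one app leaves the others working.
    broker.request("contacts", "read_following")
    return camera_blocked, broker.seen_by_service


if __name__ == "__main__":
    print(demo())
```

Note what the service-side view contains: no per-app identity at all, so per-app audit and revocation exist only in the broker, and revoking on the service side cuts off every app at once.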
I agree Twitter integration in iOS will be nice, but I am not sure why all this hype for a feature already available in Android devices for ages. Android has a much more open integration framework between applications, which could also help us understand possibly how Apple will do it for its iOS integration too.
So in Android, sharing a picture from Gallery in Twitter just fires up the Twitter app and creates a post with the image. And you have options to share the image with DropBox, Facebook, SpringPad or whatever application you installed supports sharing pictures. No need to mess with authentication frameworks, just design a nice OS level API to pass information between applications and let your client application take care of authentication. The same principle applies when sharing a URL from your browser, your location from maps etc.
The beauty of this implementation is that your share options when sharing e.g. URLs are the same no matter if you use the stock Android browser or Opera Mobile or whatever.