One of the big announcements at yesterday's WWDC conference was the integration of Twitter into iOS 5 (those screenshots are nice!). Twitter fanatics are going gaga about this, talking about how this is a game-changer and even conjecturing on what the apparent Facebook snub means. However, what I want to know is this: what does it mean for how OAuth is used to integrate with Twitter?
First things first, it isn’t even clear if the integration between iOS and Twitter is based on OAuth or Twitter’s own xAuth. One would hope the former given Twitter’s stated direction. Ping Identity’s resident OAuth wizard Paul Madsen tried to imagine what the OAuth based integration would look like. Looking at it made me wonder if we’re seeing a radical change in how OAuth could be used on devices.
The problem is this: Apple is (justifiably) proud of the attention they pay to the usability of their products. And the OAuth flow would seem to be a problem here. In the simplest form, authorizing all the apps in iOS (camera, contacts, safari, etc) to have Twitter access would repeatedly send the user through the OAuth flow, a user experience I doubt Apple would agree to. So the question is whether a single request token asked for by iOS could be shared amongst all the apps on iOS. If yes, then how can the user manage permissions regarding what these apps can do individually? And how would they revoke a specific app? This model would make it highly unlikely that the integration would extend to 3rd party apps installed from the app store (because of that lack of separation).
Another possibility is that iOS will include some APIs that proxy the Twitter integration. So all communication to Twitter would simply originate from iOS, not from the apps directly. This would eliminate the need for multiple OAuth flows, but the same challenges around permissioning and revocation would remain. On Twitter, the user would just see one app authorized for access – iOS/iPhone/iPad. One way I can see Apple mitigating this while also opening this feature up to 3rd party apps is by adding their own app-specific permission layer in the iOS settings, which would be a practical way to manage this, and would open up a whole slew of questions around OAuth and OAuth proxies on devices.
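To make the proxy-plus-local-permission-layer idea concrete, here is a toy model I have added to this post; it is not Apple's code, not Twitter's API, and every class, app identifier and token value in it is a constructed, hypothetical stand-in. The OS component holds the single access token and never hands it to apps; each app gets a local grant from the "settings" table; the proxy checks that grant before calling upstream and logs the decision; revoking one app is purely local, while revoking the one token at Twitter cuts off every app at once, which is exactly the single-point-of-authorization trade-off discussed above.

```python
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when an app calls the proxy without a matching local grant,
    or when the upstream (constructed) Twitter rejects the OS token."""


@dataclass
class FakeTwitter:
    """Constructed stand-in for Twitter's OAuth-protected API.

    It only knows about one OAuth client (the OS itself), which is the
    point made in the post: the user sees a single authorized app upstream.
    """
    valid_tokens: set
    calls: list = field(default_factory=list)

    def post_status(self, token, text):
        if token not in self.valid_tokens:
            raise PermissionDenied("upstream: invalid or revoked access token")
        self.calls.append(("status", text))
        return {"ok": True, "text": text}

    def home_timeline(self, token):
        if token not in self.valid_tokens:
            raise PermissionDenied("upstream: invalid or revoked access token")
        self.calls.append(("timeline", None))
        return ["constructed tweet 1", "constructed tweet 2"]


class OSTwitterProxy:
    """Hypothetical OS-level proxy: holds the one access token and
    enforces a local, per-app permission table in front of it."""

    PERMISSIONS = {"post", "read"}   # hypothetical local permission names

    def __init__(self, twitter, access_token):
        self._twitter = twitter
        self._token = access_token      # never handed to apps
        self._grants = {}               # app_id -> set of local permissions
        self.audit = []                 # (app_id, permission, allowed)

    def grant(self, app_id, *perms):
        unknown = set(perms) - self.PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permission(s): {sorted(unknown)}")
        self._grants[app_id] = set(perms)

    def revoke(self, app_id):
        """Per-app revocation is purely local; the upstream token is untouched."""
        self._grants.pop(app_id, None)

    def grants(self):
        return {app: sorted(p) for app, p in self._grants.items()}

    def _check(self, app_id, perm):
        allowed = perm in self._grants.get(app_id, set())
        self.audit.append((app_id, perm, allowed))
        if not allowed:
            raise PermissionDenied(f"{app_id} lacks local permission '{perm}'")

    def post(self, app_id, text):
        self._check(app_id, "post")
        return self._twitter.post_status(self._token, text)

    def read_timeline(self, app_id):
        self._check(app_id, "read")
        return self._twitter.home_timeline(self._token)


def demo():
    """Walk through grant, per-app denial, local revocation and upstream revocation."""
    twitter = FakeTwitter(valid_tokens={"os-token-constructed"})
    proxy = OSTwitterProxy(twitter, "os-token-constructed")
    proxy.grant("com.example.camera", "post")          # hypothetical app ids
    proxy.grant("com.example.reader", "read")

    results = {}
    results["camera_post"] = proxy.post("com.example.camera", "photo!")["ok"]
    try:                                                # camera was never granted "read"
        proxy.read_timeline("com.example.camera")
        results["camera_read"] = True
    except PermissionDenied:
        results["camera_read"] = False
    proxy.revoke("com.example.camera")                  # local, per-app revocation
    try:
        proxy.post("com.example.camera", "again")
        results["camera_post_after_revoke"] = True
    except PermissionDenied:
        results["camera_post_after_revoke"] = False
    results["reader_still_reads"] = len(proxy.read_timeline("com.example.reader"))
    twitter.valid_tokens.clear()                        # user revokes "iOS" at Twitter
    try:                                                # every app loses access at once
        proxy.read_timeline("com.example.reader")
        results["after_upstream_revoke"] = True
    except PermissionDenied:
        results["after_upstream_revoke"] = False
    results["upstream_calls"] = len(twitter.calls)      # all from the one OS token
    results["denied_in_audit"] = sum(1 for _, _, ok in proxy.audit if not ok)
    return results


if __name__ == "__main__":
    print(demo())
```

The audit list is the part a defender would actually want: because every app's call funnels through one place, the OS can record which app asked for what and whether it was allowed, something Twitter itself cannot see once all traffic arrives under a single client.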
Of course, all of this is moot if the integration requires me to go into iOS settings and enter my Twitter username and password…