Twitter has announced that it is to shut off all basic access authentication on its API.
The Twitter API team confirmed that by the shut-off date, all applications need to switch to using the OAuth open protocol. The process began on 17th August, when basic authentication rate limits were decreased by 15 requests per hour on each weekday, and over the course of the next week basic authentication will be shut off temporarily for ten minutes.
On 31st August at 8am PDT, all basic authentication requests will be served with an HTTP 401 error code.
Twitter said that the switch to OAuth will be a good thing for the application developer. It said: “You don't have to worry about exposing the credentials for your users whether through a bug or other means (especially considering that a lot of people use the same password for multiple services); don't have to worry about the user changing their password — a user can change his or her password and the OAuth ‘connection’ to your app will still work.
“You don't have to worry about other applications masquerading as your application - only you can set the byline with your application name; you will eventually have access to more APIs from Twitter that will only be available to ‘trusted’ OAuth-enabled applications; and it gives the Twitter API team more visibility into the network — you help us plan for capacity, and you help us squash spam and you help us identify bugs.”
Chris Wysopal, CTO of Veracode, welcomed this change. He said: “Basic authentication requires client apps to store user names and passwords and vulnerabilities can leak these. All apps should be moving to something like OAuth.”
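The difference described above can be seen in the request headers themselves. The following is an added example, not code from Twitter or from the article: it assumes the OAuth 1.0 HMAC-SHA1 signature method (RFC 5849), and the keys, secrets, user name, password and URL are constructed sample values.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def basic_header(user, password):
    """HTTP Basic: the password itself travels in, and is stored for, every request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def recover_password(header):
    """What a leaked log line or crash dump gives away: Base64 is encoding, not encryption."""
    return base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)[1]

def pct(value):
    """Percent-encode as RFC 5849 section 3.6 requires (only unreserved characters stay)."""
    return quote(str(value), safe="-._~")

def oauth_header(method, url, params, consumer, token, nonce, timestamp):
    """OAuth 1.0 HMAC-SHA1: the secrets key the signature and are never transmitted.
    Assumes url is already normalized (lowercase host, no query string)."""
    (consumer_key, consumer_secret), (token_key, token_secret) = consumer, token
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": token_key,
        "oauth_version": "1.0",
    }
    # Signature base string: METHOD & encoded URL & encoded, sorted parameter list.
    pairs = sorted((pct(k), pct(v)) for k, v in {**params, **oauth}.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_string = "&".join([method.upper(), pct(url), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    oauth["oauth_signature"] = base64.b64encode(digest).decode()
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(oauth.items()))

# Constructed sample values: not real credentials and not a real endpoint.
CONSUMER = ("app-key", "app-secret")
TOKEN = ("user-token", "tok-secret-xyz")
URL = "https://api.example.test/statuses/update.json"

if __name__ == "__main__":
    basic = basic_header("alice", "hunter2")
    print(basic, "->", recover_password(basic))
    print(oauth_header("POST", URL, {"status": "hello world"},
                       CONSUMER, TOKEN, "n0nce", 1283266800))
```

A leaked Basic header yields the user's reusable password, while a leaked OAuth header yields a signature bound to one request, and the token behind it can be revoked without the user changing their password.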