What is the difference among BasicAuth, OAuth and XAuth?
Recently I heard that Twitter will be shutting off basic authentication on the Twitter API and moving towards OAuth.

So I want to know: what is the difference among BasicAuth, OAuth and XAuth?

What are the advantages and disadvantages of each?

Isogloss answered 24/7, 2010 at 7:29 Comment(0)

Twitter BasicAuth required the developer of an application to store the username and password of the user, and transmit these along with each request.

OAuth is an open standard, where the user is redirected to Twitter, fills in his username/password there (or is already logged in) and then grants clearance for the application to use his account. The application never sees the username/password.

To quote the Twitter pages:

Basic Authentication is a liability. By storing logins and passwords, a developer takes on additional responsibilities for the secure storage of those credentials; the potential harm to users if login credentials are leaked or abused is very high. Because many users utilize the same password across many sites, the potential for damage does not necessarily stop with their Twitter account.

See: http://dev.twitter.com/pages/basic_to_oauth

Note: I don't know anything about xauth, so leaving that up to others to answer.

Largo answered 24/7, 2010 at 7:38 Comment(3)
So Twitter says their logins and passwords aren't stored? How does one obtain a token then? – Starks
You just hit the core of why OAuth exists. Twitter does store the login/password... and they are the only ones that need to know them. As a developer, you do not store the username/password. Instead you redirect the user to Twitter. There your user will fill in their credentials and submit them to Twitter. If the credentials are valid, he/she will be redirected back to your application bearing a token in their URL. So, only the site you're authenticating to has the credentials, and not every app that wants to authenticate against that site. – Largo
I understand. Thanks! – Starks

xAuth is a simplified version of OAuth. It removes several steps, so your app sends an OAuth-signed POST request with the username and password to Twitter's servers (using https://api.twitter.com/oauth/access_token), which directly returns a consumer token and secret for use in other requests.

You have to email the Twitter API team to enable xAuth for your app, after your app has OAuth access. See http://dev.twitter.com/pages/xauth.

Lucas answered 30/7, 2010 at 7:52 Comment(0)
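As an added illustration of the contrast Largo and Lucas describe (this is example code written for this page, not code from the original posts or from Twitter): a Basic header that decodes straight back to the user's password, versus an OAuth 1.0a HMAC-SHA1 signed xAuth request in which only a signature, never the consumer secret, is transmitted, plus the server-side check that recomputes it. The consumer key/secret, username, password, nonce and timestamp values are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote
ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"

def pct(value):
    # RFC 5849 section 3.6 encoding: everything except unreserved characters becomes %XX
    return quote(str(value), safe="-._~")

def basic_auth_header(username, password):
    # Basic auth: the user's real password rides along on every request, merely base64-encoded
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def decode_basic_header(header):
    # Whoever sees a Basic header (logs, proxies, a breached app database) gets the password back
    return base64.b64decode(header.split(" ", 1)[1]).decode()

def signature_base_string(method, url, params):
    # Encode keys and values, sort by key then value, join as k=v&k=v (RFC 5849 section 3.4.1)
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def oauth_signature(base_string, consumer_secret, token_secret=""):
    # HMAC-SHA1 keyed with "consumer_secret&token_secret" (token secret is empty before a token
    # exists, as in the xAuth access_token request); the secrets themselves never leave the app
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

def xauth_request(consumer_key, consumer_secret, username, password, nonce, timestamp):
    # Build the OAuth-signed xAuth POST; returns (Authorization header, form body)
    oauth_params = {"oauth_consumer_key": consumer_key, "oauth_nonce": nonce,
                    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(timestamp),
                    "oauth_version": "1.0"}
    # The password is sent once here (over TLS) and exchanged for a token; the signature
    # also covers the body, so none of these fields can be altered in transit
    body = {"x_auth_mode": "client_auth", "x_auth_username": username, "x_auth_password": password}
    base = signature_base_string("POST", ACCESS_TOKEN_URL, {**oauth_params, **body})
    oauth_params["oauth_signature"] = oauth_signature(base, consumer_secret)
    header = "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(oauth_params.items()))
    return header, body

def verify_xauth_request(header, body, consumer_secret):
    # Server side: rebuild the base string from what was received and compare signatures
    received = dict(p.split("=", 1) for p in header[len("OAuth "):].split(", "))
    received = {k: unquote(v.strip('"')) for k, v in received.items()}
    claimed = received.pop("oauth_signature")
    base = signature_base_string("POST", ACCESS_TOKEN_URL, {**received, **body})
    return hmac.compare_digest(claimed, oauth_signature(base, consumer_secret))
```

After the token exchange the app keeps only the returned token and secret for signing later requests, which is the point of the xAuth flow over storing the password.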