Today I learned that Twitter and Yahoo have pulled their support for oAuth on the news of a security flaw. [LINK] Open Auth (oAuth) is an open source authentication scheme which I’d just implemented in a new project I’m working on (http://TweetARun.com) and wouldn’t you know it it’s dead in the water.
This just highlights the dependency we as Relying Parties have on Identity Providers.
http://TweetARun.com is a nice simple little site that purposefully avoids the need to register or store passwords by implementing Federated Single Sign On with Twitter through Open Auth. That’s a lot of words but all it means is you never ever register on http://TweetARun.com. Rather you click a button on http://TweetARun.com which sends you over to Twitter. Then you simply Grant permission to http://TweetARun.com to access your profile. This action sends you back to TweetARun.com with what’s called an authorization token. http://TweetARun.com then exchanges this token for an Access Token which it can then use to update or retrieve information from your Twitter account. It’s a nice scheme.
Now you might say this just highlights the need to have two forms of authentication, one for the partner site and one for when the partner site is down. Think of it, TweetARun.com is not down right now, it’s fully functional as can be seen here (http://TweetARun.com/FrancisShanahan) so why should users be locked out? I’m on the fence about this as I really want to avoid the proliferation of information, specifically userid and password.
Let’s see how long the outage lasts and then I’ll decide.