Tag Archives: oauth

Twitter app chance

Five years ago today, I joined Twitter as its 897th user, though for some reason “my first tweet”:http://twitter.com/manton/statuses/1457463 wasn’t until a few months later. So much has changed in the meantime — the API always in flux, the transition from primarily SMS, to web, to apps — but in many ways the core of the service remains intact and stronger than ever. Short messages, distributed efficiently to friends.

I talked about some of the good and bad of being a Twitter developer “on the ATX Web Show last week”:http://atxwebshow.com/2011/07/05/episode-34-tweet-library-with-manton/. There has been a string of changes that cause developers to scramble: turning off basic auth, discouraging mainstream clients, disabling DMs for xAuth. With each step, Twitter loses a little goodwill, and that’s demonstrated in the tweets I “collected over the xAuth change”:http://tweetlibrary.com/manton/xauthtooauth.

Even as Twitter passes 1 million registered apps, there’s a risk that some developers will stick with the platform as users only, putting their apps in maintenance mode. In May, “Kiwi developer Isaiah stopped development”:http://yourhead.tumblr.com/post/5550105265/i-love-you-kiwi-i-know of his Mac Twitter app:

“I’m just going to take a break from Kiwi for a while. It’s still for sale. I still support it. I’ll still fix bugs when they crop up. But adding new features and playing catch up with the other guys/gals is off the table.”

Maybe because I don’t have to depend on Tweet Library sales, I tend to more stubbornly ignore what is good business sense. There’s so much I still want to do. As “I wrote in my previous take”:http://www.manton.org/2011/03/twitters.html on the state of the platform: “I’m a little discouraged, but not enough to stop.”

I think that’s doubly true today. More annoyed, but also more determined to plug holes in the platform, from archiving to syncing. I couldn’t be more excited about the developers who are building in “Tweet Marker”:http://tweetmarker.net/ support.

And there’s always a chance, a feeling that something big is just around the corner. That if I don’t add that one feature, or open up that new API, I’ll miss the tipping point that makes Tweet Library really take off.

Twitter’s platform at 5 years

Twitter recommended upgrading to OAuth “for optimal security” and so developers don’t need to “worry about the user changing their password”. While I dislike APIs that break old clients, I saw mostly the good things about OAuth, framed around letting the user approve access to their own account.

Seven months ago, as Twitter was finishing the OAuth transition, “Buzz Andersen tweeted this”:http://twitter.com/buzz/statuses/21402358130:

“Twitter isn’t just enforcing OAuth for technical reasons: it’s a way of taking control of the platform.”

I’m not sure I got it at the time. Twitter was all about open APIs, right? They encouraged new clients, and the original Mac client Twitterrific had “brought a lot of innovation and standards”:http://furbo.org/2011/03/11/twitterrific-firsts/ to the platform. Why would they need this level of control?

“The email from Ryan Sarver”:http://groups.google.com/group/twitter-development-talk/browse_thread/thread/c82cd59c7a87216a/7dd46c26157c9e29 last week showed part of how Twitter is changing as a company, refocusing from building a network to selling a product. Reading between the lines, it seems that to effectively sell ads, Twitter feels they need to control the user experience. On Twitter clients:

“Developers have told us that they’d like more guidance from us about the best opportunities to build on Twitter. More specifically, developers ask us if they should build client apps that mimic or reproduce the mainstream Twitter consumer client experience. The answer is no.”

Disappointing. At a panel on the Twitter API at SXSW, which sadly no one from Twitter in Austin knew about, the mood was pretty dim. I said to the room that we expected more from Twitter.

Then over the weekend, Ryan clarified: “we are saying it’s not a good business to be in but we aren’t shutting them off or telling devs they can’t build them.” There’s still plenty of uncertainty, but that’s a more hopeful message. I collected some additional “related tweets on tweetlibrary.com”:http://tweetlibrary.com/manton/twitterapirules.

Many people during SXSW asked me what this means for Tweet Library. Is Tweet Library a mainstream Twitter client? It has all the basic features of a normal client, but no, not really. It’s meant to be something more, something unique that solves problems no one else is working on, least of all Twitter.

I’m a little discouraged, but not enough to stop. I owe it to my customers to finish what I started: to fix bugs, add new features, polish the rough edges, and make Tweet Library the best app on the Twitter platform.

Deprecation mentality

Today, Twitter starts “shutting down basic authentication”:http://countdowntooauth.com for the Twitter API. One of my favorite Twitter clients, Birdfeed, will be allowed fewer and fewer requests until finally at the end of the month it stops working. Likewise for Birdhouse and Twitterrific 2. And the same for my “Wii Codes”:http://wiitransfer.com/codes/ site, until I have a chance to update it.

“Dave Winer wrote a fairly negative essay”:http://www.scripting.com/stories/2010/04/26/theToxicCoralReef.html a few months ago on this so-called OAuthcalypse:

“When Twitter breaks all the apps in the OAuthcalypse, they will break all of mine, and I have no intention of fixing them. I don’t expect anyone to care. But what you should think about is how many of the Twitter apps that you do care about will break and how many of them will say the hell with it? And how many of them will be around for the next time Twitter breaks everything, because that’s certainly coming unless Twitter develops some kind of philosophy about itself as a developer platform.”

I didn’t want to agree with him at first — I’m a big fan of nearly everything Twitter does — but it’s a fair question to ask whether backwards compatibility is getting the attention it deserves. Software moves fast, but this kind of thing hurts users, not just developers.

In the desktop world, OS APIs are unlikely to change so severely, and if they do you always have the option to run an older version of the OS or app indefinitely. For web services, though, you can’t keep an older copy of the internet around. Web apps are forced upgrades.

I’m not sure there’s a solution to any of this. It’s just part of tech progress, like moving data from old floppy disks to CDs to hard drives to the cloud. But it’s a bummer when apps get left behind as APIs are obsoleted. Over-aggressive deprecation was common in the Rails world, and “I was not a fan”:http://www.manton.org/2009/01/rails_4_years_later.html.

So, here’s to the future, Twitter. Keep new API changes versioned and maintain the old stuff. If this OAuth switch is a one-time cost, developers can focus on what makes their apps unique instead of always playing catch-up.

Dave Winer rethinks auth

“Dave Winer proposes”:http://www.scripting.com/stories/2009/01/05/rethinkingAuthentication.html a simple solution to revoking authentication in web services:

“Now imagine that Twitter had a page that showed all the IP addresses that have used your login in the last 30 days, with a start date for each and a count of calls made. I bet you could figure out which one was The Greasy Spoon Group, pronto. Further suppose there was a checkbox next to each IP address. You could uncheck that one, click Submit, and voila, no more spam from your account.”

There are important things missing here, such as not sharing your credentials, but I have to admit I do like the simplicity. If the hostnames were grouped by user agent, the UI wouldn’t even be half bad. If nothing else, maybe this will light a fire under OAuth implementors to get moving. (And I count myself in that group too, since I’m involved with some services that need OAuth pretty badly.)
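A sketch of the page Winer describes, with the grouping by user agent suggested above; this is an added example, not code from Winer or Twitter. The log records, the `GreasySpoonBot/0.1` agent string and the `AccessList` class are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, source IP, User-Agent) per authenticated API call.
NOW = datetime(2009, 1, 5, 12, 0)
LOG = [
    (NOW - timedelta(days=40), "198.51.100.7", "DesktopClient/1.2"),  # outside the window
    (NOW - timedelta(days=12), "198.51.100.7", "DesktopClient/1.2"),
    (NOW - timedelta(days=3), "198.51.100.7", "DesktopClient/1.2"),
    (NOW - timedelta(days=9), "203.0.113.20", "GreasySpoonBot/0.1"),
    (NOW - timedelta(days=8), "203.0.113.20", "GreasySpoonBot/0.1"),
    (NOW - timedelta(days=8), "203.0.113.21", "GreasySpoonBot/0.1"),
]

def summarize(log, now, days=30):
    """Group calls in the window by user agent, then IP: first-seen date and call count."""
    cutoff = now - timedelta(days=days)
    summary = defaultdict(dict)
    for ts, ip, agent in sorted(log):  # oldest first, so first_seen is the earliest call
        if ts < cutoff:
            continue
        entry = summary[agent].setdefault(ip, {"first_seen": ts, "calls": 0})
        entry["calls"] += 1
    return dict(summary)

class AccessList:
    """The 'uncheck the box' step: a per-account set of revoked source IPs."""
    def __init__(self):
        self.revoked = set()

    def revoke_agent(self, summary, agent):
        # Revoke every IP the summary lists under one user agent.
        self.revoked.update(summary.get(agent, {}))

    def allows(self, ip):
        return ip not in self.revoked

if __name__ == "__main__":
    s = summarize(LOG, NOW)
    for agent, ips in s.items():
        for ip, e in ips.items():
            print(f"{agent:20} {ip:15} since {e['first_seen']:%Y-%m-%d} calls={e['calls']}")
    acl = AccessList()
    acl.revoke_agent(s, "GreasySpoonBot/0.1")
    # The same shared password from an address not yet listed is still accepted.
    print(acl.allows("203.0.113.20"), acl.allows("203.0.113.99"))
```

Both the source IP and the User-Agent are chosen by the client, so a revoked application that moves to an unlisted address is allowed again; the password it holds has not changed, which is the gap that per-application OAuth tokens close.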

If you “string together tweets from Alex Payne”:http://search.twitter.com/search?q=&ands=oauth&phrase=&ors=&nots=&tag=&lang=all&from=al3x&to=&ref=&near=&within=15&units=mi&since=&until=&rpp=50, it makes for an interesting narrative about OAuth too.