Some of you may recall back in 2009 when there was not one, but two Twitpocalypses. As a quick refresher, it was an issue with the unique identity number for tweets and the 32-bit signed and unsigned integer limits. Twitter recommended developers switch over to 64-bit, which they did, and now we’re a long ways away from another issue like that (I’m told something like 316,887,646 years, in fact). But a new issue is much closer: OAuthpocalypse!
Starting on Tuesday, Twitter is going to begin phasing out the Basic Auth support that third-party developers have been using for a long time. Beginning on August 31, they will no longer be able to use it at all to connect third-party apps to Twitter. Instead, they’re being asked to use OAuth, the more secure version of authentication.
And actually, Twitter actually did a quick test of this move today. Here’s what developer advocate Taylor Singletary notes in the Twitter Development Talk Google Group:
You may have noticed that we temporarily shut basic authentication off today for 10 minutes. We gave minimal notice today, and recognize that more notice would have been optimal. We will be doing these integration tests a few more times before the total deprecation date.
Another such test will take place on Monday.
Twitter let users know about this bigger switch was coming a while ago, the update today is more to get everyone on the same page and give a firm timetable. Here it is:
- Basic Auth will be completely shut off on August 30th.
- Beginning Aug 17, basic auth rate limiting will decrease by 15 requests
on each week day (10% drop per weekday)
- Aug 16, 8am Pacific – we’ll shut basic auth temporarily off for 10
- Aug 31, 5pm Pacific – we’ll shut basic auth temporarily for 10 minutes
- On August 30th, all basic auth requests will be served with a 401 HTTP
If you’re a developer concerned about the transition, read over Singletary’s post or check out this page. But this move shouldn’t be taken lightly, as Singletary notes:
We’ve discussed at length in the past why this transition is important. We recognize that it significantly increases the difficulty of working with the Twitter API. OAuth is not a silver bullet for security, but protects our users and the platform ecosystem notably better than basic authentication.
The move to OAuth is probably overdue for Twitter. But they’re moving quickly after this. I’m told the move to OAuth 2, the even more secure new version, is already in the works.
Smells like victory.