oAuth over xAuth

On May 11, 2010, in Coding, Practises, oAuth, xAuth, by James Brooks

Previously I discussed oAuth via desktop applications, specifically why I chose to use it in iTunesTweet and a few of the benefits it has over the normal API. In this post I'll be comparing oAuth with xAuth, explaining the benefits and problems each standard faces.

What is oAuth?

oAuth stands for Open Authorization. It's an open standard which allows users to share data between their system and a server without having to enter their username or password into the third-party website. This means that no personal data is stored by the website or application, only tokens which allow the site to contact the service for basic details.

These tokens work only for the user they were generated by and for the specific services and requested resources. (Source)

What is xAuth?

xAuth is a crossover between oAuth and the basic API. It takes the core functionality of oAuth and gives developers the same token system, but lets them use the basic API at the same time.

It's actually a little bit weird, since xAuth doesn't go through any request-token process: it simply takes the user's credentials, lets you make one API call, and returns the tokens in exchange.

Wait, so xAuth takes user credentials, how is this safe?

And this is the downside of xAuth. It requires both username and password in exchange for access to the API. At first it sounds like you might as well just use the basic API as it is, and you're right, you probably should for simplicity, but xAuth provides somewhat decent security along with the full API power.

It's only safe because it keeps the tokens rather than the credentials, and even then, relating it to oAuth (known for its security) is in my eyes… stupid.

How does it work?

Firstly, you send an email to Twitter asking if they'll enable xAuth for your oAuth application (seems weird, but okay…). If you get approved, you then call the xAuth API method https://api.twitter.com/oauth/access_token with three parameters:

  1. x_auth_username – obviously the requesting username
  2. x_auth_password – obviously the requesting password
  3. x_auth_mode – this needs to be set to client_auth

When you get the tokens back, you should store them, as they don't expire. They can then be used for the API calls and the password can be dropped. So I guess it has a bit of security.
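As an added example, not code from the original post or from iTunesTweet, here is the xAuth exchange above in Python: the single signed POST to the access_token endpoint (Twitter required the request to be OAuth 1.0a HMAC-SHA1 signed with the application's consumer key and secret, which the post doesn't mention), and the parsing of the response so that only the token pair is kept and the password is discarded. The consumer key, consumer secret and the response body are placeholders constructed for this example.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qs, quote, urlencode

ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"

def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires (only unreserved characters stay bare)."""
    return quote(str(value), safe="~")

def signature_base_string(method, url, params):
    """Normalise every parameter (form body plus oauth_*) and build METHOD&URL&PARAMS."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """xAuth has no token yet, so the signing key is just '<consumer_secret>&'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def build_xauth_request(consumer_key, consumer_secret, username, password,
                        nonce=None, timestamp=None):
    """The single xAuth call: credentials in the POST body, signature in the Authorization header."""
    body = {"x_auth_username": username, "x_auth_password": password,
            "x_auth_mode": "client_auth"}
    oauth = {"oauth_consumer_key": consumer_key,
             "oauth_nonce": nonce or secrets.token_hex(16),
             "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": str(timestamp or int(time.time())),
             "oauth_version": "1.0"}
    base = signature_base_string("POST", ACCESS_TOKEN_URL, {**body, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return {"url": ACCESS_TOKEN_URL, "body": urlencode(body),
            "headers": {"Authorization": header,
                        "Content-Type": "application/x-www-form-urlencoded"}}

def parse_access_token_response(text):
    """Keep only the long-lived token pair; the password itself is never stored."""
    fields = parse_qs(text, strict_parsing=True)
    return {"oauth_token": fields["oauth_token"][0],
            "oauth_token_secret": fields["oauth_token_secret"][0]}

# Constructed sample response (placeholder tokens) in the form-encoded shape Twitter returns.
SAMPLE_RESPONSE = ("oauth_token=EXAMPLE-TOKEN&oauth_token_secret=EXAMPLE-SECRET"
                   "&user_id=12345&screen_name=example_user")
```

The request must go over HTTPS, since the body carries the password in clear form; the signature only proves the request came from your registered application, it does not hide the credentials.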

Just so long as you keep in mind that xAuth is one API call, with no request tokens used, you'll be fine!

I actually managed to get a second version of iTunesTweet (for my own testing) using xAuth in a couple of hours – I had to rewrite some of the code to handle the outputs.
