PSA: If you use Twitter to sign in to stuff, you should double check you have another way to get into those accounts asap. With Twitter charging ??? for API access next week, you have no way of knowing whether the apps you use are going to pay that.
Monetization can be enforced at the API gateway, but it depends on how the profile API proxy is configured at Twitter’s gateway. Is it bundled with other “pay for” APIs? If yes, then good luck to folks who have this capability enabled as an RP where Twitter is the IdP. hello @elonmusk…
umm, putting a paywall on developer portal access is one thing, but invalidating already released tokens (which WILL expire), client IDs and secrets, especially for the profile sharing flow, is just plain stupid. Twitter does not “own” its user profile data, users do. I see lawsuits.
I mean, has anything they've done made sense? They don't support OIDC which means you have to use the same OAuth developer portal to get API access and use Log In with Twitter. Are they going to separate the two by next week?
Is @Twitter also monetizing the OIDC/Log In capability? That does not make sense. They are just acting as an identity provider in this context and I’m not sure putting a paywall on user-initiated profile sharing consent to 3rd parties is the right move. @elonmusk?
I feel like this applies to all “Sign in With” services (except IndieAuth of course ;)). I love the move to try and kill the password, however the state of these services is insane. I’m 1Pass for almost everything these days.
Very good advice.
If you want a list of all the apps you granted some Twitter permissions to, visit twitter.com/settings/conne… - I discovered some I don’t often use, hence not in the sessions list, that I would have been locked out from at the next login attempt.
also: can we start talking about how “sign in with” almost ANY identity provider whose URL uses DNS is vulnerable to this over long periods of time (took 15 years for the Twitter rugpull but look where we are now)