PSA: If you use Twitter to sign in to stuff, you should double ... • Aaron Parecki

55°F

PSA: If you use Twitter to sign in to stuff, you should double check you have another way to get in to those accounts asap. With Twitter charging ??? for API access next week, you have no way of knowing whether the apps you use are going to pay that.

Portland, Oregon, USA • 49°F

#oauth #twitter

Thu, Feb 2, 2023 4:23pm -08:00

140 likes 139 reposts 11 replies 5 mentions
Have you written a response to this? Let me know the URL:
- Matzebob x0r.be/users/Matzebob
  
  @aaronpk oh no! My Vero account...!
  
  Fri, Feb 3, 2023 12:03pm -08:00
- horseyfeelings twitter.com/horseyfeelings
  
  Monetization can be enforced at api gateway. but depends on how profile api proxy is configured at twitter’s gateway. Is it bundled with other “pay for” APIs? if yes, then good luck to folks who have this capability enabled as a RP where twitter is IDP. hello @elonmusk…
  
  Fri, Feb 3, 2023 6:49pm +00:00 (via brid.gy)
- Dick Hardt twitter.com/DickHardt
  
  Logging in with Twitter is calling the profile API - hard to imagine how they will easily allow that specific API call be free and not others.
  
  Fri, Feb 3, 2023 3:31pm +00:00 (via brid.gy)
- horseyfeelings twitter.com/horseyfeelings
  
  umm, putting a paywall to developer portal access is one thing, but invalidating already released tokens (which WILL expire), clientIDs and secrets specially for profile sharing flow is just plain stupid. Twitter does now “own” its user profile data, users do. I see lawsuits.
  
  Fri, Feb 3, 2023 12:54pm +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  I mean, has anything they've done made sense? They don't support OIDC which means you have to use the same OAuth developer portal to get API access and use Log In with Twitter. Are they going to separate the two by next week?
  
  Fri, Feb 3, 2023 5:12am +00:00 (via brid.gy)
- horseyfeelings twitter.com/horseyfeelings
  
  Is @Twitter also monetizing OIDC/Log In capability? That does not make sense. They are just acting as an identity provider in this context and I’m not sure putting a paywall for user initiated profile sharing consent to 3rd parties is a right move. @elonmusk?
  
  Fri, Feb 3, 2023 4:38am +00:00 (via brid.gy)
- Brandon Trebitowski brandontreb.com
  
  I feel like this applies to all “Sign in With” services (except indieauth of course ;)). I love the move to try and kill the password, however the state of these services is insane. I’m 1Pass for almost everything these days.
  
  Thu, Feb 2, 2023 5:04pm -08:00
- David Celis xoxo.zone/users/davidcelis
  
  @aaronpk FWIW, OAuth appears to be treated separately from APIv1.1 and APIv2. it’s feasible that it will keep working for free. but it’s anybody’s guess at this point https://developer.twitter.com/en/docs/api-reference-index
  
  Thu, Feb 2, 2023 5:02pm -08:00
- Jonathan Frederickson jawns.club/users/jfred
  
  @aaronpk Oh lord are they charging for their *oauth* APIs too? That would be... incredibly short-sighted
  
  Thu, Feb 2, 2023 4:58pm -08:00
- Johannes Ernst social.coop/users/J12t
  
  @aaronpk I get the feeling Twitter doesn't know either.
  
  Thu, Feb 2, 2023 4:25pm -08:00
- Aaron Parecki aaronparecki.com
  
  You can review the list of apps you've connected to your Twitter account here:
  
  https://twitter.com/settings/connected_apps
  
  Thu, Feb 2, 2023 4:24pm -08:00
Other Mentions
- Peggy K twitter.com/PeggyKTC
  
  Added by @DickHardt "Logging in with Twitter is calling the profile API - hard to imagine how they will easily allow that specific API call be free and not others."
  
  Fri, Feb 3, 2023 6:32pm +00:00 (via brid.gy)
- Vittorio twitter.com/vibronet
  
  Very good advice. If you want a list of all the apps you granted some Twitter permissions to, visit twitter.com/settings/conne… - I discovered some i don’t often use, hence not in the sessions list, that I would have been locked out from at the next login attempt
  
  Fri, Feb 3, 2023 2:35am +00:00 (via brid.gy)
- stl-place twitter.com/stlplace
  
  Excellent point. #TwitterAPI #TwitterDependency I added FB sign in for my #medium account (previously it was exclusively sign in via #Twitter)
  
  Fri, Feb 3, 2023 2:01am +00:00 (via brid.gy)
- mastodon.social/@bengo twitter.com/bengo
  
  also: can we start talking about how “sign in with” almost ANY identity provider whose URL uses dns is vulnerable to this over long periods of time (took 15years for twitter rugpull but look where we are now)
  
  Fri, Feb 3, 2023 12:32am +00:00 (via brid.gy)
- tim cappasskey twitter.com/timcappalli
  
  Great opportunity for sites and services to start looking at replacing consumer federation with #passkeys! Check out passkeys.dev for more info.
  
  Fri, Feb 3, 2023 12:26am +00:00 (via brid.gy)

Posted in /notes using quill.p3k.io