Sign in with Twitter

Recently Twitter updated their API Wiki with a new “Sign in with Twitter” page that explains OAuth in more detail and provides several “Sign in” buttons. This created a big buzz with ReadWriteWeb, TechCrunch, Mashable, and others all calling it a new entrant in the portable ID sector (OpenID, Facebook Connect, Google Friend Connect, etc.). I called BS on this as I saw the authors were premature in their predictions (plus all commenters on these stories).

One author, whom I highly respect, contacted me directly asking what my take on the story was. Here is my response (with slight modifications):

Not sure of your technical level, but I’m going to breeze through this.

There are two fundamental open source credential mechanisms – OpenID and OAuth. Most “single sign on” is based on OpenID or a variant (both Google and Facebook are embracing and extending here). The problem with OpenID is that it is HTTP-based and actually requires you to visit the issuing site to supply your credentials. This won’t work for every case, such as mobile apps or basically any non-web app. This is what I refer to as the OpenID dilemma.

With OAuth, the login process is decoupled further. So if you are on a mobile app and attempt to sign in with Twitter, the app will tell you to visit to complete the process. You visit and are presented with a dialogue saying “so and so app is requesting authorization”. At that point you approve or deny. Once approved, the mobile app forevermore has the ability to access your Twitter account. As far as I know, the first large adopter of this is Flickr. It is sort of ironic that Twitter actually began the OAuth efforts years ago.

In the Twitter API, the OAuth calls have been available ever since I started developing my own Twitter tools. So I always wondered why OAuth was never forced on third-party developers (I think this was just a smart business decision). So now we have thousands of third-party Twitter apps that request your username/password for use and you have no idea how reliable the apps are or the people behind them.

In an effort to increase OAuth usage, Twitter added the “Sign in with Twitter” buttons (and also gave the OAuth calls more prominent placement on the main API page). There really isn’t anything new here except a few graphics and Twitter providing a little more documentation on OAuth. You can see an example of how it actually works at

So the bottom line is OpenID is used more often as a “single sign on” and OAuth is used as a security measure for API calls. This doesn’t mean OAuth CAN’T be used for “single sign on”, but I highly doubt that it will.

Twitter is being extremely cautious with their model right now so throwing down the gauntlet of a new “single sign on” really doesn’t make sense. I have no inside information, so I could be totally wrong here.

If you have any insights on this, I would love to hear them.
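
The approval flow described above, as an added example that is not part of the original post or Twitter's code: a toy in-memory provider walks through request token, out-of-band user approval, and access token, so the app only ever holds a token and never the password. The `Provider` class, `app_sign_in`, the app name and the single-secret HMAC signing are simplifying assumptions; real OAuth 1.0 signs a normalized request with both a consumer secret and a token secret.

```python
import hashlib
import hmac
import secrets

def sign(secret, message):
    # Simplified: real OAuth 1.0 signs a normalized request with two secrets.
    return hmac.new(secret.encode(), message.encode(), hashlib.sha1).hexdigest()

class Provider:
    """Toy service provider (hypothetical): keeps passwords, hands out tokens."""
    def __init__(self, users):
        self._users = users      # username -> password, never sent to apps
        self._pending = {}       # request token -> [app name, approving user]
        self._granted = {}       # access token -> (app name, user, secret)

    def request_token(self, app):
        token = secrets.token_hex(8)
        self._pending[token] = [app, None]
        return token

    def authorize(self, token, user, password, approve):
        # Runs on the provider's own page; the app is not in this exchange.
        ok = (token in self._pending and approve and
              hmac.compare_digest(self._users.get(user, ""), password))
        if ok:
            self._pending[token][1] = user
        return bool(ok)

    def access_token(self, token):
        app, user = self._pending.pop(token, (None, None))
        if user is None:
            raise PermissionError("request token was never approved")
        access, secret = secrets.token_hex(8), secrets.token_hex(16)
        self._granted[access] = (app, user, secret)
        return access, secret

    def whoami(self, access, message, signature):
        grant = self._granted.get(access)
        if grant and hmac.compare_digest(sign(grant[2], message), signature):
            return grant[1]
        return None

    def revoke(self, access):
        # Withdraws one app's access without changing the user's password.
        self._granted.pop(access, None)

def app_sign_in(provider, user_step):
    """What the third-party app does; user_step is the out-of-band approval."""
    request = provider.request_token("mobile-app")
    user_step(request)           # user visits the provider and approves or denies
    return provider.access_token(request)
```

If the user denies the request, `access_token` raises `PermissionError` and the app ends up with nothing it can reuse, which is the difference from an app that collected the username and password directly.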

New Downloads Page

Instead of updating each post with new download versions, I’ve consolidated all builds onto one page – Downloads. I have also added the mozconfig file I’m using to build the Intel Optimized Shiretoko as many have requested. I would really like to get feedback on it so that future builds get faster.

I’m not quite ready for nightlies (but getting there). I’ll also be adding some iPhone apps with provisioning shortly. I’m not going to deal with the app store just yet.

I also have some WordPress plugins that I want to release. So those will be available shortly as well.

Squirt: Auto Updating WordPress Plugins

Am I missing something with the auto-updates for WordPress plugins? When I try to do an auto-update, I get a page asking me for the ftp(s) info for my server. I’m expected to:

  1. send ftps info unencrypted through the browser
  2. send my credentials to an untrusted third party
  3. open up my firewall so any ol’ IP can ftps to my server


Firefox 3.1 Intel Optimized Build



Update: Shiretoko 3.1b4pre is now available, some new numbers and a slightly updated FAQ.

BeatnikPad has been offering G4/G5/Intel optimized builds of Firefox 3.0.x and earlier for a number of years now and I’ve grown somewhat reliant on them. This has been a great service to the Mac community and I really appreciate all of Neil’s efforts. He is not only timely with the builds, but is very good with user support as you can see in his comments.

I’ve been using WebKit, Minefield, and increasingly Opera as my main browsers for a while now (and Bon Echo (Firefox 2)) and have recently been running Shiretoko (Firefox 3.1) to take advantage of TraceMonkey. But I’ve been longing for an Intel optimized build and haven’t found one, so I’ve made one.

Shiretoko 3.1b3pre had a SunSpider JavaScript Benchmark of 1333 and Shiretoko 3.1b4pre clocks in at 1449. The regex engine is vastly improved, while 3d/access/math took a hit. I think I can optimize further with the browser config, but don’t have time at the moment.

I’ve also made a few adjustments to the default config, namely turning on TraceMonkey and other minor tweaks to eke some additional speed out.

Go To Downloads Page

Mini FAQ

What’s the deal with all these weird names?
Non-official builds cannot use Firefox branding. I guess I could call it something else, but everyone in the dev community knows this particular version as Shiretoko.

Is Shiretoko Japanese for something?
Yes. Dev builds are named after parks, and this one is named after the Shiretoko National Park in northern Japan (thanks, Mike).

Is this going to break my existing Firefox?
No. You just cannot run them simultaneously.

Will my add-ons work?
Maybe. Firebug works and that’s all that matters to me.

Will you be doing nightly builds?
Yes. Since there is the demand for it, I will start nightlies once my current data crunching project is finished (I cannot interrupt this project every night). I expect to have this done by the end of March.

Will you build for different architectures?
No. Intel is where it’s at.

Off To Japan

I finally realized I was about 7,000 miles from home in a foreign country.

I was in bed reading, trying to get tired at 2:30, when the call came. I needed to get to Japan immediately. I packed as fast as possible and headed to the airport without even a ticket. The prices at the various airlines were outrageous topping out at $4,500. A quick web search got me a ticket for $1,200.

Twenty hours later I arrived at my in-laws. With severe jetlag and sleeping pills flowing through my body, it all felt like a dream. Two days later I finally came to the realization of what had happened.

I won’t go into the details of why I’m here, but the trip was absolutely necessary.

I’ll be on a brief hiatus from blogging while I’m here but will continue twittering.