Below is a mock-up of how I’d like to see Twitter implement fine-grained application permissions.
To create this badly photoshopped image for my DevNest talk, I took Facebook’s Connect dialogue and spliced it with Twitter’s new design for their Anywhere platform.
Take in its beauty, and then I’ll explain …
This image is a mock-up – it is not Twitter, or TweetDeck official. (just covering my back, ok?)
Extended permissions
Note the icons on the left, particularly where it states you are granting permission for the developer to access your direct messages and tweet from your account. Does the app you’re accessing need to perform these actions? If it needs to do one thing, should it be able to do all things? I caused a minor storm when I pointed out that any application you authorize can read your DMs. This is why Twitter (if they want to conquer the mainstream) need to follow in Facebook’s footsteps.
Facebook call this approach ‘extended permissions’. Currently the Twitter API only supports two access levels: read-only, or read+write. For example: Read access would be required to access your direct messages. Write access would be required to send them from your account.
This access level decision is taken by the developer, not the consumer, and it’s currently very badly expressed to the connecting user via the UI. It’s worth noting that extended permissions are not a part of the OAuth spec itself, rather they are an extra layer on top that is specific to the vendor. Perhaps it should be a part of the spec.
Whether anyone questions an application’s need for write access is an issue in itself, but this is compounded by the fact that write access basically means maximum access. My site TwitBlock needs write access to report spam, but I don’t need (or want) to be able to tweet from your account any time I like.
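To make the gap between the two models concrete, here is an added example (my own illustration for this post, not Twitter’s or Facebook’s actual API) that models a coarse read/read+write token alongside a fine-grained scope token. The action names and scope strings such as `write:spam_reports` are constructed for the example. An app like a spam reporter asks only for what it needs; the code shows which other actions the coarse model lets it perform anyway.

```python
"""Coarse vs. fine-grained API permissions (constructed example).

Scope names, action names and the access levels are illustrative only;
they are not the real Twitter or Facebook API.
"""

from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set, Tuple

# What each API action genuinely needs (constructed mapping).
ACTION_REQUIRES: Dict[str, str] = {
    "read_timeline": "read:timeline",
    "read_dms": "read:direct_messages",
    "post_tweet": "write:tweets",
    "send_dm": "write:direct_messages",
    "report_spam": "write:spam_reports",
}


def coarse_allows(access_level: str, action: str) -> bool:
    """Two-level model: 'read' covers every read: scope, 'read_write' covers everything."""
    needed = ACTION_REQUIRES[action]
    if access_level == "read":
        return needed.startswith("read:")
    if access_level == "read_write":
        return needed.startswith(("read:", "write:"))
    return False


@dataclass(frozen=True)
class FineGrainedToken:
    """A token carrying exactly the scopes the user approved."""
    scopes: FrozenSet[str]


def fine_allows(token: FineGrainedToken, action: str) -> bool:
    """Fine-grained model: the action is allowed only if its exact scope was granted."""
    return ACTION_REQUIRES[action] in token.scopes


def coarse_level_for(needed_scopes: Iterable[str]) -> str:
    """Under the coarse model, any write need forces the developer to request read+write."""
    return "read_write" if any(s.startswith("write:") for s in needed_scopes) else "read"


def compare(requested_actions: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """For an app that requests only the actions it needs, return per action
    (allowed under coarse model, allowed under fine-grained model)."""
    needed = frozenset(ACTION_REQUIRES[a] for a in requested_actions)
    level = coarse_level_for(needed)
    token = FineGrainedToken(needed)
    return {a: (coarse_allows(level, a), fine_allows(token, a)) for a in ACTION_REQUIRES}


def excess_under_coarse(requested_actions: Iterable[str]) -> Set[str]:
    """Actions the coarse model grants that the app never asked for."""
    return {a for a, (coarse, fine) in compare(requested_actions).items() if coarse and not fine}


if __name__ == "__main__":
    # A spam-reporting app needs one write action and nothing else.
    for action, (coarse, fine) in sorted(compare(["report_spam"]).items()):
        print(f"{action:15s} coarse={coarse!s:5s} fine={fine}")
    print("granted but not requested:", sorted(excess_under_coarse(["report_spam"])))
```

The `excess_under_coarse` set is the point of the post: under the two-level model a spam reporter that needs a single write capability ends up able to read DMs, send DMs and tweet; under the scoped model it can do only what it asked for.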
Reporting applications
Note the ‘report this application’ link in the mock-up – remember Twifficiency? Not the first auto-tweeting app I’ve grumbled about. Regardless of the case specifics, application developers need to be responsible for what their application does.
OAuth means that Twitter can trace any API access back to the application owner, and revoke access. A good start, but it’s not easy [enough] to report a Twitter application. Facebook have a ‘report’ button on connect dialogues and application profile pages. Twitter require you to write out a support ticket. How many people know how to get to that page?