Twitter a Hot Princess, Google an Empty Castle

Over the past two years I have been arguing that the problem with supporting OAuth 1.0 signatures wasn’t with the signatures, but with the lack of value in trying to figure them out. The primary argument made by the WRAP authors and now the majority of OAuth 2.0 contributors is that signatures are hard and developers are stupid. This combination, they argued, is costing them developers.

To address this, they argued that the only solution is to remove signatures. I countered that instead of creating a new protocol, the companies complaining (primarily, Google, Microsoft, and Yahoo!) should invest in quality libraries and debugging tools.

My point was (and still is) that if you give developers value, they will fight to figure out the signatures. A couple of weeks ago Twitter discontinued their support for Basic authentication, and what these people said could not happen, happened: all those developers figured out how to migrate their applications to OAuth 1.0, despite the lack of Twitter developer support, alleged bugs, and other complaints about Twitter’s implementation.


Don’t expect knights to battle dragons if your castle is empty. Twitter put a hot blond (or brunette) princess (or prince) in their castle, and their (API) knights fought the evil (signature) dragon and got their reward. Google and the rest of the big web providers with their useless offering of boring APIs left their castle empty.

Guess what! The kind of knights who come to fight dragons living in an empty castle are there for the fight, not to do something useful. Yes, battling dragons is a bitch, but knights tend to forget that once they get their happily-ever-after. Give them an empty castle and they will do nothing but obsess about their battle scars.

Why does this matter? Because without signatures there can be no secure discovery, and the web becomes less open.
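For readers who have never met the dragon: the following is an added illustration, not code from the original post, of an RFC 5849 HMAC-SHA1 signer and verifier in Python. It shows that every query, body and oauth_* field is bound into the signature, so a proxy that alters any parameter in transit breaks the server-side check; the consumer key, token and secrets are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit

def _enc(s):
    # RFC 3986 percent-encoding as OAuth 1.0 mandates: only unreserved characters stay raw.
    return quote(str(s), safe="-._~")

def _base_uri(url):
    # Scheme and host lowercased, default ports dropped, query and fragment removed.
    p = urlsplit(url)
    host = p.hostname.lower()
    default = (p.scheme == "http" and p.port == 80) or (p.scheme == "https" and p.port == 443)
    if p.port and not default:
        host = f"{host}:{p.port}"
    return f"{p.scheme.lower()}://{host}{p.path or '/'}"

def signature_base_string(method, url, params):
    # params: oauth_* fields plus form-body fields; query-string fields are merged in.
    items = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    items += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    pairs = sorted((_enc(k), _enc(v)) for k, v in items)  # by encoded name, then value
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(_base_uri(url)), _enc(normalized)])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def sign_request(method, url, params, consumer_key, consumer_secret, token, token_secret,
                 nonce=None, timestamp=None):
    # Client side: add the oauth_* protocol fields, then sign everything together.
    signed = dict(params, oauth_consumer_key=consumer_key, oauth_token=token,
                  oauth_signature_method="HMAC-SHA1", oauth_version="1.0",
                  oauth_timestamp=str(timestamp or int(time.time())),
                  oauth_nonce=nonce or secrets.token_hex(8))
    signed["oauth_signature"] = hmac_sha1_signature(method, url, signed, consumer_secret, token_secret)
    return signed

def verify_request(method, url, params, consumer_secret, token_secret=""):
    # Server side: recompute over everything actually received; any altered field changes the MAC.
    expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))
```

A real server would additionally reject reused nonces and stale timestamps, which the signature alone does not cover.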

4 thoughts on “Twitter a Hot Princess, Google an Empty Castle”

  1. Can you tell me which variant of OAuth 1.0 they are using now? I couldn’t find much tech info regarding “how Twitter is using OAuth and the changes they made”. Also, I have one query: “Can I use OAuth just for validating calls of consumers (third-party app developers) towards service providers (platforms like Facebook, Rediff, etc.)?”

    Thanks for the post; it was surely intuitive.


      • Hey, many thanks for the reply!
        I am very confused by the comments/content I read on your other post, “OAuth 2.0 (without Signatures) is Bad for the Web”. Could you please throw some light on “How can a man-in-the-middle attack be prevented by following the OAuth standard?”

        It would be a great help even if you shared some links where I can find some literature.

        Thanks once again.

