Twitter shut off basic authentication in August. Yet, that did not put an end to sharing one’s password with other services. Mobile apps still request your credentials, as opposed to redirecting to Twitter as part of the “OAuth dance.” And the same was true with Apple’s Twitter integration. Why aren’t some playing by Twitter’s new rules?
According to a tweet from Twitter’s Ryan Sarver, Apple’s service uses xAuth, a derivative of OAuth. With xAuth the username and password are passed only once, in order to retrieve an OAuth token. From that moment on, the process is the same as OAuth. The password is not meant to be stored by the third party.
Only approved applications can use xAuth, according to Twitter’s page on the topic:
xAuth access is restricted to approved applications. If your application is a desktop or mobile application and the standard web OAuth flow or PIN-code out-of-band flow is not right for you, send a detailed message to firstname.lastname@example.org to request xAuth privileges. Include the name of your application, the consumer key, the application ID (if available), and a summary of how xAuth is best-suited for your application.
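To make the two points above concrete (the one-time credential exchange for a token, and the restriction of xAuth to approved consumer keys), here is an added, self-contained Python sketch of the flow; it is not code from the original post, from Twitter or from Apple. The `x_auth_mode`, `x_auth_username` and `x_auth_password` parameter names and the endpoint paths are assumed from Twitter’s xAuth documentation of the period; the in-memory server, the user database and the consumer keys are constructed for the example. The OAuth 1.0a HMAC-SHA1 signing is implemented as the spec describes it, so the server can verify that only an approved consumer signed the exchange, and the client keeps only the token pair once the password has been sent.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed sample application keys (not real Twitter credentials).
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"


def pct(s):
    """RFC 3986 percent-encoding, as OAuth 1.0a requires for every component."""
    return quote(str(s), safe="-._~")


def normalize_params(params):
    """Encode, sort by key then value, and join: the normalized request parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the signature base string; params must exclude oauth_signature."""
    base = "&".join([method.upper(), pct(url), pct(normalize_params(params))])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"  # empty token secret during xAuth exchange
    return base64.b64encode(hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()).decode()


def oauth_params(consumer_key, token=None):
    p = {"oauth_consumer_key": consumer_key, "oauth_nonce": secrets.token_hex(16),
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
         "oauth_version": "1.0"}
    if token:
        p["oauth_token"] = token
    return p


def sign_request(method, url, params, consumer_secret, token_secret=""):
    signed = dict(params)
    signed["oauth_signature"] = signature(method, url, params, consumer_secret, token_secret)
    return signed


class MockTwitter:
    """In-memory stand-in for the access_token and API endpoints (constructed, not Twitter's code)."""
    ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"  # assumed endpoint path
    API_URL = "https://api.twitter.com/1/account/verify_credentials.json"  # assumed endpoint path

    def __init__(self, xauth_apps, users):
        self.xauth_apps = xauth_apps   # consumer_key -> consumer_secret, xAuth-approved apps only
        self.users = users             # username -> password; plaintext only because this is a toy
        self.tokens = {}               # oauth_token -> (oauth_token_secret, username)

    def _verify(self, method, url, params, token_secret=""):
        params = dict(params)
        sig = params.pop("oauth_signature", None)
        secret = self.xauth_apps.get(params.get("oauth_consumer_key"))
        if secret is None or sig is None:   # unknown or unapproved consumer key: refused
            return False
        return hmac.compare_digest(signature(method, url, params, secret, token_secret), sig)

    def access_token(self, params):
        """The xAuth exchange: credentials come in once, an OAuth token pair goes back."""
        if not self._verify("POST", self.ACCESS_TOKEN_URL, params):
            return None
        if params.get("x_auth_mode") != "client_auth":
            return None
        user = params.get("x_auth_username")
        if user not in self.users or not hmac.compare_digest(self.users[user], params.get("x_auth_password", "")):
            return None
        token, token_secret = secrets.token_hex(16), secrets.token_hex(16)
        self.tokens[token] = (token_secret, user)
        return {"oauth_token": token, "oauth_token_secret": token_secret, "screen_name": user}

    def verify_credentials(self, params):
        """An ordinary OAuth-signed API call; no password is involved from here on."""
        entry = self.tokens.get(params.get("oauth_token"))
        if entry is None:
            return None
        token_secret, user = entry
        return {"screen_name": user} if self._verify("GET", self.API_URL, params, token_secret) else None


class XAuthClient:
    def __init__(self, server, consumer_key, consumer_secret):
        self.server, self.consumer_key, self.consumer_secret = server, consumer_key, consumer_secret
        self.token = self.token_secret = None

    def login(self, username, password):
        """Send the password exactly once; retain only the resulting token pair."""
        params = oauth_params(self.consumer_key)
        params.update({"x_auth_mode": "client_auth", "x_auth_username": username, "x_auth_password": password})
        resp = self.server.access_token(sign_request("POST", self.server.ACCESS_TOKEN_URL, params, self.consumer_secret))
        if resp is None:
            return False
        self.token, self.token_secret = resp["oauth_token"], resp["oauth_token_secret"]
        return True  # the password goes out of scope here; nothing on the client stores it

    def whoami(self):
        params = oauth_params(self.consumer_key, self.token)
        signed = sign_request("GET", self.server.API_URL, params, self.consumer_secret, self.token_secret or "")
        return self.server.verify_credentials(signed)


def demo():
    server = MockTwitter({CONSUMER_KEY: CONSUMER_SECRET}, {"alice": "correct horse"})
    approved = XAuthClient(server, CONSUMER_KEY, CONSUMER_SECRET)
    return {
        "approved_login": approved.login("alice", "correct horse"),
        "approved_whoami": approved.whoami(),
        "wrong_password": XAuthClient(server, CONSUMER_KEY, CONSUMER_SECRET).login("alice", "wrong"),
        "unapproved_app": XAuthClient(server, "other-app", "other-secret").login("alice", "correct horse"),
        "no_login_call": XAuthClient(server, CONSUMER_KEY, CONSUMER_SECRET).whoami(),
    }


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is where the password lives: it appears in exactly one signed POST, and after that every call is authenticated by the token pair plus the consumer secret. A client that kept the password around would be doing more than xAuth asks of it, and the server side gives it no reason to, which is the property the post describes.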
It’s not obvious how Twitter’s xAuth relates to the burgeoning XAuth lauded by open web advocates.