For marketers and non-technical people: basic explanation of Twitter authentication
A couple weeks ago, I wrote a blog post about how Medium's Twitter authentication process could be a bit confusing for users.
Medium kindly responded to my tweet, and pointed me to their FAQ. Their FAQ indeed says that Medium doesn't post to Twitter on the user's behalf. It didn't explain the "why" behind it, besides linking to the Twitter developer site, which was confusing for a non-engineer.
I ended up asking a few friends, and wanted to share what I learned. If you know of other simple explanations, let me know and I'll link to your post from here.
My friend Chris Poyzer, a senior software engineer at Hinge, explained it here:
"What you're investigating is an OAuth (open standard for authorization) authentication process. It's doing two things for the application.

First, it allows the application to verify the user through the third party service. In this case, it is Twitter.

Second, it opens up access to services allowing the app to act on behalf of the user on the third party.

The process is designed in a way that all this is possible without the app knowing the user's password on the third party service. For example, Hinge uses a similar process to register users through Facebook, but the app never knows the user's Facebook credentials.

So when you sign in on the third party, you also need to authorize the app that you want to use on your account. And at the same time, the app needs to ask for any and all permissions that it needs in order to work.

First, if the app is to tweet at any time for any reason (with your permission or not), it must have access to post tweets on your screen. So the app is asking Twitter if it can tweet for the user, and that is the permission that you are being presented with.

But there's a second part. Once the app has that permission from Twitter, what does it do with it? In Medium's case, they are telling you that they will not abuse this permission -- that they will only tweet when you tell it to. It's a social contract of trust between you, Medium, and Twitter.

Now, some apps never actually post on the user's behalf, but still ask for the permission. This might be because of a couple of reasons. One might be because they are planning future features that require the permission, so they're asking for it now because requesting new permissions will de-authorize the user requiring them to log in again; or, more likely, it's sloppy programming."
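To make the three-party idea concrete, here is a small added illustration (my own toy model, not code from Medium, Twitter or the post): the user types the password only on the third party's own page, the app receives a token tied to the permissions it asked for, and the third party enforces those permissions whenever the app uses the token. The scope names "read" and "write", the user and the password are constructed for the example; Twitter's real protocol differs in its wire details.

```python
# Constructed toy model of a delegated-authorization (OAuth-style) flow.
# Names, scopes and credentials are made up for illustration.
import secrets
from dataclasses import dataclass, field


@dataclass
class ThirdParty:  # stands in for Twitter
    passwords: dict  # username -> password; only the third party sees these
    tokens: dict = field(default_factory=dict)  # token -> (user, scopes)
    timeline: list = field(default_factory=list)

    def authorize(self, user, password, app_name, requested_scopes):
        """User signs in on the third party's page and approves the app."""
        if self.passwords.get(user) != password:
            raise PermissionError("bad login")
        token = secrets.token_hex(8)
        # The token remembers which permissions the user granted this app.
        self.tokens[token] = (user, frozenset(requested_scopes))
        return token  # the app gets this token, never the password

    def post_tweet(self, token, text):
        """The permission check happens on every use of the token."""
        user, scopes = self.tokens[token]
        if "write" not in scopes:
            raise PermissionError("token lacks write permission")
        self.timeline.append((user, text))
        return True


class App:  # stands in for Medium; note it has no password field at all
    def __init__(self, name, scopes):
        self.name, self.scopes, self.token = name, set(scopes), None

    def share(self, third_party, text):
        return third_party.post_tweet(self.token, text)


def user_approves(third_party, app, user, password):
    """The password goes to the third party; the app only receives a token
    (in a real flow this hand-off happens through a browser redirect)."""
    app.token = third_party.authorize(user, password, app.name, app.scopes)


def demo():
    twitter = ThirdParty(passwords={"alice": "constructed-pw"})
    reader = App("read-only app", {"read"})
    user_approves(twitter, reader, "alice", "constructed-pw")
    try:
        reader.share(twitter, "hello")
        blocked = False
    except PermissionError:
        blocked = True  # asked only for "read", so posting is refused
    medium = App("medium", {"read", "write"})
    user_approves(twitter, medium, "alice", "constructed-pw")
    posted = medium.share(twitter, "my new story")  # allowed by the grant
    return blocked, posted, len(twitter.timeline)
```

The model shows why the prompt matters: once "write" is granted, nothing technical stops the app from posting at any time, so what it actually does with that permission is the trust question the post describes.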