OAuthcalypse

So, I have a twitter/status.net app that I use to consolidate all the micro-blogs I’m on and produce a single timeline in a sidebar of my news page. It was originally written as a python plugin for pyblosxom, which runs the rest of the site. It turned out that this caused huge delays in producing the page, though, so I eventually rewrote it in javascript.

This is really nice because it all runs client-side and can take its sweet time to pull in the feeds without affecting the rendering of the bulk of the page. It grabs the friend feeds, so it needs to log in to the various sites, and it uses http basic auth for this. Nice and simple.

I’ve just learned of the coming OAuthcalypse though, where the basic auth method is going to be disabled, and this presents me with a quandary. I need to update my app to use OAuth, and there are three ways I could do this:

1) Implement OAuth in javascript. This is a really bad idea. OAuth signing needs the consumer secret, and as javascript has to be sent to the browser in plain text, that secret wouldn’t remain secret for long.

2) Move the app back server side and implement OAuth in python. Again this is a bad idea: I moved it client side for a reason, and putting it back server side would bring back the unacceptable page-rendering delays.

3) A hybrid approach where the OAuth signing is done server side, and the requests themselves remain javascript on the client. Having had a brief look at how OAuth works, I think this might be possible: the secret is only needed to produce the signature, and the signature itself can be handed to the browser. It will still slow things down, but it might be good enough. It’s going to be a pain in the arse to implement though.
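To make the hybrid option concrete, here is an added example (not code from the original post, and not the author’s app) of the server-side half: OAuth 1.0a HMAC-SHA1 signing as the Twitter API of the time used it. The server builds the signature base string, signs it with the consumer and token secrets, and returns only the finished `Authorization` header to the browser; the secrets never leave the server. A `verify_signature` function shows what the API provider does on receipt, which also demonstrates why the signed header cannot be reused for a different request. The API URL, the credentials and the `SIGNABLE_REQUESTS` allow-list are constructed placeholders for illustration.

```python
# Added example: OAuth 1.0a HMAC-SHA1 signing kept server side (option 3).
# All keys, tokens and URLs below are constructed placeholders, not real values.
import base64
import hashlib
import hmac
import secrets
import time
import urllib.parse

# Constructed credentials: in a real deployment these live only on the server.
CONSTRUCTED_CREDS = {
    "consumer_key": "ck-constructed",
    "consumer_secret": "cs-constructed",
    "token": "tok-constructed",
    "token_secret": "ts-constructed",
}
TIMELINE_URL = "https://api.example.test/1/statuses/home_timeline.json"

# The server only signs requests it expects the timeline widget to make; without
# this, anyone who can reach the signing endpoint could get arbitrary API calls signed.
SIGNABLE_REQUESTS = {("GET", TIMELINE_URL)}


def percent_encode(value):
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only unreserved chars kept)."""
    return urllib.parse.quote(str(value), safe="-._~")


def signature_base_string(method, base_url, params):
    """METHOD & encoded base URL & encoded, sorted 'k=v&k=v' parameter string.
    base_url must not carry a query string; query params go in `params`."""
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(base_url), percent_encode(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    """Key is 'consumer_secret&token_secret' (each percent-encoded); output is base64."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_for_client(method, base_url, query, creds, nonce=None, timestamp=None):
    """Server side: return the Authorization header the browser should attach.
    Only the signature and public identifiers are returned, never the secrets."""
    if (method.upper(), base_url) not in SIGNABLE_REQUESTS:
        raise PermissionError("refusing to sign a request outside the allow-list")
    oauth = {
        "oauth_consumer_key": creds["consumer_key"],
        "oauth_token": creds["token"],
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, base_url, {**query, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(
        base, creds["consumer_secret"], creds["token_secret"]
    )
    return "OAuth " + ", ".join(
        f'{percent_encode(k)}="{percent_encode(v)}"' for k, v in sorted(oauth.items())
    )


def parse_authorization_header(header):
    """Turn 'OAuth k="v", k="v"' back into a dict of decoded parameters."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth Authorization header")
    out = {}
    for part in header[len("OAuth "):].split(", "):
        k, v = part.split("=", 1)
        out[urllib.parse.unquote(k)] = urllib.parse.unquote(v.strip('"'))
    return out


def verify_signature(method, base_url, query, header, consumer_secret, token_secret):
    """What the API provider does: recompute the signature over the received
    method, URL and parameters and compare it in constant time."""
    oauth = parse_authorization_header(header)
    received = oauth.pop("oauth_signature", "")
    base = signature_base_string(method, base_url, {**query, **oauth})
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    header = sign_for_client("GET", TIMELINE_URL, {"count": "20"}, CONSTRUCTED_CREDS)
    print(header)  # this is all the browser ever sees
    print(verify_signature("GET", TIMELINE_URL, {"count": "20"}, header,
                           CONSTRUCTED_CREDS["consumer_secret"],
                           CONSTRUCTED_CREDS["token_secret"]))
```

Two things follow from the signing rules that matter for the hybrid design. The signature covers the method, the URL and every parameter, so the browser must send exactly the request the server signed, and the server can safely restrict itself to an allow-list of requests like the one above. And because the `oauth_timestamp` and `oauth_nonce` are part of the signed data, each page load needs a fresh signed header rather than a cached one. The client-side request also has to carry a custom `Authorization` header to the API origin, which a cross-origin browser request can only do if the API permits it.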

Well, at least I know what I’m doing with my Bank Holiday.