Twitter, you need to do a better job at communicating with the developer ecosystem that has been formed around your API for the past couple of years.
At least, that’s the message the developers themselves seem to be sending out to the startup at an increasing rate. Jesse Stay from SocialToo wrote something about this earlier today on his blog, criticizing the startup over a change it made to its following limit policy without notifying anyone else prior to the tweak actually being implemented.
Now we’re hearing from more and more developers who have noticed that OAuth, an open authorization protocol that Twitter has been testing in public beta for about a month now, has been “temporarily disabled”. Naturally, Twitter is abuzz with angry and confused third-party application developers, some of whom started reporting that OAuth had stopped working as early as three days ago. That means some of them have been unable to let new users sign up for quite a while, and although some are saying that Twitter knows about the problem and is working on a fix, silence from the company seems to be the key trend here.
Update: they did respond to a query (again from Jesse Stay) in this group, saying that the problem should be solved in 48 hours. (message from 12 AM, Apr 21)
Meanwhile, Twitter’s lead API developer Alex Payne has admitted that the startup is coping with a ‘big support backlog’ and that they’re trying to hire more people to handle the load.
Update 2: Here is Twitter’s official response. Finally letting everyone in on the secret, it says it took down OAuth because of a security hole.
(Thanks to Adarsh Dilip for bringing this to our attention)









Wow, you really channeled the Dev’s anger in this post. I wonder if Evan will respond to and apologize for this setback…
Wait, so Twitter actually uses the “beta” signifier appropriately, and everyone freaks out when it’s at less than stable release quality?
There is feedback to developers, it’s just not as much information as devs would like. What more do you want than “it broke, we’re working on it, fix coming.” What more than that is even useful?
Plus:
“Twitter, you need to do a better job at [XYZ]”
-> False!
Twitter doesn’t need to do anything. It’s just one more monopoly, like FB and whatever.
Competition is disabled for Twitter. End of story.
You’re an idiot. Jaiku is Twitter’s competitor and was bought by Google in 2007, so they do have competition; it’s just that Google sees no use in any such app. The eventual cost of maintaining Twitter will rub them out.
herman – might agree with you if they had no money or were a super complex app – but they’ve got plenty of funding, and plenty of quality underemployed talent to pull from that they can be tapping into.
That and hire some customer service reps to wade through their backlog of customer complaints (some of which have been hanging unanswered for months).
This one isn’t entirely Twitter’s fault. Techcrunch is apparently missing some sources in the right places.
Stay tuned and this cryptic message will make sense in the next 24-48 hours.
The message is not that cryptic really, and if Twitter knows what’s going on it should probably let third-party developers in on it.
Nope, not in this case.
This comment makes it sound like something deliberate is going on, which is just going to frustrate developers even more. If it affects developers, be transparent about it!
I agree with Foo. There are some things that it’s best not to be transparent about. This is one of them. Give it a couple days.
Yet another twitter related post on TC.
Great comment!
That does not help you at all.
Great Twitter post!
Great comment comment!
This is seriously getting a little sad. There are so many ideas and startups out there, that have not been discovered by the masses, but deserve mention, and here TwitCrunch is, day after day, “informing” us about a company, that is so over discovered, that I am throwing up!
It’s like bringing the same headline first in the 6 o’clock news, day, after day, after day.
/Ulrik.
/Ulrik,
You know, in modern times, it’s not THE job of a reporter to “discover” something worthy. Most of them see their job to win eyeballs, and the resulting revenue for their media.
It’s your job to formulate a “story” that has both mass appeal to the pub’s perceived audience and is attention catching to the reporter.
Regrettably, that’s an endeavor of yours, not the reporter’s.
Best Wishes to you.
It’s kinda ironic that Twitter users count on companies to monitor and respond to our complaints, but that doesn’t seem to apply to Twitter itself. Has there been any “official” response someone can point to?
Actually, Twitter is pretty explicit about it. You just need to follow http://twitter.com/OAuth. On Jan 24, it announced that Twitter considered OAuth beta, and based on the fact it’s not updated, so it still is. Even among FOSS, this truth about betas should always be kept in mind: “use it at your own risk”.
I really can’t believe they would just disable a service like this that everyone is dying for. Makes me question whether I should have re-programmed my website for OAuth. Worst part is that no one is saying anything about it, at least from Twitter’s end.
Active AccessTokens are still usable. But the auth process is down.
My tokens have not stayed active for more than a day or so. They seem to expire quickly so I had to add another layer allowing the user to check their token before they spend time creating a post. I completely agree with the earlier comment that said it was ironic that companies monitor Twitter to ensure their customers are happy but they themselves are a bit above doing this. I spent a week converting my site to OAuth and now I’m dealing with someone who acts like THE CABLE COMPANY and I am out of service!
This unfortunate event has caused us at http://TweetPhoto.com two more days of development to work around this unforeseen issue.
Twitter did not tell anyone in advance they were disabling OAuth. You would think a guy that is connected like Kevin Rose would know about this given he uses Twitter OAuth on http://wefollow.com and no one has been able to login for at least 12 hours.
Our new launch date for http://TweetPhoto.com has been pushed to April 30, 2009.
Two days, really? That’s surprising. Not sure what all your developers have to “work around.” We were able to switch over to a temporary basic auth flow (including design, UI development, and implementation) in a couple hours. Sure it was an inconvenience, but certainly didn’t lock us up for 2 days.
Twitter changed lots of things this past week. My thoughts are Twitter is going the same path as FB. Limit cap to 5.000 and then a few weeks later, create fan pages, and that, my friend, is how you get celebrities to sign up. Is this good for the average Joe Twitter profile? Not really. Is it good for spam? Hell yeah.
I am very sorry to hear about this especially for the Dev’s from Socialtoo, TweetLater, Twollow, MrTweet without those services twitter would now have less users, less visitors.
To be honest, the biggest mistake was that they put up the freaking suggested user list. And that list is not even algorithmically generated, it’s all hand made, you give someone (hm who?…) BJ, Good Blog Post or Few thousands and you are on that list in less than 24hr…
It’s all Ego ….
Hi LiveCrunch,
Had a dinner with Robert Scoble @scobleizer the other day, and we talked spam resistance of social media services and Twitter’s limits on API requests.
He found our approaches in both regards simple and elegant.
He soon said so in public: http://bit.ly/i5Gf8 (although TweetBrain, my latest venture, can do far more. See https://tweetbr...m/home/faq#u145)
Regarding OAuth, we made it extremely clear since the day TweetBrain went live on April 7 – we won’t use it until it’s “field proven”. We respected our engineering team’s inputs, and now we reap the benefits. Please see https://tweetbr...om/home/faq#u35
Might be a temporary glitch (need to wait for Twitter or Foo to fill us in), but always a risk to build your company entirely on another company. See Allen Stern’s blog yesterday:
http://www.cent...another-company
It’s a joke that OAuth was, among others, developed first by Blaine Cook, and, for a short time, they had one of the earliest OAuth gateways. As the spec finalized, they didn’t have the resources to comply with that, so they just shut it down completely.
Now, after a hiatus of a year or so, they re-enabled the service, for a few months it seems…
We’re waiting to adopt OAuth until it’s out of beta for reasons like this. Unfortunately I think the lack of OAuth integration probably does prevent some users from logging in to our service, but most users seem to be relatively trusting.
To me OAuth getting disabled to new account links is a bigger issue than the follow limit control. I don’t like that anyway. Someone automatically following me in the pursuit of me either running a service that auto co-follows or me following people who follow me back so they can expand their influence. Aside from they can still do this in a scaled down capacity, the concept never was part of twitter’s original intent anyway. The timeline is where it all started. But this isn’t about that so let me not stay on that tangent.
I do think better announcements should be made but in their defense, @twitterapi did post April 20th, 6:04 pm Eastern “oauth/authenticate is currently disabled, @guan, please see http://bit.ly/R7HQ4 ^DW”
But I wonder, what’s the best way to contact developers when there’s an issue or change? I run an application that the e-mail address for its twitter page processes all e-mails that come in. Anything that’s not a new follower notification gets ignored by the script it pipes to. @twitterapi makes some notices but not every developer’s following that page. There’s a google group but not every developer’s a member of that page. But even outside of developers, users in general get delayed notifications of things. So yes, improvement does need to be made in communication.
From Twitter API 18 hours Ago…
Sign in with Twitter (oAuth) should be back in a day or two. More details to come at that time. ^DW
Well said, only that’s more than 140 characters.
Twitter should be able to clearly communicate the issue and make everyone happy in 140 characters.
I don’t understand why so many problems have Twitter.. Maybe they cannot buy some good hosting service?
I don’t understand have, either.
It is not working on http://www.Splits.org
Relay… and have a fail ale:
http://img.ly/M
Cheers
*.sebastian
Can someone please buy twitter from these amateurs?
Of course Adarsh Dilip Pallian is on top of this. He’s doing incredible work on the Twitter platform.
thanks andrew – although @tweetizen is a big fail whale at the moment.
we’ll be reverting it back to regular login… no more OAuth till they are out of beta.
Hi Robin,
Last week, you asked me why TweetBrain doesn’t use OAuth, I pointed you to our FAQ https://tweetbr...om/home/faq#u35
Now we are not left hanging
I am glad to see that this critical engineering decision of ours is vindicated by your own post.
People shouldn’t be attracted by buzzwords and anything that’s “on the bleeding edge” despite the possible “coolness”. When running a service, the most important thing is to provide robust operation and high availability to customers. To achieve high security without hampering convenience, there are many comparable approaches that are more mature than the still evolving OAuth.
Prudence is highly desirable indeed.
Thanks for getting this out in the open Robin. It seems TechCrunch is the only thing Twitter listens to these days. Great post.
Jesse- Thank you for getting these posts out here. Your post last week that had the video you took with Scoble from last spring was great as well. I am surprised there isn’t a larger backlash with all of these issues. I am waiting for someone to come along and fix all of these issues, do micromessaging better, and steal all of Twitter’s thunder.
Are the comments capped?!
Sounds like there’s some massive security hole they’re busily patching up…
I have to agree with you Max M. There must be some sort of major security issue with Twitter’s OAuth that they didn’t want to tell what is going on for fear people would exploit it!
In 2+ years I’ve never seen Twitter announce a major change before implementing it. Their unstated policy seems to be “implement change unannounced – wait to see if important people notice & complain – adjust accordingly”.
It’s the oddest Development Life Cycle out there for a major player out there… can’t imagine having to dev 3rd party apps for them. Must always feel like living on the razor’s edge.
Regarding OAuth – there are 2 issues with OAuth. The one I was asking about and they responded to (after the fact, even though they knew it was down) is regarding their “sign in with Twitter” feature. The other one, which is OAuth in general, got a response, “more on this in a few”. So the second, and even greater issue, we still know nothing about.
Come on Twitter – we need some communication here!
My understanding is that OAuth for Twitter is in beta–in the true sense of that term, not “Google beta” like Gmail has been for 5 years.
That means, don’t run a production service that relies only on OAuth. It means it still has bugs and may not be available all of the time.
Yahoo’s OAuth is down today as well. Coincidence?
http://develope...&#entry3727
Twitter is behaving like the Cable Company! Tweet #Cable Company maybe they will start caring
There is a reason why OAuth is down for major providers, and all will be made clear soon to the public.
Too bad Techcrunch doesn’t have the sources that I have.
Twitter would be pretty crippled without the apps. If they were smart they would hire these developers and bring the best ones to the inner circle. There are only a small handful of them that are worth anyone’s time at all. SocialToo, TweetDeck, Twhirl, & maybe a couple more I don’t know about.
We resisted the “perceived” pressure from our users to use OAuth right from my venture’s inception on April 7.
We made it clear that we would be OAuth ready but wouldn’t switch to it until we are confident that it’s really “field proven”. Please see our FAQ: https://tweetbr...om/home/faq#u35
The unhealthy “Get it out now” mentality so common among Web 2.0 startups now comes back and haunts them. So, perhaps this experience has a silver lining to it.
Rome was not built in one day, and we should move fast, but not at the expense of practicing sound engineering.
I’m glad your principled insistence on proven technology worked out for you. But we’re not that fortunate.
We’re building an application that posts tweets. For the tweet to be attributed to us, e.g. 5 minutes ago from MashLogic, Twitter mandates OAuth. So we’re stuck.
I hope they get this back on track soon.
I really don’t understand what the problem is here. OAuth is in beta. Does nobody understand what that means? Any site that implements OAuth without either explaining to users that it’s in beta and/or providing the alternative of basic auth while that’s the case was simply asking for trouble, and complaining about it like a bunch of whiny school kids is not gonna help. Betas are fluid – deal with it!
I’m sure glad the Gmail team doesn’t share your opinion.
If Google had a reason to suspend access to Gmail for a period of time I’m sure you’d complain about that too, but it doesn’t mean you have a valid point.
Let me get this straight. You are building a business off of someone else’s business. You don’t have a contract/agreement/etc with that business. Then you cry foul when they make changes that help their business, but hurt you?
Compound that with the fact that you are building your business/service off their BETA products and you freak when those services don’t work as advertised?
I’m sorry but it sounds like whining to me. If you need a certain level of service from Twitter, then work with them to get one. I am sure money still talks. Until then your sorry freeloading ass gets what it pays for.. Absolutely Nothing…
If twitter sucks and is incompetent then use a better source. Oh wait, you need their users.
Derek – that’s a ridiculous argument. Twitter benefits as much as if not more than third party services from the existence of those services. Do you think Twitter would be as successful without TwitPic?
Think of how many free services you use in your life that you come to depend on and would be angry if they just changed things underneath you.
So the point is there is a symbiotic relationship between app developers and “platform providers”. Having downtime by itself doesn’t violate that relationship, but massive (48 hours is massive) and unannounced outages are communicating that Twitter doesn’t ACTUALLY care about the devs. (I think it’ll come out that this was a massive security hole, so it will be clear they didn’t have a choice).
Remember Friendster?
Well put, Derek.
here is word from twitter on this issue. I think it was just posted http://blog.twi...with-oauth.html
Stupid twitter!! I can’t join wefollow and a bunch of other sites that use this. Also their PICTURE upload is broken, and tons of people are complaining. Their support is overloaded, and just got a “too many tweets.” No good!
Right, and here is the “responsible” story from cnet:
http://news.cne...0225103-36.html
I wish Techcrunch would take a few hints from cnet on stories like this.
Except CNet was incorrect that my article was about OAuth.
An email just went out from twitter, here it is:
http://blog.twi...with-oauth.html
In short: there’s a security issue with OAuth, and the major OAuth providers are working together to patch the vulnerability before information about the issue is publicly released. That information will be available at http://oauth.net/ at midnight, PST.
In cooperation with this consortium of other OAuth providers (including Yahoo!, Google, Netflix, etc.), we agreed not to disclose the nature of the vulnerability, nor even that a vulnerability existed, until all members of the group agreed to do so. I apologize for what must have seemed unnecessarily tight-lipped communication around this issue, but please understand that we and the other companies involved are trying to mitigate the impact of this vulnerability as much as possible.
Please also note that our OAuth support is in beta, albeit public beta. We have not suggested to developers that they rely solely on OAuth until our support of the standard leaves beta. I know that some companies practice a policy of “perpetual beta”, but at Twitter, we do not. For us, “beta” really means “still in testing, not suitable for production use”.
Thanks for your patience and understanding.
–
Alex Payne – API Lead, Twitter, Inc.
http://twitter.com/al3x
IMHO, part of the reason why that Twitter is having this OAuth fiasco is that some reporters who don’t have low level protocol and implementation expertise to make judgements popularized OAuth because of its “newness”, “coolness”, or “sensation”.
The following are a few “contributions” from Tech Crunch in this regard. Look at the 4th example that I cited. It was written by Robin too. The rest were by his co-workers:
Jason Kincaid on March 16, 2009 http://www.tech...in-public-beta/
Erick Schonfeld on January 29, 2009 http://www.tech...great-together/
Duncan Riley on October 2, 2007 http://www.tech...oauth-and-apml/
Robin Wauters on January 17, 2009 http://www.tech...-were-morphing/
Everything takes time to mature. I remember back in my Stanford Days, Professor Don Knuth said once that writing software is the toughest endeavor that he had during his professional career. Now you have all these Web 2.0 guys telling you that if you don’t get things done in 90 days, you are dead. Huh? When did this become an accepted engineering practice? Bright as Richard Stallman, he didn’t write Emacs in 90 days! How many of us can match his software brilliance?
To Robin’s credit, at least he wrote up this very article. But to other readers of this article, please remember a reporter’s job is to find attractive stories to generate traffic (and thus revenue). Cynical? perhaps, but it’s true. Deal with it.
Could we laud their step instead, as they have taken the right action at the right time? I know how much it would have sucked if they had been caught unaware by a security hole, and hence impacted a lot of developer applications. I am all for them!
IMHO, part of the reason why that Twitter (and others) is having this OAuth fiasco is that some reporters popularized OAuth, drawn by its “newness”, “coolness”, or “sensation”.
Most of them do not have low level expertise/experience with protocol design and implementation, so you really can’t blame them for such “fault”.
For instance, Robin wrote one on OAuth on January 17, 2009. His co-workers Jason Kincaid did one on March 16, 2009, Erick Schonfeld on January 29, 2009, Duncan Riley on October 2, 2007, among others.
Everything takes time to mature. I remember back in my Stanford Days, Professor Don Knuth said once that writing software (in this case, TeX) is the toughest endeavor that he had ever had during his professional career.
Now you have all these Web 2.0 guys telling you that if you don’t get things done in 90 days or less, you are dead. Huh? When did this become an accepted engineering axiom?
Bright as Richard Stallman, he didn’t write the fantastic Emacs editor in 90 days! How many of us can match his software brilliance?
To Robin’s credit, at least he wrote up this very article. But to other readers of this article, please remember a reporter’s job is to find attractive stories to generate traffic (and thus revenue). So, read such rags for your entertainment.
Cynical? perhaps, but it’s true. Deal with it.
Here’s Twitter in a photo nutshell:
Sorry, here’s the photo; not sure why it didn’t show up in the first comment.
This is a very good comment: This comment makes it sound like something deliberate is going on, which is just going to frustrate developers even more. If it affects developers, be transparent about it!
Twitter is like a breath of fresh air on the Social Media scene. I have been on it for just a few weeks now and I have met several interesting people. It is a platform to network with people you would like to meet in real life.
http://Spryka.com
If everyone here is so quick to judge, then 1) why didn’t you notice the security issue in the OAuth protocol, and 2) why aren’t you there now trying to fix it?
It looks to me like Twitter did exactly the right thing here. There was a security hole, they shut down their OAuth support to close the hole. Especially since OAuth was in beta, that’s not something you can criticize them for — it’s completely within their rights, and to be expected of a beta service. Then, they took abuse from folks like Robin, and angry developers for a week while other less speedy companies put together a fix. Then they explained what went wrong. What really boggles my mind is how unapologetic Robin is in the final update of the article.
Twitter should read this article, gives pretty good advice on some digital security issues.