I want to build a desktop application that might need to tweet on behalf of the user. If I want it to be simple for the user - just enter the twitter username and password, and everything is fine -, then I have to either ask for the right to do this xoauth stuff or to do things that I’m not supposed to do (like using the username and password in the background to generate an oauth token from the regular webinterface applications aren’t supposed to use), right? Why? Can’t I just use normal HTTP Digest or so?
Basic/HTTP Digest auth is not supported on the API. It would require your application to store username and passwords, which is not a practice we want to enable.