I think this ends up being kind of a philosophical debate with no right answer. I agree with you that the ideal solution is the external web browser loading the provider's page so that the user never types their credentials into a site or window that isn't the one that belongs to the service.
But because these are AIR applications and they're already running in a trusted environment, it seems like the user already trusts the application not to do anything harmful and so from a UX standpoint, just using AIR's HTML component is a better solution. My 2 cents. =Ryan [email protected] On Sun, May 2, 2010 at 1:44 PM, [email protected] < [email protected]> wrote: > > > Anyone know of a good solution for OAuth and AIR. I've seen oauth-as3 and > am not to confident this is the right solution. I primarily feel this way > due to the lack of external browser loading during token verification. > > >
