On Sat, Feb 21, 2009 at 6:55 AM, Christian Scholz / Tao Takashi (SL) < [email protected]> wrote: > > > I guess you wanted to link to http://wiki.oauth.net/iPhoto-to-Flickr >
Whoops, thanks! > Would be happy to have a discussion about these current examples, >> especially in light of some of the recent feedback from Twitter devs [1][2]. >> > > So I am wondering in the iPhone case how I can be sure that I am really at > yahoo and not somewhere else. I don't see any URL, whether it's SSL or not > etc. and even if I would this application could of course fake this as well > (which I guess is also the point in [1]). So I agree with [1] that a better > way would be something inside the OS to provide that but that this of course > also might not happen (or at least soon). > Exactly. Changing the OS is a long way off if people want to use these technologies today. As far as the security issues, this is a problem that was discussed recently on the OpenID User Experience list: First message: http://openid.net/pipermail/user-experience/2009-February/000298.html Follow the thread: http://openid.net/pipermail/user-experience/2009-February/thread.html I can't say that we came to a satisfying conclusion. However, one option could be to do the authentication bit in the app, and if the user is concerned about using the built-in browser, offer a link to sign in via the browser. Of course, if it's a nefarious app, they probably will just not include that link, and without UI consistency where people know to look for such a thing, that may be a moot option. Therein lies the argument *against* popping the authentication to the browser: if you're using a nefarious app and have launched it, you're probably hosed already. It's probably just a matter of time before some Jailbroken iPhone app for Facebook proves this point, so we're at a cross-roads between user education and usability. > I also see this more as a problem for e.g. the iPhone where you usually > need to close the application in order to jump to safari. This is not such a > problem on the desktop and (as you demonstrate) has been done for quite a > while with flickr. > Pownce actually did this, and I don't think that the experience was all that bad: https://wiki.oauth.net/OAuth-for-Pownce-on-iPhone With using custom protocol handlers, you can make the experience quite smooth actually. Confining the user to the task at hand is a bit harder, but it's not impossible to handle the case where the user never completes authentication. > I also agree with [2] that authenticating for multiple services might make > this whole process a bit annoying. We might also face this issue in the > proposed MMOX IETF working group[3] if we go with OAuth and in order to > connect to a world you might first need to authorize various services > (profile, inventory, contacts, IM, ...). > Yeah, this is why I advocate for strong identity, and an identity hub that essentially talks to your federated services on your behalf, but is your single point of authorizing third party apps to interact with your stuff. I hope these visual examples help to demonstrate current practices in the wild. I know that this kind of thing freaks us out: http://www.flickr.com/photos/factoryjoe/3260710115/ ...but it's clear that that's not the case for all developers. Chris -- Chris Messina Citizen-Participant & Open Web Advocate-at-Large factoryjoe.com # diso-project.org citizenagency.com # vidoop.com This email is: [ ] bloggable [X] ask first [ ] private --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
