And how is it any different from an OpenID request without association? The RP has to go over to the IDP and ask it if the signed request is valid (as opposed to if the token/secret pair is valid and authorized).
EHL

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Eran Hammer-Lahav
> Sent: Friday, April 17, 2009 7:37 AM
> To: [email protected]
> Subject: [oauth] Re: http://apiwiki.twitter.com/Sign-in-with-Twitter
>
> How does this distinction make this solution any less secure? What exploits are possible here and not, say, using OpenID or HTTP Basic Auth?
>
> EHL
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of Breno
> > Sent: Friday, April 17, 2009 7:33 AM
> > To: [email protected]
> > Cc: OpenID user experience; DiSo Project
> > Subject: [oauth] Re: http://apiwiki.twitter.com/Sign-in-with-Twitter
> >
> > Sorry, Eran, but it is not an authentication protocol. An authentication protocol must be signed by the authenticator, not by the authentication requester.
> >
> > On Fri, Apr 17, 2009 at 12:26 AM, Eran Hammer-Lahav <[email protected]> wrote:
> > > Of course it is an authentication protocol. You make authenticated API requests. It is also a delegation protocol in the way usernames and passwords are exchanged for tokens.
> > >
> > > The only thing it doesn't have that OpenID has is discovery, but since it is a single vendor solution, it doesn't need any.
> > >
> > > My thoughts [1].
> > >
> > > EHL
> > >
> > > [1] http://www.hueniverse.com/hueniverse/2009/04/twitter-connect.html
> > >
> > > From: [email protected] [mailto:[email protected]] On Behalf Of Dirk Balfanz
> > > Sent: Thursday, April 16, 2009 10:57 PM
> > > To: OpenID user experience
> > > Cc: [email protected]; DiSo Project
> > > Subject: [oauth] Re: http://apiwiki.twitter.com/Sign-in-with-Twitter
> > >
> > > Is this Sign-in-with-Twitter supposed to be to sign into other sites using your twitter account, as in "sign into myhealthrecord.com using your twitter account"?
> > >
> > > I don't think that's secure - OAuth is not an authentication protocol.
> > >
> > > Dirk.
> > >
> > > On Thu, Apr 16, 2009 at 5:15 PM, Ben Clemens <[email protected]> wrote:
> > >
> > > The nascar situation is akin to the difficulty in handling share (digg/facebook/email/myspace/buzz/etc/etc) options for content. Everyone has it on content pages, but it's almost impossible to guess which subset of sharing sites you can show without overwhelming people (actually there is a hack to figure out which of them have been visited, but anyway...). Really all you can do is choose 3-5 of them that work well and provide a link for more.
> > >
> > > For choosing which identity providers, that means I'll pick Google openid+oauth, Facebook, and Twitter to feature (and offer others secondarily). It's unfair and leaves out major players, but at least I know those offer my users solid authentication and pass basic user attributes so I can make an account for them without a lot of trouble. Hopefully as people start to use these the most reliable, seamless experience will win and identity will settle around a few major players.
> > >
> > > On 4/16/09 4:21 PM, "Chris Messina" <[email protected]> wrote:
> > >
> > > Just wanted to point out that Twitter is now offering sign-in with one's Twitter account using OAuth:
> > >
> > > http://apiwiki.twitter.com/Sign-in-with-Twitter
> > >
> > > And, as if we didn't have enough buttons for the NASCAR [1], you can now use Twitter's button:
> > >
> > > http://twibs.com/oAuthButtons.php
> > >
> > > Oh, and it might interest some folks that there are interesting conversations going on about Twitter's authorization interface:
> > >
> > > http://groups.google.com/group/twitter-development-talk/browse_thread/thread/0a1739326384dac6?pli=1
> > >
> > > Chris
> > >
> > > [1] http://tr.im/fj_openid_nascar
> >
> > --
> > Breno de Medeiros
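To make the two halves of the exchange debated in this thread concrete, here is an added example (not code from the thread, from Twitter, or from any OAuth library) of OAuth 1.0 HMAC-SHA1 request signing: the requester (RP) signs with the consumer and token secrets, and the provider recomputes the signature from its stored copies of those secrets and compares. The endpoint URL, secrets and request parameters are constructed placeholders.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed sample secrets: the relying party (OAuth consumer) holds them,
# and the provider has the same values stored server-side.
CONSUMER_SECRET = "rp-consumer-secret"
TOKEN_SECRET = "user-token-secret"
URL = "https://idp.example/1/verify_credentials.json"  # placeholder endpoint

# Constructed request parameters; nonce and timestamp fixed so runs repeat.
SAMPLE_PARAMS = {
    "oauth_consumer_key": "rp-key", "oauth_token": "user-token",
    "oauth_nonce": "n1", "oauth_timestamp": "1239950000",
    "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
}

def _enc(s):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal
    return urllib.parse.quote(str(s), safe="-._~")

def signature_base_string(method, url, params):
    # Encode keys and values, sort by encoded key, join as k=v&k=v,
    # then encode the whole normalized string once more.
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(url), _enc(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    # HMAC-SHA1 over the base string, keyed by consumer_secret&token_secret.
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def rp_build_request(params):
    # Requester side: the RP signs its own request and attaches the signature.
    signed = dict(params)
    signed["oauth_signature"] = sign("GET", URL, params, CONSUMER_SECRET, TOKEN_SECRET)
    return signed

def provider_verify(received):
    # Authenticator side: strip the presented signature, recompute it from the
    # secrets stored for this consumer/token, and compare in constant time.
    presented = received.get("oauth_signature", "")
    unsigned = {k: v for k, v in received.items() if k != "oauth_signature"}
    expected = sign("GET", URL, unsigned, CONSUMER_SECRET, TOKEN_SECRET)
    return hmac.compare_digest(expected, presented)
```

A request whose token or any other parameter is altered after signing, or that carries no signature at all, fails `provider_verify`; the provider learns only that the holder of these secrets produced the request, which is the point both sides of the thread are arguing over.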
