On 4/24/09 1:15 AM, pkeane wrote:
> But I still have a sense (as Dossy above suggested) that OAuth in its
> 3-legged form must address the need for an authentication mechanism.
> As Eran said in his post, the three pieces: (A) get request token, (B)
> authorize request token, (C) get access token need to "all" be
> connected. [...]
>
> The weakness is in the A-B connection. There are numerous ways to
> mitigate the risk & I think user experience and security strength are
> inversely proportional. [...]
I agree.
What about this kind of process:
1) Consumer sends User to Provider to authenticate.
2) Provider authenticates User and sends them back to Consumer with
an authentication token.
3) Consumer issues a request token from Provider.
4) Consumer sends User to Provider to authorize the request token.
5) User (already authenticated with Provider) authorizes the token.
6) Provider sends User back to Consumer.
7) Consumer upgrades the request token to an access token from Provider.
Now, the worst-case UX here is two interactions at Provider, one to
authenticate and one to authorize. Note: This is NO different than the
current UX, where the Provider has to authenticate the User before
allowing them to authorize the token in the current spec! I am simply
requiring that the authentication step happen with a different timing
than the current spec does.
The best-case UX is that the User has previously authenticated with
Provider and has previously authorized the Consumer. In this case, the
User is simply bounced back and forth between Consumer and Provider
twice, but requires no actual interaction. IMHO, this is the "ultimate"
good UX possible.
--
Dossy Shiobara | [email protected] | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
"He realized the fastest way to change is to laugh at your own
folly -- then you can let go and quickly move on." (p. 70)
You received this message because you are subscribed to the Google Groups
"OAuth" group.