On Apr 24, 1:29 pm, Dossy Shiobara <[email protected]> wrote:
> On 4/24/09 1:18 PM, Zachary Voase wrote:
>
> > The point I'm trying to make is that this is an intractable problem; I
> > don't know how to explain it in clearer terms than this: the issue is
> > one of being able to read the user's mind and find out if they are who
> > they say they are. The two-point solution I'm trying to push ensures
> > that requests are as authentic as possible. *Any* solution will be
> > heuristic because of the architecture on which OAuth works (a
> > combination of HTTP, TCP/IP, and Homo Sapiens).
>
> It's not an intractable problem.  There's no mind-reading required, just
> a design that isn't flawed by design.
>
> I have yet to see anyone explain why my proposal of authenticating with
> the SP _first_ before starting the authorization flow with OAuth does
> NOT eliminate this risk _completely_.  Someone please shoot a hole in
> the idea if it's at all possible.

I'm pretty sure it does.  Let me see if I can sketch out the scenario:

1. user goes to photoeditor.com to edit some photos.  photoeditor.com
gives me a menu of "partners" that I can use photos from: Flickr,
Picasa, etc.
2. I select Flickr and I am immediately sent to sign into my
account (using my Flickr user/pass).
3. Now instead of sending me back to photoeditor.com, I am forwarded
to the Flickr OAuth page where it asks "do you want to continue on to
photoeditor.com"?
4. I click "yes," and I am forwarded back to photoeditor.com fully
able to edit my Flickr photos.

Is that possible? I'm not sure it matters what order things are done
on at the SP -- the basic idea is that the A & B steps are collapsed
down into *one* step, all of which happens on the SP.

Apologies if it is an obviously flawed idea -- just trying to get my
head around it.

--peter

>
> --
> Dossy Shiobara              | [email protected] | http://dossy.org/
> Panoptic Computer Network   | http://panoptic.com/
>    "He realized the fastest way to change is to laugh at your own
>      folly -- then you can let go and quickly move on." (p. 70)
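The four-step sequence sketched in the message above, written out as a toy model so the state the service provider has to track is visible. This is an added example, not code from the thread, from Flickr, or from any OAuth library; the class and function names, the token formats and the account "alice" are all assumptions, and the model says nothing about whether Peter's question is answered one way or the other. What it does show is the ordering the sketch relies on: the SP issues a request token to the consumer, the authorization prompt is reachable only from an SP session that has already signed in, and the token exchange succeeds only for a token that such a session said "yes" to.

```python
"""Toy model of the 'one step on the SP' flow from the message.

Added example, not from the thread or any OAuth implementation. All names
(ServiceProvider, run_flow, the consumer "photoeditor.com", the user "alice")
are assumptions made for illustration.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class ServiceProvider:
    """Stand-in for the SP (the 'Flickr' role in the sketch)."""
    users: dict                                   # constructed: username -> password
    request_tokens: dict = field(default_factory=dict)  # token -> {"consumer", "authorized_by"}
    access_tokens: dict = field(default_factory=dict)   # access token -> username

    def issue_request_token(self, consumer):
        """Step 1: the consumer starts the flow and gets an unauthorized request token."""
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"consumer": consumer, "authorized_by": None}
        return token

    def login(self, username, password):
        """Step 2: sign-in happens on the SP before any authorization prompt is shown."""
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        return {"user": username}             # SP-side session for the signed-in user

    def authorize(self, session, token, consumer, answer):
        """Step 3: the 'continue on to photoeditor.com?' prompt, only for a signed-in session."""
        entry = self.request_tokens.get(token)
        if entry is None or entry["consumer"] != consumer:
            raise ValueError("unknown request token for this consumer")
        if answer != "yes":
            return None                       # user declined; nothing is bound
        entry["authorized_by"] = session["user"]  # bind the token to the account that said yes
        return token                          # what the redirect back to the consumer carries

    def exchange(self, consumer, token):
        """Step 4 (consumer side): trade an authorized request token for an access token."""
        entry = self.request_tokens.pop(token, None)
        if entry is None or entry["consumer"] != consumer or entry["authorized_by"] is None:
            raise PermissionError("request token not authorized")
        access = secrets.token_hex(8)
        self.access_tokens[access] = entry["authorized_by"]
        return access


def run_flow(sp, consumer, username, password, answer="yes"):
    """Run steps 1-4 in order and return the account the consumer ends up acting for,
    or None if the user declined at the prompt."""
    token = sp.issue_request_token(consumer)                   # step 1
    session = sp.login(username, password)                     # step 2
    returned = sp.authorize(session, token, consumer, answer)  # step 3
    if returned is None:
        return None
    access = sp.exchange(consumer, returned)                   # step 4
    return sp.access_tokens[access]


if __name__ == "__main__":
    sp = ServiceProvider(users={"alice": "constructed-password"})
    print(run_flow(sp, "photoeditor.com", "alice", "constructed-password"))  # alice
```

The exchange step is where the model is strict: a request token that was issued but never reached an authorized state cannot be traded for an access token, so the record of which signed-in account answered "yes" to which token is the piece of SP state the whole sketch depends on.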
You received this message because you are subscribed to the Google Groups 
"OAuth" group.