Nathan Beach wrote:
> Google has enhanced our OAuth approval flow to significantly improve
> the user experience for installed applications that use OAuth to
> access our GData APIs.

Perhaps I'm missing something, but doesn't this kinda saw one of the legs off of OAuth?
This approach basically is: Everyone gets in using the same key, we'll do our best to keep users from using your app, but if they do, you'll be able to get their info.

We may be the off case, but we're actually kind of interested in using the two legged approach so that we can validate developers and grant some customers adjusted rates. What this approach says is "There's no way to secure the first leg of OAuth, so we're going to ignore that."

Frankly, it kind of makes me wonder why bother using OAuth at all? Couldn't you simply create a new auth protocol where an app uses https to connect and "authorize" and then stores a returned token set you can use to validate future requests?

It may just be that there are certain environments that one can't do OAuth. I'd rather that folks use a different auth mechanism for those than further confuse the standard.

I really don't want to be a protocol dork here, but this sets off a good many paranoid bells in my head.
