Yes. (It could also help you get rid of passwords entirely too.) On Friday, July 24, 2009, Ethan Jewett <[email protected]> wrote: > In my relatively uneducated opinion, one major security benefit of using > OAuth for client apps is that the client is only provided with an access > token for the service and not the user's password. > If the access token and consumer secret are compromised, then either can be > revoked, either by the user (in the case of the access token) or by the > provider (in the case of the consumer secret). In most provider > implementations a request authorized with an access token is not allowed to > update certain aspects of the user's account, such as the password. > > If the client requires the user to input their password (for example, > Google's ClientLogin protocol) and the client becomes compromised, then the > password is exposed, allowing full access to the user's account. Game over. > > In my mind, this is *the* reason I want clients I use to use OAuth rather > than a username/password login scheme. > I would be happy with another token-based login scheme as well, but OAuth is > a perfectly good, publicly reviewed standard and I see no reason why a > provider should cook up a bespoke token-based authorization scheme when OAuth > is available and works for clients. > > Ethan > > On Fri, Jul 24, 2009 at 9:24 AM, Zhihong <[email protected]> wrote: > [...] > > In my opinion, you don't add much security by using OAuth on client > because there is no way to keep the secret. However, many people still > do it. It may raise the hurdle for hacking a little, but not much. > > [...] > > > > Zhihong > > > > >
--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
