On Sun, Mar 7, 2010 at 10:25 PM, Allen Tom <[email protected]> wrote: > This is why the username/password profile is intended for rich client apps, > where invoking a browser is not feasible. Given that the user already > downloaded and installed the rich app, popping open a browser is not going > to protect the user from a malicious app – for instance, a malicious app > could have installed a keylogger before invoking the browser.
I disagree. There are a large and growing number of platforms on which I can install a rich client application and be confident that it will not be able to recover my username and password when I type them into my web browser. To name a few that I use every day: 1. My iPod Touch (non-jail-broken, admittedly) 2. Adobe AIR on my Windows XP system 3. Mac OS X (users and applications do not run as administrators by default) On a related note - What stops a provider from implementing the username/password pattern on top of normal OAuth or WRAP (thereby losing my business ;-)? The token can be pretty much any string of text, so the client could embed the username and password into the token. Ethan _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
