Yup, but at least we will only request the master Ubuntu password when connected to the real Ubuntu website rather than passing it to the device unencrypted; only the allowed token is then passed to the device. Maybe that token can only access the store, or it can be revoked, but it feels less of a danger than passing the actual password?

On Fri, Apr 10, 2015 at 3:01 PM, Martin Albisetti <[email protected]> wrote:

> On Fri, Apr 10, 2015 at 9:13 AM, Loïc Minier <[email protected]> wrote:
> > Can't we use oauth to auth against the regular Ubuntu SSO site, and deliver
> > a token to the router? That way, you only type your Ubuntu credentials
> > against the SSO website (using SSL). (I feel I'm missing something obvious)
>
> How would that work?
> The user is in a browser remote from the device, with an unencrypted
> connection to it.
> There has to be some coordination between the browser (user) and the
> device, one way or another. Whatever that coordination is, it'll be
> interceptable.
>
> --
> Martin

--
snappy-devel mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snappy-devel
