On 26 Mar 2009, at 16:14, Joshua Perry wrote:
>
>
> My friend sent me this blog post [1] (I believe the author is on this
> list) and, though I agree with it generally, there is one sentence that
> really stood out to me: "it's a fantastic solution to _authenticate
> other web apps_". After mulling this over I think that this sentence
> should have been the author's final conclusion.
>
Ideally Twitter would have implemented token-based authentication from
the start, as Flickr did, which would have avoided this whole migration
of authentication techniques.
However, Twitter have said that OAuth is their preferred authentication
approach for the future, to roughly quote Doug from Tuesday night's
Twitter Devnest meeting. Given that, I feel it is much more confusing
to have one means of authenticating desktop applications and another
for web applications.
For a good desktop OAuth-like experience look at the MarsEdit and
Flickr integration.
It is all about the language used on the interfaces:
From the media panel, click the link to go to Flickr to authorise
MarsEdit's access to Flickr (photos are on Flickr).
Authorise on flickr.com.
Back in MarsEdit, the screen now says, using an obvious button, "verify
access" (i.e. pick up the previously requested token).
Click this link; MarsEdit in the background gets the token and
refreshes with your photos from Flickr.
More steps than entering an email address and password, I'll agree,
but this will be the common pattern across both web apps and desktop
apps.
OAuth is also permission-based, rather than letting the third-party
application act as if it were the person.
It is clear what permissions are being delegated, and there are no
surprises like tweets being sent without your permission.
With a password-based system this is not possible.
One authentication system in the future is definitely to be preferred,
in my view, to one for the desktop and one for the web.
For another example of how this can work look at Yahoo's Fire Eagle,
which uses OAuth for both desktop and web auth.
I'm not saying OAuth is a panacea, but it is better than handing over
a password.
thanks
Gavin
--
Gavin Bell
w - takeoneonion.org (weblog) and gavinbell.com
e - me at gavinbell dot com
zzgavin most places on the web
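The MarsEdit/Flickr sequence Gavin describes (request a token, authorise it in the browser, then "verify access" to pick up the token) and his point that the resulting token carries only the delegated permission are both the OAuth 1.0a three-legged flow. The code below is an added example, not code from this thread, Twitter, Flickr or MarsEdit: it implements OAuth 1.0a HMAC-SHA1 request signing as specified (percent-encoded, sorted parameters; "consumer secret & token secret" as the key) and runs the whole exchange against an in-memory toy provider so that it works offline. The endpoint URLs, consumer key and secret, the user "alice" and the "read"/"write" scope names are all constructed values, and the scope model is a stand-in for whatever a real provider offers.

```python
"""OAuth 1.0a three-legged flow, simulated offline. Added example, not code from the original
thread, Twitter, Flickr or MarsEdit; URLs, credentials, user and scope names are constructed."""
import base64, hashlib, hmac, secrets, time, urllib.parse

CONSUMER_KEY, CONSUMER_SECRET = "marsedit-demo", "consumer-secret-demo"  # constructed values
BASE = "https://provider.example"  # constructed provider, stands in for flickr.com / twitter.com
REQUEST_URL, ACCESS_URL, API_URL = BASE + "/oauth/request_token", BASE + "/oauth/access_token", BASE + "/api/photos"
SCOPE_ALLOWS = {"read": {"read"}, "write": {"read", "write"}}  # what each delegated scope permits

def percent_encode(value) -> str:
    # RFC 3986 unreserved set only: "~" stays literal, " " becomes %20, "+" becomes %2B
    return urllib.parse.quote(str(value), safe="-._~")

def signature_base_string(method, url, params) -> str:
    # Every parameter except oauth_signature, percent-encoded, sorted and joined with "&",
    # then that string is encoded once more beside the method and the base URL
    pairs = sorted((percent_encode(k), percent_encode(v))
                   for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(url), percent_encode(normalized)])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret="") -> str:
    # Key is "consumer secret & token secret"; the token secret is empty before a token exists
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def signed_params(method, url, token="", token_secret="", extra=None) -> dict:
    # Client side: assemble the oauth_* parameters and attach the signature
    params = {"oauth_consumer_key": CONSUMER_KEY, "oauth_nonce": secrets.token_hex(8),
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())), **(extra or {})}
    if token:
        params["oauth_token"] = token
    params["oauth_signature"] = hmac_sha1_signature(method, url, params, CONSUMER_SECRET, token_secret)
    return params

class Provider:  # toy in-memory service provider standing in for Flickr or Twitter (constructed)
    def __init__(self):
        self.request_tokens, self.access_tokens = {}, {}

    def _verify(self, method, url, params, token_secret=""):
        secret = CONSUMER_SECRET if params.get("oauth_consumer_key") == CONSUMER_KEY else ""
        expected = hmac_sha1_signature(method, url, params, secret, token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            raise PermissionError("bad signature")

    def request_token(self, method, url, params):
        self._verify(method, url, params)               # signed with the consumer secret only
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "verifier": None}
        return token, secret

    def authorize(self, token, user, scope):
        # Browser step: the user sees which app wants which permission and approves it;
        # the verifier is what the desktop app collects when the user clicks "verify access"
        entry = self.request_tokens[token]
        entry.update(user=user, scope=scope, verifier=secrets.token_hex(4))
        return entry["verifier"]

    def access_token(self, method, url, params):
        entry = self.request_tokens.get(params.get("oauth_token"))
        if entry is None:
            raise PermissionError("unknown request token")
        self._verify(method, url, params, entry["secret"])
        if entry["verifier"] is None or not hmac.compare_digest(entry["verifier"], params.get("oauth_verifier", "")):
            raise PermissionError("request token was never authorised by the user")
        del self.request_tokens[params["oauth_token"]]   # request tokens are single use
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = {"secret": secret, "user": entry["user"], "scope": entry["scope"]}
        return token, secret

    def api(self, method, url, params, action):
        entry = self.access_tokens.get(params.get("oauth_token"))
        if entry is None:
            raise PermissionError("unknown access token")
        self._verify(method, url, params, entry["secret"])
        if action not in SCOPE_ALLOWS[entry["scope"]]:   # a read-only token cannot post
            raise PermissionError(f"token lacks {action} permission")
        return f"{action} ok for {entry['user']}"

def desktop_flow(provider, user, scope):
    rt, rt_secret = provider.request_token("POST", REQUEST_URL, signed_params("POST", REQUEST_URL))
    verifier = provider.authorize(rt, user, scope)       # user approves on the provider's site
    p = signed_params("POST", ACCESS_URL, rt, rt_secret, {"oauth_verifier": verifier})
    return provider.access_token("POST", ACCESS_URL, p)  # the "verify access" step

def denied(fn, *args) -> bool:
    try:
        fn(*args)
        return False
    except PermissionError:
        return True

def demo() -> dict:
    provider = Provider()
    at, at_secret = desktop_flow(provider, "alice", "read")   # constructed user, read-only scope
    return {"read": provider.api("GET", API_URL, signed_params("GET", API_URL, at, at_secret), "read"),
            "write_denied": denied(provider.api, "POST", API_URL, signed_params("POST", API_URL, at, at_secret), "write"),
            "forged_denied": denied(provider.api, "GET", API_URL, signed_params("GET", API_URL, at, "wrong"), "read")}
```

Running `demo()` walks the three legs once and then exercises the two properties the message relies on: a token authorised for "read" is accepted for a read call but refused for a write (the "no tweets sent without your permission" case), and a request signed without the real token secret fails the signature check, so possessing the token string alone is not enough. The user's password never appears anywhere in the client.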