Another way to look at it, from the opposite angle: If I change my Twitter password on Twitter's site, my app will continue to work without additional interaction if it's coded with OAuth.
On Fri, Jul 31, 2009 at 08:41, Christopher St John <ckstj...@gmail.com>wrote: > > On Thu, Jul 30, 2009 at 6:07 PM, Bradley S. > O'Hearne<brad.ohea...@gmail.com> wrote: > > > > I really want to hear stated, or read on a FAQ, is the pre-requisite > > security trust, that in that scenario, it necessarily makes OAuth > > superior to basic authentication. > > > > The problem here is that you're paying attention, instead > of just accepting "oauth is better because it is!" statements :-) > > For desktop apps (and in any case where the application has > has control of the UI and/or your computer) OAuth has no > security advantage (since the app can snoop the interaction) > I'm sure bad people are working on a way to make this true > in browser apps as well, but I don't know of any examples. > > For web applications, many commentators acknowledge an > increased risk of phishing as a potential problem with OAuth, > although I haven't personally read any studies that indicate > whether it's a theoretical or practical problem at this point. > > In any case, the primary benefit in OAuth is not protecting > the user immediately from an evil application (since the > authorization tokens an OAuth server hand out are just as > powerful as passwords and must be protected like passwords) > it's that: > > - the owners of the service can (in theory) administratively > ban an application without forcing all the users to change > their passwords (a potentially very big benefit, maybe the > single benefit that justifies the general inconvenience) > > - an individual user can ban an application by revoking its > authz token without having to change their password (a > moderate-at-best benefit, since you could always just > change your password) > > - an individual who is using exactly the same password > at many sites doesn't have to expose out their mono-password > to an app (people mention this a lot, but come on, should > security system try to make people feel better about hitting > themselves on the head with a hammer? but this gets > mentioned a lot, so there you go) > > So, the security picture is actually a little fuzzy. There are > some big wins for service administrators, some real (but > medium-sized?) wins for users, some fundamental limits > of applicability (web-apps only) and some open questions > about phishing and snooping. And lots and lots of hype :-) > > > -cks > > > -- > Christopher St. John > http://praxisbridge.com > http://artofsystems.blogspot.com > -- Internets. Serious business.