On Mon, 24 Aug 2009 22:06:21 +0530
srikanth reddy <srikanth.yara...@gmail.com> wrote:

> > Sign in with Twitter isn't conceptually compatible with the design
> > of OAuth authentication, but it makes an attempt to deliver on what
> > the consumer expects from it.
> >  
> I am not sure I get this, but from a desktop app's point of view it
> perfectly makes sense. You do not ask the user to log in again; rather
> you use the stored tokens.

For a desktop, the consumer app lives on the same machine that the end
user is using. In that case, the only reasons to use OAuth instead of
Basic would be that an HTTPS connection cannot be reliably established
or the server application has stated that it intends not to support
Basic after some time. That's not the target use case for OAuth
Authentication, which was designed so that end users could delegate a
third party to authenticate as the end user and act on his behalf.

Authentication there means allowing the app to authenticate as the
user, which makes it a needless complication for a desktop application,
and counter intuitive for a Consumer who is expecting "Authenticate the
End User to me" instead of "Authenticate me to the Service Provider as
the End User."

That is why there have been such hacks to get it to work with iPhone
and why there are still "open issues." There is acknowledgement in the
spec that Service Providers should not trust the Consumer Secret, but
good luck educating end users not to approve a token unless they
initiate the request.

Paradoxically, probably because of the length of the distribution cycle,
desktop apps seem to have been among the first to implement OAuth.
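An added example, not part of the original thread, to make the "Consumer Secret is not to be trusted" point above concrete. It implements OAuth 1.0 HMAC-SHA1 request signing (signature base string, normalized parameters, signing key) and the matching verification the Service Provider would do. The consumer key/secret, token/secret, URL, nonces and timestamps are constructed values, not anyone's real credentials. The point it shows: once the Consumer lives on the end user's machine, any other process that reads the consumer secret out of the binary and the token secret out of the local token store produces requests the Service Provider verifies exactly as it does the legitimate app's; only a wrong secret or a modified parameter is rejected.

```python
"""OAuth 1.0 (HMAC-SHA1) signing and verification, self-contained.

Added illustration for the thread; not code from the original post or
from any OAuth library. All keys, secrets, nonces and timestamps below
are constructed for the example.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample credentials (assumed values, not real ones).
URL = "https://api.example.com/1/statuses/update.json?include_entities=true"
CONSUMER_KEY = "desktopapp-key"        # shipped inside the desktop binary
CONSUMER_SECRET = "desktopapp-secret"  # also inside the binary
TOKEN = "user-token"                   # stored on disk after user approval
TOKEN_SECRET = "user-token-secret"     # stored beside it
BODY = {"status": "Hello, OAuth!"}     # form-encoded request body


def pct(s):
    """Percent-encode per RFC 3986, leaving only unreserved chars bare."""
    return quote(str(s), safe="-._~")


def base_string(method, url, params):
    """Signature base string: METHOD & enc(base URL) & enc(sorted params).

    `params` holds the oauth_* protocol parameters plus any form-body
    parameters; query-string parameters are pulled out of `url` here.
    """
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = list(params.items()) + parse_qsl(parts.query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)  # sort by key, then value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return f"{method.upper()}&{pct(base_url)}&{pct(normalized)}"


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with enc(cs) & enc(ts)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def signed_params(method, url, body, consumer_key, consumer_secret,
                  token, token_secret, nonce, timestamp):
    """What the Consumer sends: body params plus oauth_* fields and signature."""
    params = dict(body)
    params.update({
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": token,
        "oauth_version": "1.0",
    })
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return params


def verify(method, url, received, consumer_secret, token_secret):
    """Service Provider side: recompute with the secrets it holds and compare."""
    presented = received.get("oauth_signature", "")
    unsigned = {k: v for k, v in received.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


def demo():
    """Four requests as seen by the Service Provider holding the real secrets."""
    legit = signed_params("POST", URL, BODY, CONSUMER_KEY, CONSUMER_SECRET,
                          TOKEN, TOKEN_SECRET, nonce="legitnonce1", timestamp=1251131781)
    # Another program on the same machine that extracted both secrets:
    # different nonce and timestamp, otherwise indistinguishable.
    rogue = signed_params("POST", URL, BODY, CONSUMER_KEY, CONSUMER_SECRET,
                          TOKEN, TOKEN_SECRET, nonce="roguenonce99", timestamp=1251131999)
    # Same signature, parameter changed after signing.
    tampered = dict(legit, status="Different text, same signature")
    # Someone who has the token secret but only a guess at the consumer secret.
    guessed = signed_params("POST", URL, BODY, CONSUMER_KEY, "not-the-real-secret",
                            TOKEN, TOKEN_SECRET, nonce="guessnonce7", timestamp=1251132000)

    def server_accepts(req):
        return verify("POST", URL, req, CONSUMER_SECRET, TOKEN_SECRET)

    return {
        "legit": server_accepts(legit),
        "rogue_with_extracted_secrets": server_accepts(rogue),
        "tampered": server_accepts(tampered),
        "wrong_consumer_secret": server_accepts(guessed),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The Service Provider accepts the rogue request because the signature proves only possession of the two secrets, and on a desktop both secrets sit on the end user's machine; nothing in the signature says which program used them.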
