On Mon, 24 Aug 2009 22:06:21 +0530 srikanth reddy <srikanth.yara...@gmail.com> wrote:
> > Sign in with Twitter isn't conceptually compatible with the design
> > of OAuth authentication, but it makes an attempt to deliver on what
> > the consumer expects from it.
>
> I am not sure I get this. But from a desktop app point of view it
> perfectly makes sense. You do not ask the user to log in again; rather
> you use the stored tokens.

For a desktop, the consumer app lives on the same machine that the end
user is using. In that case, the only reasons to use OAuth instead of
Basic would be that an HTTPS connection cannot be reliably established
or the server application has stated that it intends not to support
Basic after some time.

That's not the target use case for OAuth Authentication, which was
designed so that end users could delegate a third party to authenticate
as the end user and act on his behalf. Authentication there means
allowing the app to authenticate as the user, which makes it a needless
complication for a desktop application, and counterintuitive for a
Consumer who is expecting "Authenticate the End User to me" instead of
"Authenticate me to the Service Provider as the End User." That is why
there have been such hacks to get it to work with iPhone and why there
are still "open issues."

There is acknowledgement in the spec that Service Providers should not
trust the Consumer Secret, but good luck educating end users not to
approve a token unless they initiate the request.

Paradoxically, probably because of the length of the distribution
cycle, desktop apps seem to have been among the first to implement
OAuth.

Chris
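The mechanics behind the remark about the Consumer Secret, as an added example that is not part of the original thread or of any Twitter code: a minimal OAuth 1.0 HMAC-SHA1 signer and the matching Service Provider check. The signing key is the pair `consumer_secret&token_secret`, so every copy of a desktop app that ships with the same Consumer Secret holds the same first half of that key; the signature therefore proves possession of the token secret the user approved, not the identity of one particular consumer. The consumer key, secrets, token, nonce and timestamp are the illustrative values from RFC 5849 section 1.2, used here as constructed sample input; the request URL and the function names are this example's own.

```python
"""OAuth 1.0 (RFC 5849) HMAC-SHA1 signing and verification, added example.

Sample values are the illustrative ones from RFC 5849 section 1.2; they
are constructed test data, not live credentials. Function names are
this example's own, not a library API.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample request (RFC 5849 section 1.2 illustrative values).
METHOD = "GET"
URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
CONSUMER_SECRET = "kd94hf93k423kf44"   # would be compiled into a desktop app
TOKEN_SECRET = "pfkkdhi9sl3r4s00"      # issued per user after approval
OAUTH_PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131202",
    "oauth_nonce": "chapoH",
}


def pct(s: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters pass."""
    return quote(s, safe="-._~")


def normalize_params(params) -> str:
    """Encode each (key, value) pair, sort, and join as key=value&key=value."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def base_string_uri(url: str) -> str:
    """Scheme and host lowercased, default ports dropped, query removed."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path}"


def signature_base_string(method: str, url: str, oauth_params: dict) -> str:
    """Method, base URI and normalized parameters, each encoded, joined by '&'."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params = query + [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalize_params(params))])


def signing_key(consumer_secret: str, token_secret: str = "") -> bytes:
    """Both secrets contribute; a shared Consumer Secret weakens only the first half."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}".encode()


def hmac_sha1_sign(method, url, oauth_params, consumer_secret, token_secret="") -> str:
    """Consumer side: base64(HMAC-SHA1(key, base string))."""
    msg = signature_base_string(method, url, oauth_params).encode()
    digest = hmac.new(signing_key(consumer_secret, token_secret), msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify(method, url, oauth_params, consumer_secret, token_secret="") -> bool:
    """Service Provider side: recompute with the stored secrets and compare in constant time."""
    expected = hmac_sha1_sign(method, url, oauth_params, consumer_secret, token_secret)
    provided = oauth_params.get("oauth_signature", "")
    return hmac.compare_digest(expected.encode(), provided.encode())


def demo() -> bool:
    """Sign the sample request, then check that the provider accepts it."""
    sig = hmac_sha1_sign(METHOD, URL, OAUTH_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    signed = dict(OAUTH_PARAMS, oauth_signature=sig)
    return verify(METHOD, URL, signed, CONSUMER_SECRET, TOKEN_SECRET)


if __name__ == "__main__":
    print(signature_base_string(METHOD, URL, OAUTH_PARAMS))
    print("provider accepts:", demo())
```

The provider check fails whenever either secret or any signed parameter changes, which is exactly what a Service Provider must rely on; the token secret is the per-user part, and is the only part a desktop deployment can keep private.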