On Mon, Oct 12, 2009 at 2:53 PM, Jesse Stay <jesses...@gmail.com> wrote:
> On Mon, Oct 12, 2009 at 11:01 AM, Ryan Sarver <rsar...@twitter.com> wrote:
>>
>> 1. What can be improved about the web workflow?
>> 2. What can be improved about the desktop workflow?
>> 3. What other models of distributed auth do you think we could learn
>> from and what specifically about them?
>> 4. What could we improve around the materials for integrating OAuth
>> into your application?
>>
>
> This is a given coming from me (I wrote O'Reilly's FBML Essentials), but I
> strongly recommend looking at the way Facebook is doing it with Facebook
> Connect - if you're logged into Facebook and have authorized the app, no
> further auth is necessary - you click the "Connect with Facebook" button,
> Facebook tells your app it's already authorized (without sending the user
> through the authentication or authorization process again), and you can then
> give the user a session in your app. It's a simple one-click workflow that
> only turns into a more-than-one-click workflow when absolutely necessary.

Twitter already has something similar (one-click login):
http://apiwiki.twitter.com/Sign-in-with-Twitter

Some devs like this for the simplicity, some don't because it will
automatically use the "already logged in account" w/o giving the option to
use another account. Whereas most Facebook users probably have only one
account, I would guess that a larger percentage of Twitter users (while
still a small percentage) are managing multiple accounts.

-Chad

> I also like that their authorization process naturally provides a popup
> instead of forcing the app to completely redirect to another site to
> authorize. True, you can do this on your own through a window.open() call
> of some sort with Twitter, but with Facebook, they provide all the code that
> does this process automatically. No worry about backend code or anything
> else on your part. It's very simple to implement (to the extent they've
> even built a Wizard to give you the code you need to copy and paste on your
> website).
> That's just my $.02. Maybe Twitter can try to work with Facebook (gasp!) to
> try and come up with an open protocol of some sort that standardizes this
> type of authorization effort. Let me know if I can help any in moving
> towards this type of authorization flow - it's a much simpler process IMO.
> (not to mention it opens up even greater possibilities in a desktop or
> mobile environment as well)
> Jesse