1. What can be improved about the web workflow?
I'll leave this one for the web dudes.
2. What can be improved about the desktop workflow?
The UX: it's currently very complicated for the user. Much more
complicated than basic auth. Users are unaccustomed to it. Novelty
isn't a bonus during authorization.
The browser: drop-kicking the user to another app seems egregious.
Make it so that this is unnecessary and the UX problem is nearly solved.
The assumption: there seems to be an assumption that Twitter clients
are *not* trusted and the web browser *is* trusted. But the reality
is that all of the phishing, scams, and untrusted things that I'm
bombarded with daily come in the browser. Please help me to resolve
this paradox.
3. What other models of distributed auth do you think we could learn
from and what specifically about them?
All of the clients for everything that needs authorization on my
desktop use a basic-auth-like model: email, ftp, backup services,
picture sharing, blogging, well, you get the idea. I'm not saying
it's right or wrong, but that is the way it is.
I want my app to be part of that ecosystem and not stand out like a
sore thumb.
Make matching the user experience of other desktop apps your goal. If
you can't achieve that goal, then maybe OAuth isn't ready for the
desktop. Or perhaps it's more apt to say that the desktop is not
ready for OAuth.
If you say, "it's really no big deal to add this one step," then
stop. It **is** a big deal. Every step added is a **really** big
deal. Really.
4. What could we improve around the materials for integrating OAuth
into your application?
It's not all that complicated to implement. There's a lot of open
source on the web in a multitude of languages.
If you have manpower to throw around, please work on the UX first. ;-)
I'd be happy to contribute to any open source project that helps to
achieve this. Count me in.
Isaiah