A good point.
Another is that OAuth provides not only authorization, but also
authentication. This would enable Twitter to shut down apps that are
misbehaving. A feature I'm sure Twitter would like not to give up.
I would also take issue with the assumption that "third parties would
have access to your password." A client that I download, I run, and I
delete when I tire of it isn't really a third party. No other human
will have access to the password.
Put it this way, if I really feel it's misbehaving, I can always unplug
my machine. ;-)
It's important to remember this distinction when web-apps are also
being discussed. A web app is different because it does NOT run on
your machine, you can NOT shut it down, and other people will
definitely have access to the information stored there.
Isaiah
YourHead Software
[email protected]
http://www.yourhead.com
On Oct 12, 2009, at 7:36 PM, Brian Smith wrote:
Letting a mobile/desktop app grab an OAuth token using the user’s
username/password is still helpful because then they can store the
token instead of the username/password, which is a big deal when
there’s no really secure way to store it. Also, if your mobile phone/
laptop gets stolen, you can still log in via the Twitter website and
revoke access from the apps installed on your phone/laptop. If the
app just used basic auth then the only way to revoke access would be
to change your password. But, whoever stole your phone/laptop could
have changed your password first (if the app was using Basic auth),
and you’re locked out of your account.
So, a way to log in with basic auth and grab an OAuth token could
still be useful.
JDG wrote:
But it completely subverts the point of OAuth, because it lets a
third party have your password. Why even use OAuth in that case?
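The stolen-laptop situation Brian describes, as an added example that is not part of the thread and not Twitter's real API: a hypothetical provider (`TokenServer`) exchanges the username/password once for a per-app token, the downloaded client (`DesktopClient`) keeps only the token, and account-management operations (listing apps, revoking, changing the password) require the password rather than a token. The account, app name and password are constructed sample values.

```python
"""Token-for-password exchange with server-side revocation (constructed example)."""
import hashlib
import hmac
import secrets


class TokenServer:
    """Stand-in for the provider side (hypothetical; not Twitter's real API)."""

    def __init__(self):
        self._users = {}   # username -> (salt, pbkdf2 digest)
        self._tokens = {}  # token string -> {"user", "app", "revoked"}

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._digest(salt, password))

    def _password_ok(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._digest(salt, password))

    def issue_token(self, username, password, app_name):
        """The credentials cross the wire exactly once; the app keeps only the token."""
        if not self._password_ok(username, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"user": username, "app": app_name, "revoked": False}
        return token

    def authorize(self, token):
        """Return the user a live token belongs to, or None if unknown/revoked."""
        rec = self._tokens.get(token)
        if rec is None or rec["revoked"]:
            return None
        return rec["user"]

    # Account management needs the password, never a token, so a stolen
    # token cannot be used to lock the real owner out of the account.
    def list_apps(self, username, password):
        if not self._password_ok(username, password):
            raise PermissionError("bad credentials")
        return sorted(r["app"] for r in self._tokens.values()
                      if r["user"] == username and not r["revoked"])

    def revoke_app(self, username, password, app_name):
        if not self._password_ok(username, password):
            raise PermissionError("bad credentials")
        for rec in self._tokens.values():
            if rec["user"] == username and rec["app"] == app_name:
                rec["revoked"] = True

    def change_password(self, username, old_password, new_password):
        if not self._password_ok(username, old_password):
            raise PermissionError("bad credentials")
        self.register(username, new_password)


class DesktopClient:
    """Stand-in for the downloaded app; after login it holds only the token."""

    def __init__(self, server, app_name):
        self._server = server
        self._app = app_name
        self.token = None

    def login(self, username, password):
        self.token = self._server.issue_token(username, password, self._app)
        # The password is deliberately not retained anywhere in the client.

    def post(self, text):
        return self._server.authorize(self.token) is not None


def stolen_laptop_scenario():
    """Walk through the situation in the thread and report what each party can do."""
    server = TokenServer()
    server.register("alice", "correct horse")     # constructed sample account
    app = DesktopClient(server, "tweetdesk")
    app.login("alice", "correct horse")
    result = {"posts_before_revoke": app.post("hello")}

    # Laptop is stolen: the thief holds the stored token but not the password.
    thief = DesktopClient(server, "tweetdesk")
    thief.token = app.token
    try:
        server.change_password("alice", thief.token, "pwned")
        result["thief_changed_password"] = True
    except PermissionError:
        result["thief_changed_password"] = False

    # Owner logs in from the website and revokes the app; no password change needed.
    result["apps_seen_by_owner"] = server.list_apps("alice", "correct horse")
    server.revoke_app("alice", "correct horse", "tweetdesk")
    result["thief_posts_after_revoke"] = thief.post("spam")
    result["owner_can_still_login"] = (
        server.issue_token("alice", "correct horse", "phone") is not None)
    return result


if __name__ == "__main__":
    print(stolen_laptop_scenario())
```

The contrast with Basic auth is the `change_password` call: had the client stored the password itself, whoever took the laptop could have run that call successfully and the owner's only recovery path would be gone, which is exactly the lock-out the thread is worried about.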