in a web scenario, developers are encourage to go through the web
workflow - this new workflow is for those environments where bringing
up a browser is impossible (embedded devices), cumbersome, or would
destroy the UX experience.  i would love to see developers message to
their users that they are "secure" in that they are using OAuth, but i
realise that is a complicated thing to get across easily.

On Thu, Dec 10, 2009 at 7:12 AM, Michael Ekstrand <> wrote:
> John Meyer wrote:
>> okay, forgive me if I'm wrong, but wasn't the whole point of oAuth
>> that the application didn't need to know the username/password?  That
>> the user would grant access to the application and then the
>> application would store that rather than the actual
>> username/password.  Or am I missing the point of going to an oAuth
>> system?
> Yes, that's the point of OAuth.  However, the dynamics of a web-based
> application vs. a desktop application complicate things.  If the user is
> trusting an application to run natively on their desktop, that
> application already has access to their username and password (it can
> read them from config files, do a keyboard grab when it spawns the
> browser, go snooping around in Firefox's memory space, any number of
> things).  Thus, in the desktop application case, allowing the user to
> input their username and password does not decrease security except
> perhaps by not always enforcing "don't give away your password".  The
> web case is different - a web site doesn't have the user's credentials
> unless they explicitly provide them.
> I'm ignoring for the present sandboxed or sandboxable environments such
> as Java and AIR.  The runtime may prevent the local application from
> having access to the username/password as used by other applications.
> - Michael
> --
> mouse, n: A device for pointing at the xterm in which you want to type.
> Confused by the strange files?  I cryptographically sign my messages.
> For more information see <>.

Raffi Krikorian
Twitter Platform Team

Reply via email to