Precisely. In a web scenario, developers are encouraged to go through the web workflow; this new workflow is for those environments where bringing up a browser is impossible (embedded devices), cumbersome, or would destroy the UX experience. I would love to see developers message to their users that they are "secure" in that they are using OAuth, but I realise that is a complicated thing to get across easily.
On Thu, Dec 10, 2009 at 7:12 AM, Michael Ekstrand <mich...@elehack.net> wrote:
> John Meyer wrote:
>> Okay, forgive me if I'm wrong, but wasn't the whole point of OAuth that the application didn't need to know the username/password? That the user would grant access to the application and then the application would store that rather than the actual username/password. Or am I missing the point of going to an OAuth system?
>
> Yes, that's the point of OAuth. However, the dynamics of a web-based application vs. a desktop application complicate things. If the user is trusting an application to run natively on their desktop, that application already has access to their username and password (it can read them from config files, do a keyboard grab when it spawns the browser, go snooping around in Firefox's memory space, any number of things). Thus, in the desktop application case, allowing the user to input their username and password does not decrease security except perhaps by not always enforcing "don't give away your password". The web case is different: a web site doesn't have the user's credentials unless they explicitly provide them.
>
> I'm ignoring for the present sandboxed or sandboxable environments such as Java and AIR. The runtime may prevent the local application from having access to the username/password as used by other applications.
>
> - Michael
>
> --
> mouse, n: A device for pointing at the xterm in which you want to type.
> Confused by the strange files? I cryptographically sign my messages.
> For more information see <http://www.elehack.net/resources/gpg>.

--
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi