On Thu, Dec 10, 2009 at 07:33:28AM -0700, John Meyer wrote:
> okay, forgive me if I'm wrong, but wasn't the whole point of oAuth that  
> the application didn't need to know the username/password?  That the  
> user would grant access to the application and then the application  
> would store that rather than the actual username/password.  Or am I  
> missing the point of going to an oAuth system?

That is *a* point of oauth, not *the* point.

It's probably the most obvious point from a naive end-user viewpoint,
but there are also other advantages to oauth, even when the keys are
obtained by entering your username/password.  Just off the top of my
head:

- The app doesn't need to store your username/password in a retrievable
  format, so an attacker who compromises the application's data store
  will not gain access to them.

- Your username/password will not be transmitted across the internet or
  wireless LAN connections on every request made, which greatly reduces
  the window of vulnerability for an attacker to intercept them in
  transit.

- You can change your Twitter username and/or password without then
  having to immediately reauthorize the app by re-entering the new
  username/password.

- Conversely, if you wish to revoke a specific app's access, you can do
  so without affecting any other application.  (Unless the app in
  question has stored your username/password in a retrievable format, in
  which case it could just get new oauth credentials, of course.)

- If oauth is the only allowed authentication method, a rogue app would
  not be able to gain full access to your account.  Perhaps most
  importantly, it would not be capable of changing your password and
  locking you out.

- On Twitter's side, I'm sure it will simplify things considerably for
  all API methods to support only a single authentication method.

-- 
Dave Sherohman
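As an added illustration (not part of this thread, and not Twitter's or anyone's real OAuth implementation), a toy Python model of the properties Dave lists: per-app opaque tokens that survive a password change, can be revoked one app at a time, and cannot be used to change the password. The `Service` class, user and app names are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets


class Service:
    """Constructed toy account service: one password per user, many per-app tokens."""

    def __init__(self):
        self.users = {}   # username -> (salt, pbkdf2 hash); no retrievable password
        self.tokens = {}  # opaque token -> (username, app_name)

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(salt, password))

    def check_password(self, username, password):
        salt, stored = self.users[username]
        return hmac.compare_digest(stored, self._hash(salt, password))

    def authorize_app(self, username, password, app_name):
        # The user enters credentials once; the app only ever receives a token.
        if not self.check_password(username, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, app_name)
        return token

    def api_call(self, token):
        """Return the acting username, or None if the token is invalid or revoked."""
        entry = self.tokens.get(token)
        return entry[0] if entry else None

    def change_password(self, username, old, new):
        # Needs the current password, so a token holder cannot lock the user out.
        if not self.check_password(username, old):
            raise PermissionError("bad credentials")
        self.register(username, new)  # re-salt and re-hash; tokens are untouched

    def revoke_app(self, username, app_name):
        # Drop only this app's tokens; every other app keeps working.
        self.tokens = {t: v for t, v in self.tokens.items() if v != (username, app_name)}


def demo():
    svc = Service()
    svc.register("alice", "hunter2")
    tok_a = svc.authorize_app("alice", "hunter2", "AppA")
    tok_b = svc.authorize_app("alice", "hunter2", "AppB")
    svc.change_password("alice", "hunter2", "correct horse")  # both tokens survive
    svc.revoke_app("alice", "AppA")                            # only AppA loses access
    return svc.api_call(tok_a), svc.api_call(tok_b), svc.check_password("alice", "hunter2")
```

Running `demo()` returns `(None, 'alice', False)`: AppA is cut off, AppB still acts as alice, and the old password no longer works.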
