Although you can find many instances of popular applications that do exactly
this, and the precise reasons for it being verboten are definitely arguable and
murky at best, the reaction that you'll receive from the OAuth community is
likely to be crystal clear, and very negative.
I posted an open source app that did this and received this from a founding
member of the OAuth committee:
"...this approach is specifically one that OAuth is trying to protect users
The problem is that your app does not (and can not) give users any trust that
you (or more importantly, an attacker) are not storing their Twitter
credentials without informing them..."
My personal feelings about the veracity of this statement aside, the tone is
pretty clear: you shouldn't do this.
On Jan 17, 2010, at 8:50 AM, eco_bach wrote:
> I'd like to embed the Twitter OAuth authorization-sign in window
> WITHIN my application.
> Is this considered a best practice, or is it always recommended to
> send the user to a new browser window for the service provider(Twitter
> in this case) OAuth authentication process?