Although you can find many instances of popular applications that do exactly this, and the precise reasons for it being verboten are definitely arguable and murky at best, the reaction that you'll receive from the OAuth community is likely to be crystal clear, and very negative.
I posted an open source app that did this and received this from a founding member of the OAuth committee: "...this approach is specifically one that OAuth is trying to protect users from. The problem is that your app does not (and can not) give users any trust that you (or more importantly, an attacker) are not storing their Twitter credentials without informing them..." My personal feelings about the veracity of this statement aside, the tone is pretty clear: you shouldn't do this. isaiah http://twitter.com/isaiah On Jan 17, 2010, at 8:50 AM, eco_bach wrote: > > I'd like to embed the Twitter OAuth authorization-sign in window > WITHIN my application. > > Is this considered a best practice, or is it always recommended to > send the user to a new browser window for the service provider(Twitter > in this case) OAuth authentication process?
