On Sep 7, 2011, at 12:02 PM, Michael Thomas wrote:
>
> It's not nonsense:
>
> 1) App prompts me for my credentials to Facebook -- I wonder whether
> I trust the app.
> 2) App puts me in a Facebook login window -- I figure that it's secure and
> don't wonder whether I trust the app.
>

The assumption for #1 is that the app gave you a user experience for entering your Facebook credentials that looks different than the actual Facebook login window. If the app is malicious, this will most likely not be the case.
The advantage OAuth provides is that it can vet/ban clients which are doing malicious things. However, even a client with no OAuth support at all is still capable of providing a realistic-looking login window using an embedded user agent, and capturing the real username/password.

-DW
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth