On 09/07/2011 11:20 AM, David Waite wrote:

On Sep 7, 2011, at 12:02 PM, Michael Thomas wrote:

>> It's not nonsense:
>>
>> 1) App prompts me for my credentials to Facebook -- I wonder whether
>>    I trust the app.
>> 2) App puts me in a Facebook login window -- I figure that it's secure and
>>    don't wonder whether I trust the app.

> The assumption for #1 is that the app gave you a user experience for entering your Facebook credentials that looks different than the actual Facebook login window. If the app is malicious, this will most likely not be the case.
>
> The advantage OAuth provides is that it can vet/ban clients which are doing malicious things. However, even a client with no OAuth support at all is still capable of providing a realistic-looking login window using an embedded user agent, and capturing the real username/password.

Absolutely. But before Facebook started doing this OAuth-like
authentication (from the UX standpoint), there wasn't any reason
why a user would expect to see that Facebook-like authentication page.
But now users are getting taught to trust that Facebook authentication
page inside untrusted apps. So it's the whole ecosystem that's problematic,
but it doesn't seem right to tout OAuth as a solution, which is
how it's coming across on the outside. Not wanting to very clearly
fess up in the protocol document makes it sound like some people
view that as a feature, not a bug.

Mike
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth