Re: [oauth] "Fixing OAuth" blog post
kellan <kellan@pobox.com> Thu, 19 February 2009 22:12 UTC
Return-Path: <kellan@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0BCD728C13A for <oauth@core3.amsl.com>; Thu, 19 Feb 2009 14:12:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GcVkAiIG+Af3 for <oauth@core3.amsl.com>; Thu, 19 Feb 2009 14:12:48 -0800 (PST)
Received: from rv-out-0506.google.com (rv-out-0506.google.com [209.85.198.233]) by core3.amsl.com (Postfix) with ESMTP id 09CE83A6C26 for <oauth@ietf.org>; Thu, 19 Feb 2009 14:12:48 -0800 (PST)
Received: by rv-out-0506.google.com with SMTP id g9so493029rvb.5 for <oauth@ietf.org>; Thu, 19 Feb 2009 14:13:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:received:in-reply-to :references:date:x-google-sender-auth:message-id:subject:from:to:cc :content-type:content-transfer-encoding; bh=q3xogBUB5pNSM65D3I8dkK/QMLXiNf4v2a/Mm5g8rKo=; b=MyMDyeCObDBphWIdXm9l7pJDIOnkWyr3+MJpM12fAk92k3Lc+/darUfs009uQBn44i TTdCKQ+eA/piB2ofh6q48QhUN8f/S9ct0FnY81xa+z1sor+T7D2ZvrksSOJ3eQ1wB5ha 2u3qzXLR6RfQ5zscqH5++e49mNtSoQgx9uBAc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; b=ir6+phdiDGIQKA8qKp7kgdvQHPpY3RwzhbEafOam41VcLZrVPRvDsrHU00ZT/utkYf h6Jk4RWnSred8RtDjPqQYXNo74GUbQrX9MLrp32tCi3No3O4b3iKNVWBz/vyXi642PvZ mQSpFZv3TUjeTSrB7myQjd75oi+v3NridqINQ=
MIME-Version: 1.0
Sender: kellan@gmail.com
Received: by 10.142.156.2 with SMTP id d2mr31314wfe.64.1235081581043; Thu, 19 Feb 2009 14:13:01 -0800 (PST)
In-Reply-To: <ca722a9e0902191359n746cf98fmc4992a74be98880d@mail.gmail.com>
References: <ca722a9e0902191359n746cf98fmc4992a74be98880d@mail.gmail.com>
Date: Thu, 19 Feb 2009 17:13:01 -0500
X-Google-Sender-Auth: 787f9878252f85d2
Message-ID: <422b9b380902191413g24573f20h1ba086fbce835c41@mail.gmail.com>
From: kellan <kellan@pobox.com>
To: Lisa Dusseault <lisa.dusseault@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: oauth <oauth@ietf.org>
Subject: Re: [oauth] "Fixing OAuth" blog post
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Feb 2009 22:12:49 -0000
I think we're seeing this sort of push back in the context of Twitter API community for several reasons. 1. The developers which have been successful are naturally comfortable, and change is painful. 2. The security concerns around rogue access to your Twitter account are *comparatively* minor. 3. There isn't much in the way of a meaningful gradient of access for Twitter, though even allowing a differentiation of read/write access is going to be a huge win for the community (if not particularly exciting to developers of Twitter clients, like atebit) Additionally its natural for API consumers to tend to think in terms of convenience, with possible concessions to the issue of rogue operators, where the real challenges for an API provider are control, predictability, and bumbling/misguided operators. I think the disaster of the delegated auth as a viable user experience as rather spectacularly failed to prove itself in the field. Which is not to say the experience can't and shouldn't be improved as the nature of our devices shift, and it was with an eye to flexibility and allowing that kind of improvement to emerge that we struggled to keep the core spec simple. -kellan On Thu, Feb 19, 2009 at 4:59 PM, Lisa Dusseault <lisa.dusseault@gmail.com> wrote: > > From http://blog.atebits.com/2009/02/fixing-oauth/ > > ... a few years from now when OAuth is finally integrated sensibly, I think > it actually will be quite nice. "Integrated sensibly" is key. Today is an > opportunity to get it right. > [...] > > I think the ultimate goal is to have a single, global, native-looking, > "blessed" authentication gateway on every device. This gateway could be > expressed on different devices in different ways. On the iPhone for example, > it could be represented as a special OS-provided window (running in a > protected process) that slid up over an app, allowing the user to enter a > password (or authenticate via something else like OpenID). The sheet would > then slide back down revealing the app after authentication was complete. > The requesting app would never need to quit. There would be no need for any > web pages, and the authentication experience would be completely > standardized across every app on that device that used OAuth. > > _______________________________________________ > oauth mailing list > oauth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- [oauth] "Fixing OAuth" blog post Lisa Dusseault
- Re: [oauth] "Fixing OAuth" blog post kellan
- Re: [oauth] "Fixing OAuth" blog post John Kemp