On Wed, Jan 28, 2009 at 11:05 AM, George Fletcher <gffle...@aol.com> wrote:
> In principle, OAuth is trying to keep the user from giving their
> credentials to any service other than their identity provider. However,
> in the case of a "client" wanting to authenticate the user to the user's
> identity provider (potentially where no browser exists), this seems like
> a much better mechanism than passing the credentials on the wire.

Better than using SSL transport? It's not protecting the user's credentials from getting exposed to the client - so if it's really to prevent MITM/eavesdropping problems then the client is better off enforcing strict IdP SSL cert checks. If the assumption is that these requests are sent over non-SSL, then yes, it might add value in doing this.

Moreover, as Brian pointed out, a lot of providers cannot support this because they don't have the user's raw password.
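The last point in the reply (providers that keep only a salted password hash cannot support a "don't send the password on the wire" scheme) is easy to see in code. The following is an added illustration, not code from the OAuth group, from any provider, or from the proposal under discussion; the challenge-response scheme it uses (an HMAC over a server nonce keyed with the raw password) is an assumed, simplified stand-in for that kind of mechanism, and the `enroll_*` record layouts are likewise made up for the example.

```python
"""Salted-hash password stores vs. password-keyed challenge-response.

Added example for the thread above (not the OAuth group's or any IdP's
code). The challenge-response scheme is an assumed stand-in: the client
sends HMAC(password, nonce) instead of the password itself.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor; illustrative value


# --- identity provider side -------------------------------------------------

def enroll_hashed(password: str) -> dict:
    """What a provider normally keeps: a salt and an iterated hash, never the
    raw password (constructed record layout for this example)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def enroll_plaintext(password: str) -> dict:
    """A provider that keeps the raw password. Shown only to demonstrate what
    the challenge-response scheme would require of the server."""
    return {"password": password}


def verify_password_over_tls(record: dict, password: str) -> bool:
    """Password arrives inside a TLS session. The provider rehashes it with
    the stored salt and compares in constant time. Works with the hashed
    store, which is the deployment the reply assumes."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def new_challenge() -> bytes:
    """Fresh server nonce for one authentication attempt."""
    return secrets.token_bytes(16)


def verify_challenge_response(record: dict, challenge: bytes,
                              response: bytes) -> Optional[bool]:
    """Checking HMAC(password, challenge) needs the raw password as the HMAC
    key. A salted hash cannot be used to derive it, so a hashed-only store
    cannot evaluate the response at all; None signals 'unsupported'."""
    if "password" not in record:
        return None
    expected = hmac.new(record["password"].encode(), challenge,
                        "sha256").digest()
    return hmac.compare_digest(expected, response)


# --- client side -------------------------------------------------------------

def client_response(password: str, challenge: bytes) -> bytes:
    """What the client would send on the wire instead of the password."""
    return hmac.new(password.encode(), challenge, "sha256").digest()


def demo() -> tuple:
    """Returns (tls_ok, tls_bad, cr_hashed_store, cr_plaintext_store)."""
    pw = "correct horse battery staple"  # constructed sample credential
    hashed = enroll_hashed(pw)
    plain = enroll_plaintext(pw)

    # Direct password check against the salted-hash store: works.
    tls_ok = verify_password_over_tls(hashed, pw)
    tls_bad = verify_password_over_tls(hashed, "wrong password")

    # Same credential, challenge-response instead of the password itself.
    chal = new_challenge()
    resp = client_response(pw, chal)
    cr_hashed = verify_challenge_response(hashed, chal, resp)   # None
    cr_plain = verify_challenge_response(plain, chal, resp)     # True
    return tls_ok, tls_bad, cr_hashed, cr_plain


if __name__ == "__main__":
    print(demo())
```

The trade-off the thread is circling is visible in `demo()`: the only store that can verify the password-keyed response is the one that keeps the raw password, which is exactly the storage practice a provider with salted hashes has (rightly) given up. Keeping the password check inside a properly verified TLS session avoids that trade.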
> > In prinicple, OAuth is trying to keep the user from giving their > credentials to any service other than their identity provider. However, > in the case of a "client" wanting to authenticate the user to the user's > identity provider (potentially where no browser exists), this seems like > a much better mechanism than passing the credentials on the wire. > > better than using SSL transport ? It's not protecting from the user's credentials getting exposed to the client - so if it's really to prevent MITM/eavesdropping problems then the client is better off enforcing strict IDP's SSL cert checks. If the assumption is that these requests are sent over non-ssl - then yes it might add value in doing this. More over as Brian pointed out - lot of providers cannot support this because they don't have the user's raw password. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---