Christian Scholz / Tao Takashi (SL) wrote:

> So I am wondering in the iPhone case how I can be sure that I am
> really at yahoo and not somewhere else. I don't see any URL, whether
> it's SSL or not etc. and even if I would this application could of
> course fake this as well (which I guess is also the point in [1]). So
> I agree with [1] that a better way would be something inside the OS to
> provide that but that this of course also might not happen (or at
> least soon).

Yep. Granted, that's been kind of a rallying cry for the folks that are against OAuth. "You could easily phish credentials because nobody ever looks at the URL line anyway." There are ways to tokenize the login page (e.g. what Yahoo does with the login) but that only works on devices where you've created a common cookie, which means that devices or programs that have a sandboxed WebKit would never get that info.

Facebook isn't immune to this issue either, and in fact kind of makes it worse by having an inconsistent login experience. Sometimes it's a pop-out window, sometimes it's an iframe. Sometimes it asks you to log in, other times it asks you to just auth. I don't want to wave my hands at the problem, but the solution is going to require more than just OAuth and Facebook. It's going to require working with browser manufacturers to make sure that there's a reliable way to indicate to users the host and URL they're connected to.

> I also see this more as a problem for e.g. the iPhone where you
> usually need to close the application in order to jump to Safari. This
> is not such a problem on the desktop and (as you demonstrate) has been
> done for quite a while with flickr.

If I remember correctly (I don't have a Mac so no iPhone SDK for me) it's possible to register a fake protocol which will allow you to jump back into your app. Most of the Netflix iPhone apps do something like this to do the auth.

> I also agree with [2] that authenticating for multiple services might
> make this whole process a bit annoying. We might also face this issue
> in the proposed MMOX IETF working group[3] if we go with OAuth and in
> order to connect to a world you might first need to authorize various
> services (profile, inventory, contacts, IM, ...).

I'm actually alright with that idea. Let me be in control of my own data. If you have the additional concept of "profiles", where I can give some inquiring service a slightly different identifier that's tied to a specific "group" of permissions, then it's not as much a hassle as it might be. (e.g. I give a site like Blizzard "jrconlin-max" and expose every bit of data, or I give a site like http://EvilOnAStick.com "jrconlin-rhubarb" which has a greatly reduced set of available information.)

> -- Christian
>
> [3] http://trac.tools.ietf.org/bof/trac/wiki/MmoxCharter
>
> > Chris
> >
> > [1] http://blog.atebits.com/2009/02/fixing-oauth/
> > [2] https://twitter.pbwiki.com/oauth-desktop-discussion
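The "register a fake protocol to jump back into your app" approach discussed above means the app will receive an arbitrary URL from the OS, so the app has to decide whether that URL is really the provider's callback for the authorization it started. As an added example (not code from this thread, nor from any product named in it), here is a small validator for such a callback. It assumes a hypothetical app that registered the scheme `myapp` with host `oauth`, that remembers the request token it was waiting on, and that the provider returns the OAuth 1.0a parameters `oauth_token` and `oauth_verifier`; the function and class names are this example's own.

```python
"""Validate an OAuth 1.0a callback delivered through a custom URL scheme.

Added example, not code from the OAuth list thread. Assumes a hypothetical
app that registered the scheme "myapp" (host "oauth") and that stored the
request token it obtained before sending the user to the provider.
"""
from urllib.parse import urlsplit, parse_qs


class CallbackError(ValueError):
    """Raised when an incoming URL must not be treated as a valid callback."""


def parse_callback(url: str, expected_token: str,
                   scheme: str = "myapp", host: str = "oauth") -> str:
    """Return the oauth_verifier from a callback URL, or raise CallbackError.

    A URL is accepted only if it
      1. uses the scheme and host this app registered,
      2. carries exactly one oauth_token, equal to the request token the
         app is waiting on (a stale or foreign callback does not match), and
      3. carries exactly one non-empty oauth_verifier.
    Anything else is rejected instead of being exchanged for an access token.
    """
    parts = urlsplit(url)
    if parts.scheme != scheme or parts.netloc != host:
        raise CallbackError("URL is not our registered callback scheme/host")

    # keep_blank_values so an empty oauth_verifier= is seen and rejected
    params = parse_qs(parts.query, keep_blank_values=True)
    tokens = params.get("oauth_token", [])
    verifiers = params.get("oauth_verifier", [])
    if len(tokens) != 1 or len(verifiers) != 1:
        raise CallbackError("callback must carry exactly one token and verifier")
    if tokens[0] != expected_token:
        raise CallbackError("callback token does not match the pending request")
    if not verifiers[0]:
        raise CallbackError("empty verifier")
    return verifiers[0]


def is_valid_callback(url: str, expected_token: str) -> bool:
    """Boolean convenience wrapper around parse_callback."""
    try:
        parse_callback(url, expected_token)
    except CallbackError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample URLs; "req123" is the request token the app stored.
    pending = "req123"
    samples = [
        "myapp://oauth?oauth_token=req123&oauth_verifier=v456",   # accepted
        "myapp://oauth?oauth_token=other&oauth_verifier=v456",    # wrong token
        "myapp://oauth?oauth_token=req123&oauth_verifier=",       # empty verifier
        "https://example.invalid/?oauth_token=req123&oauth_verifier=v456",  # not ours
    ]
    for u in samples:
        print(is_valid_callback(u, pending), u)
```

The token comparison is the important check: a custom scheme can be invoked by anything on the device, so the app should only act on a callback that matches the specific request it has outstanding, and should drop the stored token once it has been used.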