How does this distinction make this solution any less secure? What exploits are 
possible here and not, say, using OpenID or HTTP Basic Auth?

EHL

> -----Original Message-----
> From: oauth@googlegroups.com [mailto:oa...@googlegroups.com] On Behalf Of Breno
> Sent: Friday, April 17, 2009 7:33 AM
> To: oauth@googlegroups.com
> Cc: OpenID user experience; DiSo Project
> Subject: [oauth] Re: http://apiwiki.twitter.com/Sign-in-with-Twitter
> 
> 
> Sorry, Eran, but it is not an authentication protocol. An
> authentication protocol must be signed by the authenticator, not by
> the authentication requester.
> 
> 
> 
> On Fri, Apr 17, 2009 at 12:26 AM, Eran Hammer-Lahav
> <e...@hueniverse.com> wrote:
> > Of course it is an authentication protocol. You make authenticated API
> > requests. It is also a delegation protocol in the way usernames and
> > passwords are exchanged for tokens.
> >
> >
> >
> > The only thing it doesn't have that OpenID has is discovery, but since it is
> > a single vendor solution, it doesn't need any.
> >
> >
> >
> > My thoughts [1].
> >
> >
> >
> > EHL
> >
> >
> >
> > [1] http://www.hueniverse.com/hueniverse/2009/04/twitter-connect.html
> >
> >
> >
> > From: oauth@googlegroups.com [mailto:oa...@googlegroups.com] On Behalf Of
> > Dirk Balfanz
> > Sent: Thursday, April 16, 2009 10:57 PM
> > To: OpenID user experience
> > Cc: oauth@googlegroups.com; DiSo Project
> > Subject: [oauth] Re: http://apiwiki.twitter.com/Sign-in-with-Twitter
> >
> >
> >
> > Is this Sign-in-with-Twitter supposed to be to sign into other sites using
> > your twitter account, as in "sign into myhealthrecord.com using your twitter
> > account"?
> >
> > I don't think that's secure - OAuth is not an authentication protocol.
> >
> > Dirk.
> >
> > On Thu, Apr 16, 2009 at 5:15 PM, Ben Clemens <bclem...@currentmedia.com>
> > wrote:
> >
> > The nascar situation is akin to the difficulty in handling share
> > (digg/facebook/email/myspace/buzz/etc/etc) options for content. Everyone has
> > it on content pages, but it's almost impossible to guess which subset of
> > sharing sites you can show without overwhelming people (actually there is a
> > hack to figure out which of them have been visited, but anyway...). Really
> > all you can do is choose 3-5 of them that work well and provide a link for
> > more.
> >
> > For choosing which identity providers, that means I'll pick Google
> > openid+oauth, Facebook, and Twitter to feature (and offer others
> > secondarily). It's unfair and leaves out major players, but at least I know
> > those offer my users solid authentication and pass basic user attributes so
> > I can make an account for them without a lot of trouble. Hopefully as people
> > start to use these the most reliable, seamless experience will win and
> > identity will settle around a few major players.
> >
> >
> > On 4/16/09 4:21 PM, "Chris Messina" <chris.mess...@gmail.com> wrote:
> >
> > Just wanted to point out that Twitter is now offering sign-in with one's
> > Twitter account using OAuth:
> >
> > http://apiwiki.twitter.com/Sign-in-with-Twitter
> >
> > And, as if we didn't have enough buttons for the NASCAR [1], you can now use
> > Twitter's button:
> >
> > http://twibs.com/oAuthButtons.php
> >
> > Oh, and it might interest some folks that there is an interesting conversation
> > going on about Twitter's authorization interface:
> >
> > http://groups.google.com/group/twitter-development-talk/browse_thread/thread/0a1739326384dac6?pli=1
> >
> > Chris
> >
> > [1] http://tr.im/fj_openid_nascar
> >
> 
> 
> 
> --
> Breno de Medeiros
> 
> 
