OpenID already has a standardized way to get the user's profile data (name, avatar image, email address) via SREG/AX without having to write any vendor-specific code. There's no equivalent to do this in OAuth, although PoCo will eventually take care of this, once discovery is implemented.
I also think it's strange how Twitter's OAuth service returns the user's twitter screen_name in the oauth_callback URL, without signing it. This seems to be asking for trouble. Although the documentation says that you're supposed to call the account/verify_credentials API to make sure that the user is properly authenticated, somebody is bound to just use the screen_name parameter in the callback, just because it's there. Allen Eran Hammer-Lahav wrote: > > Of course it is an authentication protocol. You make authenticated API > requests. It is also a delegation protocol in the way usernames and > passwords are exchanged for tokens. > > > > The only thing it doesn't have that OpenID has is discovery, but since > it is a single vendor solution, it doesn't need any. > > > > My thoughts [1]. > > > > EHL > > > > [1] http://www.hueniverse.com/hueniverse/2009/04/twitter-connect.html > > > > *From:* oauth@googlegroups.com [mailto:oa...@googlegroups.com] *On > Behalf Of *Dirk Balfanz > *Sent:* Thursday, April 16, 2009 10:57 PM > *To:* OpenID user experience > *Cc:* oauth@googlegroups.com; DiSo Project > *Subject:* [oauth] Re: http://apiwiki.twitter.com/Sign-in-with-Twitter > > > > Is this Sign-in-with-Twitter supposed to be to sign into other sites > using your twitter account, as in "sign into myhealthrecord.com > <http://myhealthrecord.com> using your twitter account"? > > I don't think that's secure - OAuth is not an authentication protocol. > > Dirk. > > On Thu, Apr 16, 2009 at 5:15 PM, Ben Clemens > <bclem...@currentmedia.com <mailto:bclem...@currentmedia.com>> wrote: > > The nascar situation is akin to the difficulty in handling share > (digg/facebook/email/myspace/buzz/etc/etc) options for content. > Everyone has it on content pages, but it's almost impossible to guess > which subset of sharing sites you can show without overwhelming people > (actually there is a hack to figure out which of them have been > visited, but anyway...). Really all you can do is choose 3-5 of them > that work well and provide a link for more. > > For choosing which identity providers, that means I'll pick Google > openid+oauth, Facebook, and Twitter to feature (and offer others > secondarily). It's unfair and leaves out major players, but at least I > know those offer my users solid authentication and pass basic user > attributes so I can make an account for them without a lot of trouble. > Hopefully as people start to use these the most reliable, seamless > experience will win and identity will settle around a few major players. > > > > > On 4/16/09 4:21 PM, "Chris Messina" <chris.mess...@gmail.com > <http://chris.mess...@gmail.com>> wrote: > > Just wanted to point out that Twitter is now offering sign-in with > one's Twitter account using OAuth: > > http://apiwiki.twitter.com/Sign-in-with-Twitter > > And, as if we didn't have enough buttons for the NASCAR [1], you > can now use Twitter's button: > > http://twibs.com/oAuthButtons.php > > Oh, and it might interest some folks that there are interesting > conversation going on about Twitter's authorization interface: > > > http://groups.google.com/group/twitter-development-talk/browse_thread/thread/0a1739326384dac6?pli=1 > > Chris > > [1] http://tr.im/fj_openid_nascar > > > _______________________________________________ > user-experience mailing list > user-experie...@openid.net <mailto:user-experie...@openid.net> > http://openid.net/mailman/listinfo/user-experience > > > > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
