My understanding is that you do not want to even prompt the user for
their username and password.  Effectively you want to set up, as
mentioned before, a valet credential system.  It's not the real key,
just enough to make the car go.

To that end we have taken an approach of letting the user know that
they can link their account to alternate services.  In order to allow
that, they have to create a credential that is not their username
or password.  It's an extra step for the user, to be sure.  But it
communicates to the user that:

1) Other systems are available in the world that might ask for this credential
2) This credential is not their username or password, so the core of
their account is safe, and they will only be asked for their username
and password on our site.

It also ensures that the worst a phisher could get is partial account
access; assuming the "partial" information is not sensitive, all is
well.

Granted, someone could just spoof the site, but that is a threat no
matter what; at some point the user has to take responsibility for
themselves.  I don't leave my credit cards lying around in public
overnight assuming everything will be fine.

That's my 2 cents though.  I don't have a problem with the redirect.



On Wed, Sep 30, 2009 at 12:15 PM, Sunir Shah <su...@freshbooks.com> wrote:
>
> I have a stupid question. When I hit the authorization page, Flickr
> claims it is a trusted Yahoo! application. How does Flickr know that?
> Is it relying on the consumer key and secret? My impression is that
> those could be compromised in a heartbeat. Or is it doing something
> more clever?
>
> Cheers,
> Sunir Shah, Chief Handshaker, FreshBooks
> (416) 481-6946 x224
> http://www.freshbooks.com/team/sunir
> http://twitter.com/sunir
>
> On 30-Sep-09, at 11:27 AM, Blaine Cook wrote:
>
>> I'd love to see some data on adoption of the Flickr
>> iPhone app; it does the "right" thing security-wise and does not ask
>> for a username / password, even though it's the native Flickr app
>> running on a highly controlled platform
>

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"OAuth" group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---
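The per-service "valet" credential the first message describes, written out as an added illustration (not code from this thread, from FreshBooks or from Flickr): each linked service gets its own random secret that is stored only as a hash, is limited to declared scopes and can be revoked without touching the user's password. Scope names and the class/method names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _hash(secret: str) -> str:
    # The secret is random and high-entropy, so a plain SHA-256 (no slow
    # KDF) is enough to keep a leaked table from yielding usable tokens.
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class ValetCredential:
    token_hash: str          # only the hash is stored, never the secret
    scopes: frozenset        # what this credential may do, and nothing else
    label: str               # which third-party service it was issued for
    revoked: bool = False


class AccountLinkStore:
    """Hypothetical store of 'valet' credentials for one account.

    The account's real password never enters this class, so a phished or
    leaked valet credential exposes at most its declared scopes and can be
    revoked on its own, which is the property argued for above.
    """

    def __init__(self) -> None:
        self._creds: dict[str, ValetCredential] = {}

    def issue(self, label: str, scopes) -> str:
        """Create a credential the user hands to a linked service (shown once)."""
        token_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._creds[token_id] = ValetCredential(_hash(secret), frozenset(scopes), label)
        return f"{token_id}.{secret}"

    def authorize(self, presented: str, needed_scope: str) -> bool:
        """True only if the token is known, unrevoked, matches and covers the scope."""
        token_id, _, secret = presented.partition(".")
        cred = self._creds.get(token_id)
        if cred is None or cred.revoked or not secret:
            return False
        if not hmac.compare_digest(cred.token_hash, _hash(secret)):
            return False  # constant-time compare of the stored and presented hashes
        return needed_scope in cred.scopes

    def revoke(self, presented: str) -> None:
        token_id = presented.partition(".")[0]
        if token_id in self._creds:
            self._creds[token_id].revoked = True
```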