On Mon, Oct 12, 2009 at 11:01 AM, Ryan Sarver <rsar...@twitter.com> wrote:
> > 1. What can be improved about the web workflow?
> > 2. What can be improved about the desktop workflow?
> > 3. What other models of distributed auth do you think we could learn
> > from and what specifically about them?
> > 4. What could we improve around the materials for integrating OAuth
> > into your application?
>
> This is a given coming from me (I wrote O'Reilly's FBML Essentials), but I strongly recommend looking at the way Facebook is doing it with Facebook Connect - if you're logged into Facebook and have authorized the app, no further auth is necessary - you click the "Connect with Facebook" button, Facebook tells your app it's already authorized (without sending the user through the authentication or authorization process again), and you can then give the user a session in your app. It's a simple one-click workflow that only turns into a more-than-one-click workflow when absolutely necessary.
>
> I also like that their authorization process naturally provides a popup instead of forcing the app to completely redirect to another site to authorize. True, you can do this on your own through a window.open() call of some sort with Twitter, but with Facebook, they provide all the code that does this process automatically. No worry about backend code or anything else on your part. It's very simple to implement (to the extent they've even built a Wizard to give you the code you need to copy and paste on your website).
>
> That's just my $.02. Maybe Twitter can try to work with Facebook (gasp!) to try and come up with an open protocol of some sort that standardizes this type of authorization effort. Let me know if I can help any in moving towards this type of authorization flow - it's a much simpler process IMO. (not to mention it opens up even greater possibilities in a desktop or mobile environment as well)
>
> Jesse
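The "one click unless absolutely necessary" behaviour Jesse describes comes down to one decision on the authorization server: skip the consent page only when the user is already logged in, the client is the registered one, and every requested scope was previously granted. The following is an added example, not code from this thread, from Twitter or from Facebook; the client registry, grant store and function names (REGISTERED_CLIENTS, GRANTS, authorize, record_consent) are constructed assumptions, and the redirect_uri check is the part a defender cares about, since an already-approved client must never get a code delivered to an unregistered URL.

```python
"""Added example: the consent-skipping decision behind a one-click auth flow.
Not the code of any real provider; data below is constructed sample data."""
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed registry: each client has exactly one registered redirect URI.
REGISTERED_CLIENTS = {
    "app123": {"redirect_uri": "https://app.example/cb"},
}

# Constructed store of prior approvals: (user_id, client_id) -> scopes granted.
GRANTS = {
    ("alice", "app123"): {"read"},
}


@dataclass
class AuthResult:
    # One of: "error", "login_required", "consent_required", "issue_code"
    action: str
    code: Optional[str] = None
    reason: Optional[str] = None


def authorize(session_user, client_id, redirect_uri, scopes):
    """Decide whether a request can be completed with no user interaction.

    session_user is the id of the user logged in at the provider, or None.
    """
    # 1. Validate the client and its redirect target before looking at the
    #    session: a mismatch is an error even for a fully approved client.
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        return AuthResult("error", reason="unknown client or redirect_uri mismatch")

    # 2. No provider session yet: the user has to log in first.
    if session_user is None:
        return AuthResult("login_required")

    # 3. Skip consent only if every requested scope was already granted;
    #    any new scope sends the user back through the consent page.
    requested = set(scopes)
    granted = GRANTS.get((session_user, client_id), set())
    missing = requested - granted
    if missing:
        return AuthResult("consent_required", reason=",".join(sorted(missing)))

    # 4. Everything already approved: issue a short-lived, single-use code
    #    that the client exchanges for a session/token server-to-server.
    return AuthResult("issue_code", code=secrets.token_urlsafe(24))


def record_consent(user_id, client_id, scopes):
    """Persist the scopes a user approved on the consent page."""
    GRANTS.setdefault((user_id, client_id), set()).update(scopes)
    return GRANTS[(user_id, client_id)]


if __name__ == "__main__":
    print(authorize("alice", "app123", "https://app.example/cb", ["read"]))
    print(authorize("alice", "app123", "https://app.example/cb", ["read", "write"]))
    print(authorize("alice", "app123", "https://evil.example/cb", ["read"]))
```

The popup versus full-page redirect question is purely client-side; whichever is used, the server-side decision above is what determines whether the user sees any screen at all, and the ordering (redirect check first, session second, scope comparison last) is what keeps the shortcut from becoming a way to leak codes to the wrong place.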