[oauth] Re: http://apiwiki.twitter.com/Sign-in-with-Twitter
Allen Tom
atom at yahoo-inc.com
Fri Apr 17 20:01:32 UTC 2009
OpenID already has a standardized way to get the user's profile data
(name, avatar image, email address) via SREG/AX without having to write
any vendor-specific code. There's no equivalent to do this in OAuth,
although PoCo will eventually take care of this, once discovery is
implemented.

I also think it's strange how Twitter's OAuth service returns the user's
Twitter screen_name in the oauth_callback URL, without signing it. This
seems to be asking for trouble. Although the documentation says that
you're supposed to call the account/verify_credentials API to make sure
that the user is properly authenticated, somebody is bound to just use
the screen_name parameter in the callback, just because it's there.

Allen

Eran Hammer-Lahav wrote:
>
> Of course it is an authentication protocol. You make authenticated API
> requests. It is also a delegation protocol in the way usernames and
> passwords are exchanged for tokens.
>
>
>
> The only thing it doesn't have that OpenID has is discovery, but since
> it is a single vendor solution, it doesn't need any.
>
>
>
> My thoughts [1].
>
>
>
> EHL
>
>
>
> [1] http://www.hueniverse.com/hueniverse/2009/04/twitter-connect.html
>
>
>
> *From:* oauth at googlegroups.com [mailto:oauth at googlegroups.com] *On
> Behalf Of *Dirk Balfanz
> *Sent:* Thursday, April 16, 2009 10:57 PM
> *To:* OpenID user experience
> *Cc:* oauth at googlegroups.com; DiSo Project
> *Subject:* [oauth] Re: http://apiwiki.twitter.com/Sign-in-with-Twitter
>
>
>
> Is this Sign-in-with-Twitter supposed to be to sign into other sites
> using your twitter account, as in "sign into myhealthrecord.com
> using your twitter account"?
>
> I don't think that's secure - OAuth is not an authentication protocol.
>
> Dirk.
>
> On Thu, Apr 16, 2009 at 5:15 PM, Ben Clemens
> <bclemens at currentmedia.com> wrote:
>
> The nascar situation is akin to the difficulty in handling share
> (digg/facebook/email/myspace/buzz/etc/etc) options for content.
> Everyone has it on content pages, but it's almost impossible to guess
> which subset of sharing sites you can show without overwhelming people
> (actually there is a hack to figure out which of them have been
> visited, but anyway...). Really all you can do is choose 3-5 of them
> that work well and provide a link for more.
>
> For choosing which identity providers, that means I'll pick Google
> openid+oauth, Facebook, and Twitter to feature (and offer others
> secondarily). It's unfair and leaves out major players, but at least I
> know those offer my users solid authentication and pass basic user
> attributes so I can make an account for them without a lot of trouble.
> Hopefully as people start to use these the most reliable, seamless
> experience will win and identity will settle around a few major players.
>
>
>
>
> On 4/16/09 4:21 PM, "Chris Messina" <chris.messina at gmail.com>
> wrote:
>
> Just wanted to point out that Twitter is now offering sign-in with
> one's Twitter account using OAuth:
>
> http://apiwiki.twitter.com/Sign-in-with-Twitter
>
> And, as if we didn't have enough buttons for the NASCAR [1], you
> can now use Twitter's button:
>
> http://twibs.com/oAuthButtons.php
>
> Oh, and it might interest some folks that there are interesting
> conversations going on about Twitter's authorization interface:
>
> http://groups.google.com/group/twitter-development-talk/browse_thread/thread/0a1739326384dac6?pli=1
>
> Chris
>
> [1] http://tr.im/fj_openid_nascar
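
Added example, not part of the original message and not Twitter's or any library's code: a consumer callback handler that trusts the unsigned screen_name parameter, next to one that takes the identity from an authenticated account/verify_credentials response. The provider is a constructed in-memory stub, and every function name, token and URL below is hypothetical.

```python
from urllib.parse import urlparse, parse_qs

# Constructed stand-in for the provider's state (a real consumer would make
# signed OAuth requests instead of reading dictionaries).
ACCESS_TOKENS = {"reqtok-123": "acctok-9"}   # approved request token -> access token
ACCOUNTS = {"acctok-9": "alice"}             # access token -> account that approved it

def exchange_request_token(request_token):
    """Hypothetical stub for the signed request-token-to-access-token exchange."""
    if request_token not in ACCESS_TOKENS:
        raise PermissionError("request token was not authorized")
    return ACCESS_TOKENS[request_token]

def verify_credentials(access_token):
    """Hypothetical stub for a signed account/verify_credentials call."""
    return {"screen_name": ACCOUNTS[access_token]}

def callback_params(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def login_naive(url):
    # Trusts the unsigned query parameter: whoever builds the URL picks the user.
    return callback_params(url)["screen_name"]

def login_verified(url, session_request_token):
    params = callback_params(url)
    # Bind the callback to the request token this browser session started with.
    if params.get("oauth_token") != session_request_token:
        raise PermissionError("callback does not match this session")
    access_token = exchange_request_token(params["oauth_token"])
    # Identity comes from the authenticated API response; the screen_name
    # in the callback URL is never read.
    return verify_credentials(access_token)["screen_name"]

# Constructed callback URLs; the second has an edited screen_name value.
HONEST = "https://consumer.example/cb?oauth_token=reqtok-123&screen_name=alice"
EDITED = "https://consumer.example/cb?oauth_token=reqtok-123&screen_name=bob"

if __name__ == "__main__":
    for url in (HONEST, EDITED):
        print("naive:", login_naive(url),
              "| verified:", login_verified(url, "reqtok-123"))
```
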