[oauth] Re: http://apiwiki.twitter.com/Sign-in-with-Twitter

Joseph A Holsten joseph at josephholsten.com
Sun Apr 19 04:58:36 UTC 2009


It's a ticket granting protocol. If that ticket is used for
authentication or capabilities authorization, that's your business. If
your ticket server isn't signing the access token response, you're
doing it wrong. Also, can we pick a list?

On Apr 17, 2009, at 9:32 AM, Breno wrote:

> Sorry, Eran, but it is not an authentication protocol. An
> authentication protocol must be signed by the authenticator, not by
> the authentication requester.
>
>
>
> On Fri, Apr 17, 2009 at 12:26 AM, Eran Hammer-Lahav <eran at hueniverse.com> wrote:
>> Of course it is an authentication protocol. You make authenticated API
>> requests. It is also a delegation protocol in the way usernames and
>> passwords are exchanged for tokens.
>>
>>
>>
>> The only thing it doesn’t have that OpenID has is discovery, but since it is
>> a single vendor solution, it doesn’t need any.
>>
>>
>>
>> My thoughts [1].
>>
>>
>>
>> EHL
>>
>>
>>
>> [1] http://www.hueniverse.com/hueniverse/2009/04/twitter-connect.html
>>
>>
>>
>> From: oauth at googlegroups.com [mailto:oauth at googlegroups.com] On Behalf Of
>> Dirk Balfanz
>> Sent: Thursday, April 16, 2009 10:57 PM
>> To: OpenID user experience
>> Cc: oauth at googlegroups.com; DiSo Project
>> Subject: [oauth] Re: http://apiwiki.twitter.com/Sign-in-with-Twitter
>>
>>
>>
>> Is this Sign-in-with-Twitter supposed to be to sign into other sites using
>> your twitter account, as in "sign into myhealthrecord.com using your twitter
>> account"?
>>
>> I don't think that's secure - OAuth is not an authentication protocol.
>>
>> Dirk.
>>
>> On Thu, Apr 16, 2009 at 5:15 PM, Ben Clemens <bclemens at currentmedia.com> wrote:
>>
>> The nascar situation is akin to the difficulty in handling share
>> (digg/facebook/email/myspace/buzz/etc/etc) options for content. Everyone has
>> it on content pages, but it’s almost impossible to guess which subset of
>> sharing sites you can show without overwhelming people (actually there is a
>> hack to figure out which of them have been visited, but anyway...). Really
>> all you can do is choose 3-5 of them that work well and provide a link for
>> more.
>>
>> For choosing which identity providers, that means I’ll pick Google
>> openid+oauth, Facebook, and Twitter to feature (and offer others
>> secondarily). It’s unfair and leaves out major players, but at least I know
>> those offer my users solid authentication and pass basic user attributes so
>> I can make an account for them without a lot of trouble. Hopefully as people
>> start to use these the most reliable, seamless experience will win and
>> identity will settle around a few major players.
>>
>>
>> On 4/16/09 4:21 PM, "Chris Messina" <chris.messina at gmail.com> wrote:
>>
>> Just wanted to point out that Twitter is now offering sign-in with one's
>> Twitter account using OAuth:
>>
>> http://apiwiki.twitter.com/Sign-in-with-Twitter
>>
>> And, as if we didn't have enough buttons for the NASCAR [1], you can now use
>> Twitter's button:
>>
>> http://twibs.com/oAuthButtons.php
>>
>> Oh, and it might interest some folks that there is an interesting conversation
>> going on about Twitter's authorization interface:
>>
>> http://groups.google.com/group/twitter-development-talk/browse_thread/thread/0a1739326384dac6?pli=1
>>
>> Chris
>>
>> [1] http://tr.im/fj_openid_nascar
>>
>> _______________________________________________
>> user-experience mailing list
>> user-experience at openid.net
>> http://openid.net/mailman/listinfo/user-experience
>>
>>
>>
>>
>
>
>
> -- 
> Breno de Medeiros
> _______________________________________________
> user-experience mailing list
> user-experience at openid.net
> http://openid.net/mailman/listinfo/user-experience
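
An added example, not part of any message in this thread and not Twitter's or OAuth's own code: one way a provider could sign the access token response so that the consumer can treat it as a statement about who the user is. The field names `user_id`, `audience`, `issued_at` and `response_signature`, the sample key and secret, and the use of HMAC-SHA256 keyed with the consumer secret in place of a provider signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

# Constructed sample values; none of these come from the thread or from Twitter.
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = b"example-consumer-secret"
MAX_AGE = 300  # seconds a signed response stays acceptable (assumed policy)

def _mac(fields, secret):
    # Sign a canonical (sorted) encoding so both sides hash identical bytes.
    base = urlencode(sorted(fields.items())).encode()
    return hmac.new(secret, base, hashlib.sha256).hexdigest()

def issue_token_response(user_id, consumer_key, secret, now=None):
    """Provider side: bind the user, the intended consumer and the issue time."""
    fields = {
        "oauth_token": "example-access-token",  # placeholder token value
        "user_id": user_id,
        "audience": consumer_key,
        "issued_at": str(int(time.time() if now is None else now)),
    }
    fields["response_signature"] = _mac(fields, secret)
    return urlencode(fields)

def verify_token_response(body, consumer_key, secret, now=None):
    """Consumer side: return the user id only if the provider's signature,
    the audience and the freshness all check out; otherwise None."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    sig = fields.pop("response_signature", None)
    expected = _mac(fields, secret)
    if sig is None or not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # unsigned or altered: proves nothing about the user
    if fields.get("audience") != consumer_key:
        return None  # issued for a different consumer
    age = (time.time() if now is None else now) - int(fields.get("issued_at", 0))
    if not 0 <= age <= MAX_AGE:
        return None  # stale or future-dated response
    return fields.get("user_id")
```

A response that carries only the token, with no signature over the user and the audience, is rejected by `verify_token_response`, which is the gap the replies above are arguing about.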



