OpenID in desktop apps

Joseph A Holsten joseph at josephholsten.com
Sun Feb 8 02:49:10 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris Messina supposedly wrote:

> I wanted to point out a disturbing but insightful trend that I've  
> seen in apps, both on the Mac and iPhone lately... essentially  
> embedding a WebKit view inside the app for doing delegated  
> authentication. Example:
>
> http://www.flickr.com/photos/factoryjoe/3260710115/
>
> Without the URL bar (presuming that the URL bar hasn't been  
> tampered with), it's impossible to know who is hosting this page.  
> Facebook is also none-the-wiser about whether this experience is  
> taking place from within the browser or within some custom app. I  
> also don't see how this can be stopped.
>
> I'd like to hear your thoughts about this, given our desire to push  
> the popup experience forward, mandating, I presume, visibility of  
> the URL bar in these flows.

Much as I appreciate the feedback of the browser bar, it's still  
fallible. Even broken ssl certs go ignored. I personally keep mine  
hidden by default.

Is showing the browser bar the 80% that matters? Is a deeper change  
needed?

http://josephholsten.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkmOSCcACgkQrPgSa0qMrmFp5wCgiA8/UWffKqd3uZiM9A9VbXuN
mHQAn3T4FhYaTQLPIrNvVq5VNZ4jIfQH
=hy8b
-----END PGP SIGNATURE-----



More information about the user-experience mailing list