Popup flow

Chris Messina chris.messina at gmail.com
Wed Sep 23 02:54:13 UTC 2009


I just discovered that AOL's new lifestreaming service (
http://lifestream.aim.com/) does a pretty neat trick with their popup UI for
Twitter's OAuth experience. Check it out:
http://flic.kr/p/71L1qq

Note the tooltip in the dimmed parent window: "If this overlay remains after
you have cancelled authenticating a service, click here to close it!".

Chris

On Mon, Sep 21, 2009 at 5:50 PM, Allen Tom <atom at yahoo-inc.com> wrote:

> Hi Darren,
>
> I am not aware of any OAuth SPs which condone having their Login/Approval
> pages framed by a 3rd party website.  If the site embeds the SP's Login
> screen, the user has no way of telling if they're being phished.
>
> The OpenID Popup Extension requires the RP to open the popup window with
> the Address Bar clearly displayed, and explicitly forbids the OP's
> Login/Approval screen from being framed. Given that the address bar is
> displayed, the security properties of the popup window are identical to the
> browser redirect.
>
> Allen
>
> Darren Bounds wrote:
>
>> I find it curious that these compromises have been embraced by the
>> OAuth community to support a greater UX but they are not being
>> embraced by OpenID. After all, isn't an iPhone UIWebView control just
>> a different type of iFrame? You're still trusting the parent application
>> not to do something malicious.
>>
>>
>



-- 
Chris Messina
Open Web Advocate

Personal: http://factoryjoe.com
Follow me on Twitter: http://twitter.com/chrismessina

Citizen Agency: http://citizenagency.com
Diso Project: http://diso-project.org
OpenID Foundation: http://openid.net

This email is:   [ ] shareable    [X] ask first   [ ] private
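
Added example, not part of the original thread or of the OpenID Popup Extension: a JavaScript check a provider could run over its own Login/Approval responses to confirm that a third-party site cannot frame them, which is the property Allen Tom describes above. It goes beyond the emails by relying on the `X-Frame-Options` and CSP `frame-ancestors` response headers, which the thread does not mention; the function names are hypothetical and the header sets used with it are constructed.

```javascript
// Added example (not from the thread): classify the anti-framing policy that a
// login page's response headers express. Function names are hypothetical.
function framingPolicy(headers) {
  // HTTP header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // In browsers that support it, CSP frame-ancestors overrides X-Frame-Options.
  const csp = h['content-security-policy'];
  if (csp) {
    for (const directive of csp.split(';')) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name.toLowerCase() !== 'frame-ancestors') continue;
      const s = sources.map((x) => x.toLowerCase());
      // An empty source list matches nothing, the same as 'none'.
      if (s.length === 0 || (s.length === 1 && s[0] === "'none'")) return 'blocked';
      if (s.includes('*')) return 'unprotected';
      if (s.every((x) => x === "'self'")) return 'same-origin-only';
      // Any other source list lets at least one other origin frame the page.
      return 'allowlist';
    }
  }

  // Fallback: X-Frame-Options. Unrecognised values, including the obsolete
  // ALLOW-FROM form that current browsers ignore, count as unprotected.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return 'same-origin-only';
  return 'unprotected';
}

// A Login/Approval page passes only if no third-party origin can embed it.
function safeForLogin(headers) {
  const policy = framingPolicy(headers);
  return policy === 'blocked' || policy === 'same-origin-only';
}

// Constructed sample responses for a hypothetical provider login page.
const samples = {
  strict: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  legacy: { 'X-Frame-Options': 'sameorigin' },
  partner: { 'X-Frame-Options': 'DENY',
             'Content-Security-Policy': 'frame-ancestors https://rp.example' },
  bare: { 'Content-Type': 'text/html' },
};
for (const [name, hdrs] of Object.entries(samples)) {
  console.log(name, framingPolicy(hdrs), safeForLogin(hdrs));
}
```

The `partner` sample shows why both headers have to be read together: the `DENY` value is overridden by the `frame-ancestors` list, so the page can still be embedded by the listed origin.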