<div class="gmail_quote">On Sat, Feb 21, 2009 at 6:55 AM, Christian Scholz / Tao Takashi (SL) <span dir="ltr"><<a href="mailto:tao.takashi@googlemail.com">tao.takashi@googlemail.com</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="gmail_quote"><div><br>I guess you wanted to link to <a href="http://wiki.oauth.net/iPhoto-to-Flickr" target="_blank">http://wiki.oauth.net/iPhoto-to-Flickr</a></div></div></blockquote><div><br></div><div>Whoops, thanks!</div>
<div> </div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="gmail_quote"><div><br></div><div class="Ih2E3d"><blockquote class="gmail_quote" style="border-left:1px solid rgb(204, 204, 204);margin:0pt 0pt 0pt 0.8ex;padding-left:1ex">
<div>Would be happy to have a discussion about these current examples, especially in light of some of the recent feedback from Twitter devs [1][2].</div>
</blockquote></div><div><br>So I am wondering in the iPhone case how I can be sure that I am really at yahoo and not somewhere else. I don't see any URL, whether it's SSL or not etc. and even if I would this application could of course fake this as well (which I guess is also the point in [1]). So I agree with [1] that a better way would be something inside the OS to provide that but that this of course also might not happen (or at least soon). </div>
</div></blockquote><div><br></div><div>Exactly. Changing the OS is a long way off if people want to use these technologies today.</div><div><br></div><div>As far as the security issues, this is a problem that was discussed recently on the OpenID User Experience list:</div>
<div><br></div><div>First message:</div><div><br></div><div><a href="http://openid.net/pipermail/user-experience/2009-February/000298.html">http://openid.net/pipermail/user-experience/2009-February/000298.html</a><br></div>
<div><br></div><div>Follow the thread:</div><div><br></div><div><a href="http://openid.net/pipermail/user-experience/2009-February/thread.html">http://openid.net/pipermail/user-experience/2009-February/thread.html</a><br>
</div><div><br></div><div>I can't say that we came to a satisfying conclusion. </div><div><br></div><div>However, one option could be to do the authentication bit in the app, and if the user is concerned about using the built-in browser, offer a link to sign in via the browser. Of course, if it's a nefarious app, they probably will just not include that link, and without UI consistency where people know to look for such a thing, that may be a moot option.</div>
<div><br></div><div>Therein lies the argument *against* popping the authentication to the browser: if you're using a nefarious app and have launched it, you're probably hosed already. </div><div><br></div><div>It's probably just a matter of time before some Jailbroken iPhone app for Facebook proves this point, so we're at a cross-roads between user education and usability.</div>
<div> </div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="gmail_quote"><div><br>I also see this more as a problem for e.g. the iPhone where you usually need to close the application in order to jump to safari. This is not such a problem on the desktop and (as you demonstrate) has been done for quite a while with flickr.</div>
</div></blockquote><div><br></div><div>Pownce actually did this, and I don't think that the experience was all that bad:</div><div><br></div><div><a href="https://wiki.oauth.net/OAuth-for-Pownce-on-iPhone">https://wiki.oauth.net/OAuth-for-Pownce-on-iPhone</a> </div>
<div><br></div><div>With using custom protocol handlers, you can make the experience quite smooth actually. Confining the user to the task at hand is a bit harder, but it's not impossible to handle the case where the user never completes authentication.</div>
<div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="gmail_quote"><div><br>I also agree with [2] that authenticating for multiple services might make this whole process a bit annoying. We might also face this issue in the proposed MMOX IETF working group[3] if we go with OAuth and in order to connect to a world you might first need to authorize various services (profile, inventory, contacts, IM, ...).</div>
</div></blockquote><div><br></div><div>Yeah, this is why I advocate for strong identity, and an identity hub that essentially talks to your federated services on your behalf, but is your single point of authorizing third party apps to interact with your stuff.</div>
<div><br></div><div>I hope these visual examples help to demonstrate current practices in the wild. I know that this kind of thing freaks us out:</div><div><br></div><div><a href="http://www.flickr.com/photos/factoryjoe/3260710115/">http://www.flickr.com/photos/factoryjoe/3260710115/</a><br>
</div><div><br></div><div>...but it's clear that that's not the case for all developers.</div></div><div><br></div><div>Chris</div><br>-- <br>Chris Messina<br>Citizen-Participant &<br> Open Web Advocate-at-Large<br>
<br><a href="http://factoryjoe.com">factoryjoe.com</a> # <a href="http://diso-project.org">diso-project.org</a><br><a href="http://citizenagency.com">citizenagency.com</a> # <a href="http://vidoop.com">vidoop.com</a><br>This email is: [ ] bloggable [X] ask first [ ] private<br>