<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
OpenID already has a standardized way to get the user's profile data
(name, avatar image, email address) via SREG/AX without having to write
any vendor-specific code. There's no equivalent to do this in OAuth,
although PoCo will eventually take care of this, once discovery is
implemented. <br>
<br>
I also think it's strange how Twitter's OAuth service returns the
user's twitter screen_name in the oauth_callback URL, without signing
it. This seems to be asking for trouble. Although the documentation
says that you're supposed to call the account/verify_credentials API to
make sure that the user is properly authenticated, somebody is bound to
just use the screen_name parameter in the callback, just because it's
there.<br>
<br>
Allen<br>
<br>
Eran Hammer-Lahav wrote:
<blockquote
cite="mid:90C41DD21FB7C64BB94121FBBC2E72342509B87DA9@P3PW5EX1MB01.EX1.SECURESERVER.NET"
type="cite">
<meta http-equiv="Content-Type" content="text/html; ">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="Section1">
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">Of
course it is an authentication protocol. You make
authenticated API requests. It is also a delegation protocol in the way
usernames and passwords are exchanged for tokens.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">The
only thing it doesn’t have that OpenID has is discovery, but
since it is a single vendor solution, it doesn’t need any.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">My
thoughts [1].<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">EHL<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">[1]
<a class="moz-txt-link-freetext" href="http://www.hueniverse.com/hueniverse/2009/04/twitter-connect.html">http://www.hueniverse.com/hueniverse/2009/04/twitter-connect.html</a><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<div
style="border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color blue; border-width: medium medium medium 1.5pt; padding: 0in 0in 0in 4pt;">
<div>
<div
style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p class="MsoNormal"><b><span
style="font-size: 10pt; font-family: "Tahoma","sans-serif";">From:</span></b><span
style="font-size: 10pt; font-family: "Tahoma","sans-serif";">
<a class="moz-txt-link-abbreviated" href="mailto:oauth@googlegroups.com">oauth@googlegroups.com</a> [<a class="moz-txt-link-freetext" href="mailto:oauth@googlegroups.com">mailto:oauth@googlegroups.com</a>] <b>On Behalf Of
</b>Dirk
Balfanz<br>
<b>Sent:</b> Thursday, April 16, 2009 10:57 PM<br>
<b>To:</b> OpenID user experience<br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:oauth@googlegroups.com">oauth@googlegroups.com</a>; DiSo Project<br>
<b>Subject:</b> [oauth] Re:
<a class="moz-txt-link-freetext" href="http://apiwiki.twitter.com/Sign-in-with-Twitter">http://apiwiki.twitter.com/Sign-in-with-Twitter</a><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom: 12pt;">Is this
Sign-in-with-Twitter
supposed to be to sign into other sites using your twitter account, as
in
"sign into <a moz-do-not-send="true" href="http://myhealthrecord.com">myhealthrecord.com</a>
using your twitter account"? <br>
<br>
I don't think that's secure - OAuth is not an authentication protocol. <br>
<br>
Dirk.<o:p></o:p></p>
<div>
<p class="MsoNormal">On Thu, Apr 16, 2009 at 5:15 PM, Ben Clemens <<a
moz-do-not-send="true" href="mailto:bclemens@currentmedia.com">bclemens@currentmedia.com</a>>
wrote:<o:p></o:p></p>
<div>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif";">The
nascar situation is akin to the difficulty in handling share
(digg/facebook/email/myspace/buzz/etc/etc) options for content.
Everyone has it
on content pages, but it’s almost impossible to guess which subset of
sharing
sites you can show without overwhelming people (actually there is a
hack to
figure out which of them have been visited, but anyway...). Really all
you can
do is choose 3-5 of them that work well and provide a link for more. <br>
<br>
For choosing which identity providers, that means I’ll pick Google
openid+oauth, Facebook, and Twitter to feature (and offer others
secondarily).
It’s unfair and leaves out major players, but at least I know those
offer my
users solid authentication and pass basic user attributes so I can make
an
account for them without a lot of trouble. Hopefully as people start to
use
these the most reliable, seamless experience will win and identity will
settle
around a few major players.<o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="margin-bottom: 12pt;"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif";"><br>
<br>
<br>
On 4/16/09 4:21 PM, "Chris Messina" <<a moz-do-not-send="true"
href="http://chris.messina@gmail.com" target="_blank">chris.messina@gmail.com</a>>
wrote:<o:p></o:p></span></p>
</div>
<div>
<blockquote style="margin-top: 5pt; margin-bottom: 5pt;">
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif";">Just
wanted to point out that Twitter is now offering sign-in with one's
Twitter
account using OAuth:<br>
<br>
<a moz-do-not-send="true"
href="http://apiwiki.twitter.com/Sign-in-with-Twitter" target="_blank">http://apiwiki.twitter.com/Sign-in-with-Twitter</a><br>
<br>
And, as if we didn't have enough buttons for the NASCAR [1], you can
now use
Twitter's button:<br>
<br>
<a moz-do-not-send="true" href="http://twibs.com/oAuthButtons.php"
target="_blank">http://twibs.com/oAuthButtons.php</a><br>
<br>
Oh, and it might interest some folks that there are interesting
conversation
going on about Twitter's authorization interface:<br>
<br>
<a moz-do-not-send="true"
href="http://groups.google.com/group/twitter-development-talk/browse_thread/thread/0a1739326384dac6?pli=1"
target="_blank">http://groups.google.com/group/twitter-development-talk/browse_thread/thread/0a1739326384dac6?pli=1</a><br>
<br>
Chris<br>
<br>
[1] <a moz-do-not-send="true" href="http://tr.im/fj_openid_nascar"
target="_blank">http://tr.im/fj_openid_nascar</a></span><o:p></o:p></p>
</blockquote>
</div>
</div>
<p class="MsoNormal" style="margin-bottom: 12pt;"><br>
_______________________________________________<br>
user-experience mailing list<br>
<a moz-do-not-send="true" href="mailto:user-experience@openid.net">user-experience@openid.net</a><br>
<a moz-do-not-send="true"
href="http://openid.net/mailman/listinfo/user-experience"
target="_blank">http://openid.net/mailman/listinfo/user-experience</a><o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom: 12pt;"><br>
<br>
</p>
</div>
</div>
<br>
--~--~---------~--~----~------------~-------~--~----~<br>
You received this message because you are subscribed to the Google
Groups "OAuth" group. <br>
To post to this group, send email to <a class="moz-txt-link-abbreviated" href="mailto:oauth@googlegroups.com">oauth@googlegroups.com</a> <br>
To unsubscribe from this group, send email to
<a class="moz-txt-link-abbreviated" href="mailto:oauth+unsubscribe@googlegroups.com">oauth+unsubscribe@googlegroups.com</a> <br>
For more options, visit this group at
<a class="moz-txt-link-freetext" href="http://groups.google.com/group/oauth?hl=en">http://groups.google.com/group/oauth?hl=en</a><br>
-~----------~----~----~----~------~----~------~--~---<br>
<br>
</blockquote>
<br>
</body>
</html>