I just discovered that AOL's new lifestreaming service (<a href="http://lifestream.aim.com/">http://lifestream.aim.com/</a>) does a pretty neat trick with their popup UI for Twitter's OAuth experience. Check it out:<div>
<br></div><div><a href="http://flic.kr/p/71L1qq">http://flic.kr/p/71L1qq</a></div><div><br></div><div>Note the tooltip in the dimmed parent window: "If this overlay remains after you have cancelled authenticating a service, click here to close it!".</div>
<div><br></div><div>Chris<br><br><div class="gmail_quote">On Mon, Sep 21, 2009 at 5:50 PM, Allen Tom <span dir="ltr"><<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Hi Darren,<br>
<br>
I am not aware of any OAuth SPs which condone having their Login/Approval pages framed by a 3rd party website. If the site embeds the SP's Login screen, the user has no way of telling if they're being phished.<br>
<br>
The OpenID Popup Extension requires the RP to open the popup window with the Address Bar clearly displayed, and explicitly forbids the OP's Login/Approval screen from being framed. Given that the address bar is displayed, the security properties of the popup window are identical to the browser redirect.<br>
<font color="#888888">
<br>
Allen</font><div class="im"><br>
<br>
Darren Bounds wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I find it curious that these compromises have been embraced by the<br>
OAuth community to support a greater UX but they are not being<br>
embraced by OpenID. After all, isn't an iPhone UIWebView control just<br>
a different type of iFrame? You're still trusting the parent application<br>
not to do something malicious.<br>
<br>
</blockquote>
<br></div><div><div></div><div class="h5">
_______________________________________________<br>
user-experience mailing list<br>
<a href="mailto:user-experience@lists.openid.net" target="_blank">user-experience@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-user-experience" target="_blank">http://lists.openid.net/mailman/listinfo/openid-user-experience</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Chris Messina<br>Open Web Advocate<br><br>Personal: <a href="http://factoryjoe.com">http://factoryjoe.com</a><br>Follow me on Twitter: <a href="http://twitter.com/chrismessina">http://twitter.com/chrismessina</a><br>
<br>Citizen Agency: <a href="http://citizenagency.com">http://citizenagency.com</a><br>Diso Project: <a href="http://diso-project.org">http://diso-project.org</a><br>OpenID Foundation: <a href="http://openid.net">http://openid.net</a><br>
<br>This email is: [ ] shareable [X] ask first [ ] private<br>
</div>
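The two requirements Allen describes above, as an added example that is not code from the thread or from any OpenID library: the RP opens the OP in a popup that asks for the address bar, and the OP refuses to render its Login/Approval page inside any frame, using the standard X-Frame-Options and CSP frame-ancestors headers plus a client-side check. The window-like and response-like objects are injected (an assumption made so the code runs outside a browser); the endpoint URL is a placeholder.

```javascript
// Added example, not from the thread. RP side: open the OP in a popup.
// `location=yes` asks the browser to show the address bar so the user can
// verify the OP's origin; browsers generally force it on for popups anyway,
// but the request must not omit it. Minimum sizes keep the URL readable.
function popupFeatures(width, height) {
  const w = Math.max(400, width | 0);
  const h = Math.max(300, height | 0);
  return `location=yes,toolbar=no,menubar=no,resizable=yes,width=${w},height=${h}`;
}

// `win` is a window-like object (injected assumption). Only https endpoints
// are opened so the address bar shows a verifiable origin and padlock.
function openOpenIdPopup(win, opEndpointUrl) {
  if (!/^https:\/\//i.test(opEndpointUrl)) {
    throw new Error('OP endpoint must be https');
  }
  return win.open(opEndpointUrl, 'openid_popup', popupFeatures(450, 500));
}

// OP side, server: anti-framing headers on the Login/Approval response.
// `res` is a response-like object with setHeader (injected assumption).
// frame-ancestors supersedes X-Frame-Options; sending both covers old and new browsers.
function setAntiFramingHeaders(res) {
  res.setHeader('X-Frame-Options', 'DENY');
  res.setHeader('Content-Security-Policy', "frame-ancestors 'none'");
  return res;
}

// OP side, client: defense in depth for browsers that ignore the headers.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    // A cross-origin parent makes win.top throw; that alone proves we are framed.
    return true;
  }
}

// Never render credential fields when framed; replace the body with a notice.
function guardLoginPage(win, doc) {
  if (!isFramed(win)) return 'render';
  doc.body.textContent = 'This sign-in page cannot be displayed inside another site.';
  return 'blocked';
}
```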