by copsarebastards 3890 days ago
> I do not know who is the uneducated here, but in the case of OAuth, the other company already has the user data.

No, they don't. Google, for example, doesn't have the entire signup list of all the users of The Old Reader, but they have a lot of The Old Reader's users, because The Old Reader outsources authorization for some of its users to Google. That's data that Google is collecting via OAuth, and you'd better believe they use that data.

> What OAuth enables is to use their information to verify the user.

That's what it enables for the OAuth consumer, but there are far easier ways of doing that. The difficulties of OAuth exist because OAuth doesn't serve the OAuth consumer's needs, it serves the OAuth provider's needs.

1 comments

On the first point I think we are talking about two different things. I am not talking about the entire signup list of Old Reader, I am talking about a user of Old Reader that uses Google OAuth to access Old Reader. In this case Google already has this particular user data.

Don't agree on the second one. What it does is serve the site owner's needs. They can choose to provide OAuth or not. Some provide it to make it easier for their users to login, and they also provide their own authentication otherwise, other sites use OAuth only and some sites just their own. Most see it as a benefit for their users to only use one login. The benefit for the OAuth providers is a stronger relationship with that particular user.

> On the first point I think we are talking about two different things. I am not talking about the entire signup list of Old Reader, I am talking about a user of Old Reader that uses Google OAuth to access Old Reader. In this case Google already has this particular user data.

We're talking about different things because you missed my point a few posts ago when I said that the problem it solves is "how do we (a big company) get smaller companies to outsource as much of their user data as possible to us". User lists are data.

> Some provide it to make it easier for their users to login

If that's their goal, they're failing to achieve it. OAuth requires more steps than a simple username/password signup form, including going to a completely different site to give permission to log in with your data. Google/Facebook/etc. and other OAuth providers aren't stupid: they know that's not a good solution to that problem. If they really wanted to solve that problem they'd write a login library (something like Reddit's signup/login system) which would solve that problem better. The reason OAuth isn't implemented that way is that the goal of OAuth is not to make it easier to sign up and log in.

> Most see it as a benefit for their users to only use one login.

There is nothing that stops users from using one login everywhere; OAuth does not aid this in any way. I use the same login on all the sites where I don't care about the security of my account.

You have yet to make any compelling argument that users or sites which use OAuth are gaining any benefit from OAuth. The only people who benefit from OAuth are OAuth providers.

> You have yet to make any compelling argument that users or sites which use OAuth are gaining any benefit from OAuth. The only people who benefit from OAuth are OAuth providers.

I am not making a compelling argument for or against OAuth. My point is that you do not understand how OAuth works. The user is already a user of the OAuth provider. The outsourcing is not decided by the OAuth provider, it is decided by the site owner, and it is the user that decides to use this option or not.

And as stated above, this post is saying that the method stinks.