by joe_the_user
5308 days ago
The "ideal" is to give the app permissions akin to another account. This way the app only changes what the user says it can change, etc., even to the point that users can upgrade or downgrade these permissions later. The most obvious advantage is the app doesn't have to learn the user's new password when they change passwords. But you're right, the whole dance of having the app never `touch` the user's password is bullshit, a pretense cooked up by bureaucracy. You could get all the meaningful functionality of OAuth by letting apps request a single "permission key" when they log in - with the user's password. On the other hand, if a site wants real, meaningful security, it could give each user a separate "app password" that they authorize apps with. That would provide real protection - but since it requires one teensy extra step for the end user, it will never, ever fly.
http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-1....
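A minimal in-memory model of the two designs the comment above contrasts, added here as an illustration and not part of the original comment or of any real site's code: a scoped "permission key" (random token bound to user, app and scopes, adjustable and revocable without reissue, unaffected by a password change) beside separate per-app passwords (individually revocable, but all-or-nothing). Every name in it (AuthServer, grant, authorize, set_scopes, the alice/hunter2 account, the app names) is made up for the example.

```python
import hashlib
import hmac
import secrets


def _digest(secret: str) -> str:
    # SHA-256 is adequate for the high-entropy random tokens and app passwords
    # below. A real server would hash the user's own low-entropy password with a
    # slow, salted KDF (scrypt/argon2); plain SHA-256 is used here only for brevity.
    return hashlib.sha256(secret.encode()).hexdigest()


class AuthServer:
    """Hypothetical site: issues scoped tokens and per-app passwords."""

    def __init__(self) -> None:
        self.users = {}          # username -> password digest
        self.grants = {}         # token digest -> {"user", "app", "scopes"}
        self.app_passwords = {}  # (username, app) -> app-password digest

    # --- user accounts ---------------------------------------------------
    def register_user(self, username: str, password: str) -> None:
        self.users[username] = _digest(password)

    def check_password(self, username: str, password: str) -> bool:
        stored = self.users.get(username)
        return stored is not None and hmac.compare_digest(stored, _digest(password))

    def change_password(self, username: str, old: str, new: str) -> None:
        if not self.check_password(username, old):
            raise PermissionError("bad password")
        # Grants and app passwords are keyed on the user, not the password,
        # so rotating the password leaves every app's credential valid.
        self.users[username] = _digest(new)

    # --- scoped tokens (the "permission key" the comment describes) ------
    def grant(self, username: str, password: str, app: str, scopes) -> str:
        """User logs in once; the app gets a random token bound to
        (user, app, scopes) and never holds the password itself."""
        if not self.check_password(username, password):
            raise PermissionError("bad password")
        token = secrets.token_urlsafe(32)
        self.grants[_digest(token)] = {"user": username, "app": app, "scopes": set(scopes)}
        return token

    def authorize(self, token: str, scope: str) -> bool:
        """Per-request check: the token must exist and carry the scope."""
        grant = self.grants.get(_digest(token))
        return grant is not None and scope in grant["scopes"]

    def set_scopes(self, username: str, app: str, scopes) -> None:
        """User upgrades/downgrades an app's permissions in place; the app
        keeps its existing token and need not re-authenticate."""
        for grant in self.grants.values():
            if grant["user"] == username and grant["app"] == app:
                grant["scopes"] = set(scopes)

    def revoke(self, username: str, app: str) -> None:
        self.grants = {d: g for d, g in self.grants.items()
                       if not (g["user"] == username and g["app"] == app)}

    # --- per-app passwords (the comment's alternative) -------------------
    def issue_app_password(self, username: str, password: str, app: str) -> str:
        """Separate random password the user hands to exactly one app.
        Revocable per app, but it carries no scope: it is full account access."""
        if not self.check_password(username, password):
            raise PermissionError("bad password")
        app_pw = secrets.token_urlsafe(16)
        self.app_passwords[(username, app)] = _digest(app_pw)
        return app_pw

    def check_app_password(self, username: str, app_pw: str):
        """Returns the app the password was issued to, or None.
        The user's main password is never accepted here."""
        d = _digest(app_pw)
        for (user, app), stored in self.app_passwords.items():
            if user == username and hmac.compare_digest(stored, d):
                return app
        return None

    def revoke_app_password(self, username: str, app: str) -> None:
        self.app_passwords.pop((username, app), None)


def scoped_token_walkthrough() -> dict:
    """Constructed scenario: grant, downgrade/upgrade, password change, revoke."""
    srv = AuthServer()
    srv.register_user("alice", "hunter2")
    tok = srv.grant("alice", "hunter2", "photo-app", ["read:photos"])
    out = {"read": srv.authorize(tok, "read:photos"),
           "write_before_upgrade": srv.authorize(tok, "write:photos")}
    srv.set_scopes("alice", "photo-app", ["read:photos", "write:photos"])
    out["write_after_upgrade"] = srv.authorize(tok, "write:photos")
    srv.change_password("alice", "hunter2", "correct horse")
    out["read_after_pw_change"] = srv.authorize(tok, "read:photos")
    srv.revoke("alice", "photo-app")
    out["read_after_revoke"] = srv.authorize(tok, "read:photos")
    return out


def app_password_walkthrough() -> dict:
    """Constructed scenario: two app passwords, revoke one, the other survives."""
    srv = AuthServer()
    srv.register_user("alice", "hunter2")
    pw_mail = srv.issue_app_password("alice", "hunter2", "mail-client")
    pw_cal = srv.issue_app_password("alice", "hunter2", "calendar-sync")
    out = {"mail": srv.check_app_password("alice", pw_mail),
           "cal": srv.check_app_password("alice", pw_cal),
           "main_pw_rejected": srv.check_app_password("alice", "hunter2")}
    srv.revoke_app_password("alice", "mail-client")
    out["mail_after_revoke"] = srv.check_app_password("alice", pw_mail)
    out["cal_after_revoke"] = srv.check_app_password("alice", pw_cal)
    return out


if __name__ == "__main__":
    print(scoped_token_walkthrough())
    print(app_password_walkthrough())
```

The point the two walkthroughs make concrete: with the scoped token, the site can change what "photo-app" may do, or cut it off, without the app ever seeing the password or needing a new credential after the password is rotated; with app passwords, each app is still individually revocable and the main password is never exposed to it, but the site has no finer granularity than "this app is in or out".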