
AOL OpenAuth

Wednesday, June 27, 2007

directLogin Vs login in OpenAuth

Several people have asked which OpenAuth method they should use to authenticate AOL/AIM users into their web apps/sites, so I thought it would be good to clarify it here. We will also look at how we can improve our documentation so it is clearer about when to use the directLogin method versus the login method.

The directLogin method was designed mainly for trusted applications (desktop clients rather than web sites). By trusted, I mean applications in a business relationship with AOL, and of course only where it makes sense (both technically and from a user-experience standpoint) to let them collect AOL/AIM users' login credentials (screen name and password). As you all know, it is not good practice to train users to enter their credentials into just any client or web site, because that makes it very easy for black hats to phish them. So before you request access to the directLogin method, please think about what your use cases are.

The login method was designed for web sites/apps, and it gets you the same authentication token as directLogin, which can be used to invoke other AOL services. Most web sites/apps can simply use the login method (via browser redirect) to send users to the OpenAuth login page to authenticate, and get an authentication token back from OpenAuth. This way, users are always asked to enter their login credentials at the same place (URL) and on the same page (UI), which helps them detect phishing sites asking for their credentials.
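The redirect-based flow described above, as an added illustration that is not AOL's code or API: the endpoint URL, the parameter names (`devId`, `succ`, `token`), the token format and the toy provider are all assumed placeholders, and the registered-return-URL check is an added safeguard. What it shows is that with the login method the site never handles the password and credentials are only ever entered at the provider's fixed URL.

```python
# Added illustration of the redirect-based "login" flow the post recommends.
# Endpoint URL, parameter names and token format are ASSUMED placeholders,
# not AOL OpenAuth's real API; only the shape of the exchange is the point.
import hmac, hashlib, secrets
from urllib.parse import urlencode, urlparse, parse_qs

OPENAUTH_LOGIN_URL = "https://openauth.example/login"  # assumed provider login page
DEV_ID = "my-dev-id"                                   # assumed devId issued to the site
SUCC_URL = "https://site.example/auth/return"          # assumed return URL registered for DEV_ID

def build_login_redirect(dev_id, succ_url):
    """Site side: send the browser to the provider instead of showing a password form."""
    return OPENAUTH_LOGIN_URL + "?" + urlencode({"devId": dev_id, "succ": succ_url})

# --- toy provider so the exchange runs end to end (constructed, not AOL's code) ---
_PROVIDER_KEY = secrets.token_bytes(32)
_USERS = {"alice": "correct horse"}      # constructed sample account
_REGISTERED = {DEV_ID: SUCC_URL}         # devId -> permitted return URL (assumed)

def _mint_token(screen_name):
    sig = hmac.new(_PROVIDER_KEY, screen_name.encode(), hashlib.sha256).hexdigest()
    return screen_name + "." + sig

def provider_login(redirect_url, screen_name, password):
    """Provider side: the only place credentials are entered; returns the redirect back."""
    q = parse_qs(urlparse(redirect_url).query)
    dev_id, succ = q["devId"][0], q["succ"][0]
    if _REGISTERED.get(dev_id) != succ:  # token only goes to the URL registered for devId
        return None
    if not hmac.compare_digest(_USERS.get(screen_name, ""), password):
        return None
    return succ + "?" + urlencode({"token": _mint_token(screen_name)})

def provider_validate_token(token):
    """Provider-side check the site calls with the token it received; no password involved."""
    name, _, sig = token.rpartition(".")
    expected = hmac.new(_PROVIDER_KEY, name.encode(), hashlib.sha256).hexdigest()
    return name if hmac.compare_digest(expected, sig) else None

def handle_return(return_url):
    """Site side: pull the token off the return URL and validate it with the provider."""
    token = parse_qs(urlparse(return_url).query).get("token", [None])[0]
    return provider_validate_token(token) if token else None

def run_flow(screen_name, password):
    """Whole exchange: site redirect -> provider login -> redirect back -> token check."""
    back = provider_login(build_login_redirect(DEV_ID, SUCC_URL), screen_name, password)
    return handle_return(back) if back else None
```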

So before you send us a request for access to directLogin, please think about your use cases and whether it makes sense to ask users to enter their AOL/AIM credentials on your site. If you think it is the right way to go, please include your analysis and use cases in your request email so we can quickly understand what you are trying to do and take the necessary steps to provision your devId accordingly.

- Praveen


Posted by openauth at 3:14:00 PM EDT