

Ask HN: problem is, web apps can't act as clients? - Tichy

What is the best way to deal with the problem that due to (sensible) security constraints, web apps can't act as clients to other web apps (unless I am missing something)? The only way to access another web app through a web app is to go through the server, which means the user has to give web app A his account+password for web app B.<p>With Twitter tools we see one possible solution: all twitter tools I have seen (like twitpic or twitterfeed) just ask you for your twitter password. People seem to happily use it, but I would guess it is only because they don't think their Twitter account is very valuable. Try doing the same for ebay, though?<p>I guess at least web apps should provide a way for users to generate "secondary access" to their accounts (like on FLickr you can share certain photosets, but not others). But few do, so it is not a universal solution.<p>Or maybe people just have to learn to trust?
======
petercooper
You're looking for OAuth :) <http://oauth.net/> \- OAuth provides you with
"valet keys" (the non technical term!) so that third party apps can go into
other apps for you to do just what is necessary.

Twitter is looking to implement OAuth (supposedly they already have in some
regard, but it's not in public use).

~~~
apgwoz
I'm not sure why Twitter doesn't start with creating a seperate API password
like FriendFeed does. This would allow all the existing services to continue
operating (user just has to change their password on the services to the API
password) and would allow the user to generate a new API password when they
wanted those services to stop.

OAuth is definitely a good thing to get to, but they aren't going to be able
to turn off the access they are giving right now overnight when their OAuth
implementation is done.

------
mattmaroon
There have been services like that for eBay. I used to use one that did auto
listings for me. I think Auctomatic used to do something of the sort too.

~~~
Tichy
So how did those services solve the problem - ask for the ebay password?

~~~
mattmaroon
Yep. A lot of people will put their password in anywhere without hesitation.
Everyone gives Facebook their gmail passwords and such.

There are certainly some people (like most of the ones here) who know why you
shouldn't do that sort of thing, and getting them to use your web app might be
tricky. But your average Joe doesn't have the slightest clue. He thinks as
long as he runs Norton Antivirus he's safe. So it largely depends on your
audience.

