
I see a couple of responses saying users don't care about this and they'd never read a dialog box.

Honestly, if that's the case, what's the point of OAuth then? Why don't we just go back to handing over usernames & passwords and trusting some 3rd party to not do anything nasty? With everyone constantly complaining about Facebook privacy concerns and hijacked Twitter accounts, how can anyone pretend that conditioning people to allow the maximum set of permissions to a complete stranger is a good thing?




OAuth has some advantages over storing passwords; firstly, you're not giving your password away. Password reuse is very common: if you give one site your Facebook password, they probably have your email password.

It's also easier to revoke access to just one app; previously you had to change your password and then update all the other apps.


I admit there was some slight hyperbole there. Let's say it's one better than giving out your password because it cuts down on the password reuse issue and you can revoke.

If that's all that OAuth will ever get us, then it's a failure: either because the goals of the spec were infeasible or because developers weren't able to use it to its fullest (I lean toward the latter).

OAuth is not about solving password reuse. It's about granting other clients rights to specific resources on your behalf. It's about telling a 3rd party app they can tweet once, and not read my direct messages; they can read my Gmail contacts, but not send; and so on...

I for one believe in the need for this. But the original poster is right: as long as developers request blanket permissions, I'm not going to use their apps. I may be in a small category, but I'll ask again: is this the kind of behavior we want to condition into users?
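The point made above is that a scope is a grant for a specific operation, not a blanket pass, and that the resource server has to enforce it on every call. The sketch below is an added example, not code from this thread or from any of the providers mentioned; the scope names (`tweet:write`, `dm:read`, `contacts:read`, `mail:send`), the token shape and the operation-to-scope table are assumptions chosen to model the "can tweet, but cannot read my direct messages" case. It also shows the check a user (or an app-store reviewer) would want at consent time: which of the requested scopes go beyond what the app's features actually need.

```python
"""Scope enforcement for an OAuth-protected API (illustrative, constructed)."""
from dataclasses import dataclass
from typing import Optional, Set, FrozenSet
import time


@dataclass(frozen=True)
class AccessToken:
    """Minimal model of a bearer token after the authorization server issued it."""
    client_id: str
    scopes: FrozenSet[str]   # scopes the user actually consented to
    expires_at: float        # unix timestamp


# Which scope each protected operation requires. Names are assumptions
# made up for this example; a real provider defines its own scope strings.
REQUIRED_SCOPE = {
    "post_tweet": "tweet:write",
    "read_direct_messages": "dm:read",
    "list_contacts": "contacts:read",
    "send_mail": "mail:send",
}


class ScopeError(PermissionError):
    """Raised when a token does not carry the scope an operation needs."""


def authorize(token: AccessToken, operation: str, now: Optional[float] = None) -> bool:
    """Resource-server check: return True or raise ScopeError.

    Every request is checked against the token's own scope set; the check
    never consults the client's identity alone, so a client that was only
    granted tweet:write cannot read direct messages no matter who it is.
    """
    now = time.time() if now is None else now
    if now >= token.expires_at:
        raise ScopeError("token expired")
    needed = REQUIRED_SCOPE.get(operation)
    if needed is None:
        # Unknown operations are denied rather than allowed by default.
        raise ScopeError(f"unknown operation {operation!r}")
    if needed not in token.scopes:
        raise ScopeError(
            f"client {token.client_id} lacks scope {needed!r} for {operation}"
        )
    return True


def is_allowed(token: AccessToken, operation: str, now: Optional[float] = None) -> bool:
    """Boolean wrapper around authorize() for callers that prefer not to catch."""
    try:
        return authorize(token, operation, now)
    except ScopeError:
        return False


def allowed_operations(token: AccessToken, now: Optional[float] = None) -> Set[str]:
    """Everything this token can do: the operational meaning of its scopes."""
    return {op for op in REQUIRED_SCOPE if is_allowed(token, op, now)}


def excess_scopes(requested: Set[str], needed_operations: Set[str]) -> Set[str]:
    """Consent-time check: scopes an app asks for that none of its features need.

    A non-empty result is the 'blanket permissions' smell the discussion
    objects to; a user, a reviewer, or the provider can flag it before consent.
    """
    needed_scopes = {REQUIRED_SCOPE[op] for op in needed_operations if op in REQUIRED_SCOPE}
    return set(requested) - needed_scopes


if __name__ == "__main__":
    # Constructed tokens: one narrow grant, one blanket grant.
    narrow = AccessToken("tweet-scheduler", frozenset({"tweet:write"}), expires_at=2.0e9)
    blanket = AccessToken("tweet-scheduler", frozenset(REQUIRED_SCOPE.values()), expires_at=2.0e9)
    print("narrow token can:", sorted(allowed_operations(narrow, now=1.0e9)))
    print("blanket token can:", sorted(allowed_operations(blanket, now=1.0e9)))
    # The scheduler only ever posts tweets, so everything else is excess.
    print("excess scopes requested:", sorted(excess_scopes(set(blanket.scopes), {"post_tweet"})))
```

The two places where the check matters are separated on purpose: `authorize` runs on the resource server for every call and is what makes a scope mean something, while `excess_scopes` runs at consent time and is the signal the commenter wants users to act on rather than click through.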



