Gnome-Gmail should use OAuth instead of asking for password
Bug #991679 reported by Jorge E. Gómez
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
GNOME Gmail | Fix Released | Undecided | Unassigned |
Bug Description
Modern desktop apps that interact with web-based ones should not ask directly for user/password, and instead should use OAuth authentication, directing the user to the Gmail page where authorization can be granted to the app.
I disagree. OAuth has benefits when used between websites: Streamlined account creation at OAuth subscriber sites, reduced amount of trust a user has to extend to subscriber sites, fewer passwords to memorize, one place to change those passwords (though once changed, users probably have to re-authenticate subscriber sites). I could see a benefit in having the desktop be an OAuth provider - you'd never have to send your password across the wire again, as long as you only used OAuth subscriber services, and each OAuth provider (your own machine) would have a limited number of subscribers it would have to trust at all (the services you use). Unfortunately, the DNS domain requirements for doing so are probably beyond what most users would be able to/want to do. If a distribution wanted to set up a DNS domain and appropriate home router firewall workarounds (reverse proxy, or some such) that would allow users of that distribution to easily set up their own OAuth provider for their own accounts, that might work...
Using a desktop as an OAuth subscriber does not seem to provide any of the benefits OAuth is designed to provide when used between websites. You kind of have to trust the software running on your own desktop, since it has access to your keystrokes, mouse movements, and even any encrypted data (if you ever decrypt it to use it), so you're not really reducing the trust required to be extended to the OAuth subscriber. Streamlined account creation, well, the desktop is the only OAuth subscriber being considered, so that's a moot point; you need an OAuth provider to do that for other sites anyway. The number of trust relationships between OAuth providers and OAuth subscribers instantly becomes unmanageably large, as each desktop becomes a subscriber. Google for one doesn't appear willing to take on that management nightmare, as it warns that the OAuth logins performed by GNOME 3 on Fedora 16 "claim to be from GNOME", but that Google can't verify that fact because it's running on your desktop...