Add an OAuth API for Passwords & Profile Data
How about providing an API to all the data you've got on me? Especially the passwords and profile data that I've manually entered? It would also be nice to access the account activity as well. I know OAuth can solve the authentication problems you might have.
6 people like this idea
The company has this under consideration.
-
And by "authentication", I know you mean "authorization". ;)
But yeah, I'd support something along these lines.
I’m eager
-
I don't really, but I also try to stay out of the business of telling people that they're using the wrong words, I always get in trouble that way. But since you bring it up, OAuth's usage of the terms is inconsistent with usage in academic circles. See here: http://www.duke.edu/~rob/kerberos/aut...
More traditionally, authentication is just the vetting of an identity, where authorization is the stating of rights afforded to the identity. A common implementation is Kerberos for authentication and LDAP for authorization.
BTW, I'd love more nuanced rights (read vs write) over different resources (activity vs passwords) so that authorization could occur.
I’m anxious for progress
-
Yeah, the distinction is an important one, but we make it intentionally, to separate OAuth from OpenID, among other solutions, for example.
As well, as long as you have the proper tokens or keys, you can access an account, but those tokens or keys can be restricted, so while there's a hint of "who you are" necessary to apply permissions, OAuth is really more (in my thinking of its benefits) about "what you can do".
-
Getting back on topic, I think it's a great idea. I'm no big fan of being a walled garden of information, and opening up your data would allow other developers to write software for platforms we don't currently support (hello iPhone!).
But here's the rub: OAuth is a technology that is meant to circumvent the anti-pattern of software (whether it's a desktop app or a web app) asking for web site passwords. Yet on myVidoop, we unashamedly encourage you to store your passwords on our website. In a perfect world, you wouldn't have to have too many passwords to remember so you wouldn't need a password manager to help you out (we want this world as bad as you do). In our current sort-of broken world, we have to weigh the pros and cons of sharing passwords with a website (or any software for that matter). I share my passwords with myVidoop because I'm better off overall: I can have a distinct, secure password for every website I go to. I'd share my passwords with a backup service because I want to have redundancy. I'd share my passwords with an iPhone application because I want a good way to sign into websites from my iPhone.
But where's the line? Where should we break the anti-pattern and where should we respect it? What are some steps myVidoop can take to guard me against phishing attacks? Whose fault is it if my passwords are stolen from a backup service using myVidoop's API: myVidoop, the backup service, or me?
I'll stop myself here since this is quickly turning into an essay, but I hope I've conveyed our dilemma. I'm very excited to see a thread on this topic, as I bet you brilliant folks have something helpful to contribute.
I’m in deep thought
2 people think this is one of the best points
-
^ All of the above refers to sharing passwords through an open API. Sharing profile information is a little less scary :)
-
I think that the big thing here is around making sure that people 1) have access to their data when they need it and 2) deciding whether we trust people with their own data or not. Google tends to; Facebook does not. You have to toe a very fine line when you start telling people that you know better than they do. They just might call you on it.
-
I understand that business logic, technical coolness & security concerns aren't always aligned. But it looks like 1Password is going to start doing this very thing, even hinting at a JavaScript client like yours. Their service is in closed beta at https://my.1password.com/ BTW, that's not peer pressure. I just hope that by examining them, you can make a secure business out of cool tech.
-
I love 1Password, so I'm certainly aware of what they're doing (and inspired by it).
-
One of my main interests is having an hcard importer for profiles. I know you guys can't adopt every trendy tech. But I can't do it without an API. Baby Steps?
I’m patient
-
+1 to baby steps -- especially around profile data, now that we'll have a standard API for this kind of stuff: http://portablecontacts.net!