At SetJam we use OAuth to link to your Netflix account. To simplify this process for the user, our head of UI suggested we just frame the whole OAuth experience and present it as a light box that swaps out the various elements as someone authenticates. For those of you who understand what the above means, you can probably imagine this caused a bit of discussion in the office. For those of you who think the above is a bunch of gobbledygook, let me explain, since this post is for you.
OAuth is a specification that allows a site like SetJam to manage resources for you on another site (in this case, Netflix). In order for us to be able to do this, Netflix needs to know that you trust SetJam. The cool thing about OAuth is that it allows you to tell Netflix that you trust SetJam WITHOUT having to give us your Netflix username and password.
This is good for you because if you decide you don’t want to use SetJam to manage your Netflix queue anymore (as preposterous as that sounds!), you can just tell Netflix and we have no personal information about you. This is good for SetJam too because we have no personal information (and thus nothing that can get stolen).
In order to establish this trusted relationship, you need to tell Netflix that you trust SetJam, and here’s where the issue begins. One way to do this is for SetJam to pop open a brand new browser window and take you to Netflix where you can enter your username and password. Once you do, Netflix will confirm that the relationship has been established and direct you back to SetJam.
The above SOUNDS simple but it really doesn’t FEEL simple. No matter how we implement this, your browser settings will mess it up. The new window will pop up in a new tab for some, for others the new window will get lost, and when (if) you return, many of you will have your Setjam window automatically resized to an unusable dimension. We can do things to minimize this, but you’ll feel a little disoriented. I might even say deceived.
To prevent this, we can technically contain this entire experience in a simple dialog that hovers over your SetJam (which is where you started and really want to be). The dialog pops up, you agree, it goes away. No harm done right?
Well, technically there is a problem. How do you KNOW that the little dialog that popped up was really from Netflix and not an evil attempt by SetJam to STEAL your Netflix credentials? The answer is you don’t. The reason the OAuth community prefers that we open up a new window is that if you look at the URL in the window (the place you type in a site’s name), you would see that it says www.netflix.com* and know that you are giving your credentials to Netflix.
Or would you? I would! Other technologists would! But would you? Would you even notice? If you noticed would you care? The answer for the VAST majority of the world is of course, no. In fact to an average person, getting taken to an ENTIRELY other site with some weird little dialog floating in a big page is EXTREMELY suspicious. The real site you are trusting to do the right thing is SetJam (not weird pop-up window site).
The real problem is with OAuth itself. The OAuth community made a compromise—lighter security for lighter implementation. This was a VERY good decision, as it allows small companies like SetJam to do amazing things. The problem is when technologists, in an ill-fated attempt to promote OAuth as a truly secure technology, make it unusable.
I’m sympathetic with the community’s position. They don’t want people to get used to framed implementations from trusted sites like SetJam, because then it will feel natural when a malicious site does the same thing for the wrong reasons. The community, however, is deluding itself if it thinks that having an exposed URL is going to do anything to prevent this.
My belief is that OAuth consumers have a choice: Create a confusing, suspicious feeling, and entirely phishable OAuth implementation OR create a simple, seamless, and entirely phishable OAuth implementation. For the sake of the emerging seamless web toward which everyone in the OAuth community is working, I think the choice is clear.