Just so you know, there's frame-busting code in the login page to prevent that sort of thing anyway.

As web developers we have a shared responsibility to help our users stay safe on the internet. This is becoming ever more important as people move more of their lives online.

It's an almost sisyphean task. If you want to avoid online fraud, you need to understand an enormous stack of technologies: browsers, web pages, links, URLs, DNS, SSL, certificates… I know user education is never the right answer, but in the case of the Web I honestly can't see any other route.

The last thing we need is developers making the problem worse by encouraging unsafe behaviour. That was the whole POINT of OAuth – the password anti-pattern was showing up everywhere, and was causing very real problems. OAuth provides an alternative, but we still have a long way to go convincing users not to hand their password over to any site that asks for it. Still, it's a small victory in a much bigger war.

If developers start showing OAuth in an iframe, that victory was for nothing – we may as well not have bothered. OAuth isn't just a protocol, it's an ambitious attempt to help users understand the importance of protecting their credentials, and the fact that different sites should be granted different permissions with regards to accessing their stuff. This is a difficult but critical lesson for users to learn. The only real hope is if OAuth, implemented correctly, spreads far enough around the Web that people start to understand it and get a feel for how it is meant to work.

By implementing OAuth in an iframe you are completely undermining this effort – and in doing so you're contributing to a tragedy of the commons where selfish behaviour on the behalf of a few causes problems for everyone else. Even worse, if the usability DOES prove to be better (which wouldn't be surprising) you'll be actively encouraging people to implement OAuth in an insecure way – your competitors will hardly want to keep doing things the secure way if you are getting higher conversion rates than they are.

So once again, please don't do this.

More and more browsers are adding security indications to the URL bar, and teaching user to pay attention to it is already a good idea.

Easy isn't always good, and as Parsingphase points out; this iframe float will only teach users to trust "check if your computer is infected" adds.

This is not a weakness of Oauth; it goes deeper, into the structure of the web and the browser. But you're not going to make it better this way.

Seriously, teach a man to get phished and you'll **** him up for life.