
> I think jrockway is saying that because with OAuth you shouldn't normally have a user's password at all, if a user's password leaks from a given app then the app author won't have an excuse and thus would be banned from the app.

While I understand what he's saying, I don't think the risk assessment makes any sense. When is the last time you heard of a native application leaking passwords in a way that made them accessible to someone who didn't already have access to your desktop or mobile phone?

> On the other hand, I know nothing of Xauth. It too may allow you not to save passwords.

With xAuth, you exchange the user's username and password for a revocable authentication token. The application can then use that token for future requests, discarding the provided username/password.
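The exchange described above, as an added example that is not part of the original comment: a minimal OAuth 1.0a client that POSTs the credentials once and keeps only the returned token pair. The endpoint and the x_auth_* parameter names follow Twitter's xAuth documentation; the transport is injected and fake_twitter is a constructed stand-in for the server, so nothing leaves the machine.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlencode

# Twitter's xAuth endpoint; nothing is sent to it here, the transport is injected.
ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"

def _pct(s):
    # OAuth 1.0a percent-encoding: only unreserved characters stay literal.
    return quote(str(s), safe="~")

def oauth_signature(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the OAuth 1.0a signature base string (xAuth has no token secret yet)."""
    normalized = "&".join(f"{_pct(k)}={_pct(v)}" for k, v in sorted(params.items()))
    base = "&".join([method.upper(), _pct(url), _pct(normalized)])
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def xauth_exchange(username, password, consumer_key, consumer_secret, post):
    """Send the credentials once and keep only the returned token pair.

    `post(url, body) -> response_text` is the injected transport; the caller
    gets back the revocable token, never the password."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_version": "1.0",
        "x_auth_mode": "client_auth",  # xAuth: credentials in the body instead of a browser redirect
        "x_auth_username": username,
        "x_auth_password": password,
    }
    params["oauth_signature"] = oauth_signature("POST", ACCESS_TOKEN_URL, params, consumer_secret)
    response = dict(parse_qsl(post(ACCESS_TOKEN_URL, urlencode(params)), keep_blank_values=True))
    if "oauth_token" not in response or "oauth_token_secret" not in response:
        raise ValueError("xAuth exchange failed: %r" % response)
    # Only the revocable token pair survives; the password lived for one request.
    return {k: response[k] for k in ("oauth_token", "oauth_token_secret")}

def fake_twitter(url, body, consumer_secret="consumer-secret"):
    """Constructed stand-in for the server: verifies the signature, then hands back a token."""
    sent = dict(parse_qsl(body, keep_blank_values=True))
    claimed = sent.pop("oauth_signature")
    if not hmac.compare_digest(claimed, oauth_signature("POST", url, sent, consumer_secret)):
        raise ValueError("bad OAuth signature")
    if sent.get("x_auth_mode") != "client_auth" or sent.get("x_auth_password") != "hunter2":
        return "error=invalid+credentials"  # constructed failure response
    return "oauth_token=tok123&oauth_token_secret=sec456&user_id=42&screen_name=alice"

if __name__ == "__main__":
    print(xauth_exchange("alice", "hunter2", "consumer-key", "consumer-secret", fake_twitter))
```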


