Simon Willison’s Weblog

OpenID: Now more powerful and easier to use! The OpenID+OAuth hybrid protocol (where a user can sign in with OpenID and grant an application access to their OAuth protected resources such as a contact list at the same time) is now supported by Google, Yahoo! and MySpace—this feels like OpenID finally coming of age.

# 25th September 2009, 9:08 pm / google, hybrid, identity, myspace, oauth, openid, yahoo

Google wants your Hotmail, Yahoo and AOL contacts. And they’re using the password anti-pattern to get them! Despite both Yahoo! and Hotmail (and Google themselves; not sure about AOL) offering a safe, OAuth-style API for retrieving contacts without asking for a password. This HAS to be a communications failure somewhere within Google. Big internet companies stand to lose the most from widespread abuse of the anti-pattern, because they’re the ones most likely to be targetted by phishers. Shameful.

# 15th September 2008, 10:39 am / aol, ffs, google, hotmail, oauth, passwordantipattern, phishing, security, shameful, yahoo

The password anti-pattern. What I don’t understand is why Google / Yahoo! / other webmail providers haven’t just deployed a simple OAuth-style API for accessing the address book. Sites have been scraping them for years anyway; surely it’s better to offer an official API than continue to see users hand out their passwords?

# 12th October 2007, 9:25 am / gmail, google, jeremy-keith, oauth, passwords, phishing, yahoo