  • I'm logged in to a.com
  • now I'm on b.com
  • b.com accesses my localStorage and sees that I'm logged in to a.com
  • and asks me if I want to download my pictures from a.com

1- What if I don't want b.com to know that I have all those accounts in my local storage?

2- If a.com specifies the sites that can see the token, how the hell is a.com supposed to know what sites their users will go to?

3- What prevents b.com from authorizing itself without asking me (it already has access to whatever token is stored by a.com)? If my token is only a weak one, what's the use of it except letting b.com know that I'm logged into a.com? If no authorization can occur with this token, how can XAuth be compared to OAuth? Because with OAuth I have to go back to a.com and specify that I want b.com to access my photos and post to my wall, but that it cannot send me emails. Where and when does this interaction occur with XAuth?

4- Do you think that OAuth and XAuth are crappy interim solutions that will be replaced by something totally new, or do you think o/xauth 10.0 will be THE solution for the connected web?

5- What would be your suggestion to a.com to give access to b.com: invest time and do o/xauth, or just write a function that produces two tokens and be done with it?

Thanks.

PS: I'd really appreciate answers from people who have implemented one or both of these solutions.