
ubuntu-phone team mailing list archive

Re: Code for Google Online account?

 

On 08/20/2014 12:09 AM, Michał Sawicz wrote:
> On 19.08.2014 at 16:32, Daniel Holm wrote:
>> Since I don't really know what that means anyways I'm inclined to ask
>> what the issue with http(s) auth would be; that we would have to store
>> username and password instead of a key?
> 
> Yes, and not having control over what has access to (what) in your
> account. Basically until you change your password, the account service
> has full access to your ownCloud.

In the Ubuntu Touch case, this is not 100% correct: while it's true that you
cannot control what an application will do once it gets the ownCloud
username and password, we *do* control what applications have access to
the ownCloud account.
When the account is first created, no application can use it. Once an
application requests to use the ownCloud account, the user will be
presented with a visual choice (authorize the app for this account,
authorize the app for a new ownCloud account, or deny). Until the access
is authorized, the application will not be able to retrieve the ownCloud
password.

(OAuth is generally better because it has the concept of "permission
scopes", but OTOH not all services using OAuth make use of that feature)

Ciao,
  Alberto


