Not to "derail" the open-id idea I think we
should support oAuth 100%
and it certainly would help with persistent applications and scalability...
But ...for the most part you can build these types of applications in
pure javascript. Anytime you need to run an api action that requires
you to be on the target domain you call a bit of code to iframe proxy
that action on the target domain and communicate its results to the
client domain with another iframe back to the client.
That is fine for applications that require user interaction, but one
of the major benefits of OAuth is that an application can do an action
on behalf of a user without their direct interaction; they don't even
need to be logged in. Also, OAuth is a standard that is becoming
fairly widely used. We shouldn't force third parties to use our custom
made solution.
That said, the javascript solution could be useful for lightweight
applications that don't need to do actions on a user's behalf without
direct interaction.
Respectfully,
Ryan Lane