Good points. I have long thought OAuth was slightly nuts on principle alone. Training users to trust the untrusted software to redirect them safely is in itself a bad idea. Worse, some solutions remove the chrome and, hence, address bar on the target site, so users can't even readily see that they are on the proper site before entering their credentials. This just encourages bad user habits and recklessness with credentials.

The generated key, copy and paste solution is one we used to integrate our site with our FB app before FB offered its OAuth-style authentication. This allowed them to pull data from our account with us for viewing on the FB side. Worked well, was simple, and much less hackable.