I am not a security expert and I am just starting to get into OAuth and the different ways social sites can be cross-authenticated with social applications. I have played with Facebook and Twitter using OAuth, which works great for my blog and other sites.
xAuth is interesting because it is basically the same thing as OAuth but skips the request_token and authorize steps: the application collects the user's username and password itself and exchanges them directly for an access token.
The problem, from what I know, is that the “request_token and authorize” steps seem pretty important. This is where the user, on the provider's own site, accepts the application requesting access; the application never sees the user's password.
Why is this cool? Well, imagine an on-premises application (one that is behind the firewall) that wants to integrate with Twitter, LinkedIn or Facebook. The normal OAuth callback simply won’t work, since none of those services can call back into a site behind the firewall. xAuth would solve this.
Now, if an application is well known and the key is truly kept secret, then I guess xAuth could be used. In a world of “leaks” and a lack of employee trust, I simply cannot see xAuth being a viable way to achieve authentication.
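To make the difference concrete, here is an added example (my own illustration, not code from Twitter or any OAuth library) that builds the OAuth 1.0a signed request for the three-legged request_token step beside the xAuth access_token step. The x_auth_mode, x_auth_username and x_auth_password parameters are the ones Twitter's xAuth used; the consumer key, secret and endpoint URLs are placeholders.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Placeholder credentials and endpoints (constructed for this example).
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"
PROVIDER = "https://provider.example/oauth"


def pct(s: str) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0 requires (~ is unreserved)."""
    return urllib.parse.quote(s, safe="-._~")


def sign(method: str, url: str, params: dict, token_secret: str = "") -> dict:
    """Add oauth_signature (HMAC-SHA1 over the OAuth 1.0 base string).
    Neither request below has a token yet, so the key is consumer_secret&."""
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    base = "&".join([method.upper(), pct(url), pct(norm)])
    key = f"{pct(CONSUMER_SECRET)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return {**params, "oauth_signature": base64.b64encode(digest).decode()}


def oauth_params(nonce: str, timestamp: str) -> dict:
    return {"oauth_consumer_key": CONSUMER_KEY, "oauth_nonce": nonce,
            "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": timestamp,
            "oauth_version": "1.0"}


def request_token_request(callback: str, nonce: str, timestamp: str) -> dict:
    """Three-legged step 1: only the app identifies itself; the user later
    logs in on the provider's authorize page, so no password is present."""
    params = {**oauth_params(nonce, timestamp), "oauth_callback": callback}
    return sign("POST", f"{PROVIDER}/request_token", params)


def xauth_request(username: str, password: str, nonce: str, timestamp: str) -> dict:
    """xAuth: request_token and authorize are skipped; the app puts the
    user's password in the signed body and trades it for an access token."""
    params = {**oauth_params(nonce, timestamp), "x_auth_mode": "client_auth",
              "x_auth_username": username, "x_auth_password": password}
    return sign("POST", f"{PROVIDER}/access_token", params)


def carries_user_password(request: dict) -> bool:
    """True when the signed request body itself contains the user's password."""
    return "x_auth_password" in request
```

The only thing standing between a leaked consumer secret and a forged xAuth call is that secret itself, which is exactly why the post's concern about leaks matters.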