There were some good discussions at IIW this week about direct login methods for clients in general, and also about whether OpenID should support such methods.
Setting aside phishing, untrusted-client issues and, in general, the good principles we follow in the identity world, here are the reasons why I think we need to provide 'direct' login methods (with redirects and UI):
- not all clients have access to a browser/browser control objects
- user experience is considered broken when a client app opens an external browser window
- even though some clients could embed browser control objects within themselves, not all can do that (Flash apps, mobile apps, ...)