On Mon, Feb 2, 2009 at 9:20 AM, Hans Granqvist <[email protected]> wrote:
> > The reasoning behind this is that while "scope" is a common approach,
> > it's not the only approach. For example, I may want to simply limit
> > access to "read-only/write-only/read-write", or maybe (e.g., for
> > academic article databases) "link/abstract/full article", or any
> > number of other possibilities and intersections. There's no way that
> > OAuth could or should describe these possibilities.
>
> But... could not all operations be reduced to a set of HTTP operations
> on URLs? As HTTP verbs against a representation?
>
> It seems anything that you want to manipulate should be able to be
> represented itself as a resource. Although I have mellowed a bit, one of
> my pet peeves around OAuth is that the protocol doesn't follow this web
> philosophy.

I'm curious what you think about Ian McKellar's concept of "authorized changesets":

http://ianloic.com/2009/01/05/a-different-model-for-web-services-authorization/

The time delay to approve the changes sounds less than ideal, but still worth contemplating.

> It's a trade-off I am sure, but I would have loved it if the standard had
> decoupled the token issuer from the token verifier. In that way, you would
> not need the dance of triage; the consumer simply presents a correct token
> to access a resource. "Correctness" can be ascertained solely from the
> presented token + presenter's identity. In that way the token can be issued
> by anyone at anytime.
>
> SAML and Kerberos anyone? ;)

I don't think that that's the behavior that we saw in the wild. Perhaps it's something to bring up on the OAuth list for future work?

Chris

--
Chris Messina
Citizen-Participant & Open Web Advocate-at-Large
factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is: [ ] bloggable [X] ask first [ ] private

You received this message because you are subscribed to the Google Groups "OAuth" group.
