> The reasoning behind this is that while "scope" is a common approach,
> it's not the only approach. For example, I may want to simply limit
> access to "read-only/write-only/read-write", or maybe (e.g., for
> academic article databases) "link/abstract/full article", or any
> number of other possibilities and intersections. There's no way that
> OAuth could or should describe these possibilities.
But... could not all operations be reduced to a set of HTTP operations on URLs? As HTTP verbs against a representation? It seems anything that you want to manipulate should be able to be represented itself as a resource.

Although I have mellowed a bit, one of my pet peeves around OAuth is that the protocol doesn't follow this web philosophy. It's a trade-off, I am sure, but I would have loved it if the standard had decoupled the token issuer from the token verifier. In that way, you would not need the dance of triage; the consumer simply presents a correct token to access a resource. "Correctness" can be ascertained solely from the presented token + the presenter's identity. In that way the token can be issued by anyone at any time. SAML and Kerberos, anyone? ;)

Hans
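To make the design sketched in the reply concrete, here is an added example (my own illustration, not code from the post or from any OAuth implementation) of a token whose "correctness" is checked entirely from the token plus the presenter's identity. An issuer signs a set of grants expressed as HTTP verbs against URL prefixes with an Ed25519 key; the resource server holds only the issuers' public keys and never calls back to the issuer, so any trusted key holder can mint tokens at any time. The token layout (`base64url(JSON claims).base64url(signature)`), the claim names, the issuer name "library" and the presenter identity "client-A" are all assumptions for this example; in practice the presenter identity would come from something the resource server authenticates itself, such as an mTLS client certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Grant is a capability stated as HTTP verbs allowed on a URL prefix,
// i.e. permissions as "verbs against a representation" (assumed layout).
type Grant struct {
	Verbs  []string `json:"verbs"`
	Prefix string   `json:"prefix"`
}

// Claims is the signed body. Presenter binds the token to a client identity
// that the resource server establishes on its own (e.g. an mTLS certificate).
type Claims struct {
	Issuer    string  `json:"iss"`
	Presenter string  `json:"sub"`
	Expires   int64   `json:"exp"` // Unix seconds
	Grants    []Grant `json:"grants"`
}

// Issue signs the claims with the issuer's Ed25519 private key.
// Token format (assumed): base64url(claims JSON) "." base64url(signature).
func Issue(priv ed25519.PrivateKey, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(priv, body)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(body) + "." + enc.EncodeToString(sig), nil
}

// Verifier is the resource server's side: a map of trusted issuer public
// keys and a clock. It has no channel back to any issuer.
type Verifier struct {
	Issuers map[string]ed25519.PublicKey
	Now     func() time.Time
}

// Authorize decides whether `presenter` may perform `verb` on `path`,
// using nothing but the token, the trusted keys and the clock.
// `path` must already be normalized by the caller (no "..", no "//").
func (v Verifier) Authorize(token, presenter, verb, path string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	body, err := enc.DecodeString(parts[0])
	if err != nil {
		return errors.New("malformed claims encoding")
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return errors.New("malformed signature encoding")
	}
	// The claims are untrusted until the signature verifies; they are parsed
	// first only to learn which issuer key to check against.
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return errors.New("malformed claims")
	}
	pub, ok := v.Issuers[c.Issuer]
	if !ok {
		return fmt.Errorf("untrusted issuer %q", c.Issuer)
	}
	if !ed25519.Verify(pub, body, sig) {
		return errors.New("bad signature")
	}
	if v.Now().Unix() >= c.Expires {
		return errors.New("token expired")
	}
	if c.Presenter != presenter {
		return errors.New("token not bound to this presenter")
	}
	for _, g := range c.Grants {
		if !strings.HasPrefix(path, g.Prefix) {
			continue
		}
		for _, allowed := range g.Verbs {
			if allowed == verb {
				return nil
			}
		}
	}
	return fmt.Errorf("no grant for %s %s", verb, path)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := Verifier{Issuers: map[string]ed25519.PublicKey{"library": pub}, Now: time.Now}
	// Constructed sample: read-only access to the articles collection.
	tok, _ := Issue(priv, Claims{Issuer: "library", Presenter: "client-A",
		Expires: time.Now().Add(time.Hour).Unix(),
		Grants:  []Grant{{Verbs: []string{"GET"}, Prefix: "/articles/"}}})
	for _, r := range [][3]string{
		{"client-A", "GET", "/articles/42/abstract"}, // allowed
		{"client-A", "PUT", "/articles/42"},          // wrong verb
		{"client-B", "GET", "/articles/42"},          // wrong presenter
	} {
		fmt.Printf("%s %s by %s: %v\n", r[1], r[2], r[0], v.Authorize(tok, r[0], r[1], r[2]))
	}
}
```

The verifier still needs a way to learn issuer public keys and to revoke them, and the path must be canonicalized before the prefix check, or a grant on `/articles/` can be stretched to `/articles/../admin`; neither of those requires talking to the issuer at request time, which is the property the reply argues for.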
