On Sat, Dec 4, 2010 at 11:44 AM, Steven Cummings <[email protected]>wrote:
> On Dec 4, 12:57 pm, Rasmus Lerdorf <[email protected]> wrote: > > Your 3-legged issue is very standard practice, is it not? A user will > > authorize a client app to act on her behalf. Once that authorization > > has been granted her presence is irrelevant. If she no longer wants to > > allow the app to act on her behalf she can revoke the access token. > > > > Yes, I thought this was very straightforward too. The question was > more generally, outside of the redirect scenarios described in the > spec are there any other common mechanisms for this "async" situation. > It's not just that the user doesn't always have to be there (duh), but > is it inappropriate for the user to proactively provide the grant for > the OAuth consumer to "pick up" and user later? I.e., is it > appropriate to decouple their temporal proximity at the oauth provider > altogether? > > AFAICT, that's a key use-case for OAuth. Just tell the user how long the authorization is for at the authorization stage -- a minute or a millenium is "OK". To extend the canonical example, this would let you schedule a nightly backup of your pictures from one site to another. -- ReC -- You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/oauth?hl=en.
