Below is a scenario that captures most of the key aspects that I believe OAuth specs should support. [Some might recognize it from 19 months ago on the OAuth googlegroups list]
Consider an app (the client) that adds pretty frames to photos. The app understands Atom feeds that hold collections of photos, and industry conventions for marking-up thumbnails, captions, and links to JPEGs. The app also implements the OAuth protocol. While it has some special code for a handful of popular photo sites, it has no special knowledge about the photo service that Alice uses. Alice’s photo service does provide URIs for each of Alice’s albums and photos.

0. Alice pastes a URI for her private photo album into the app.
1. The app makes a GET on the URI.
2. The album is private so a 401 is returned, but with a WWW-Authenticate header indicating OAuth support and providing authorization and access URIs.
3. The app redirects Alice to the authorization URI it just got.
4. Alice approves the app, perhaps with text from the service cautioning that it does not know much about this app.
5. The app detects when it has been authorized.
6. The app collects an access token (probably from the other URI received in step 2).
7. The app retries the original GET for the photo album, this time with delegation credentials.
8. The request succeeds - the app can read the photos and show them in pretty frames.

Various variants of the app run on a web site, desktop PCs, on mobile phones, and on other devices.

A major barrier to the interoperability between this app and Alice’s photo service with OAuth 1 was the need to pre-configure the service-specific OAuth URIs into the app. It’s fine if an app can skip a step or two with service-specific knowledge. It’s fine if a particular service only accepts pre-registered apps. The OAuth IETF spec, though, also needs to cover the above scenario of an app and service interoperating despite not previously knowing each other.

-- James Manger
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
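The discovery-driven exchange in the scenario above, simulated in-process with both the client and the photo service, as an added example that is not part of the original post and not code from any OAuth specification. Everything concrete here is an assumption constructed for illustration: the challenge parameter names `authorization_uri` and `access_uri`, the `OAuth token="..."` credential format, the one-time authorization code, the in-memory `PhotoService`, and the check that the discovered endpoints share the resource's origin (without that check, any server that can return a 401 could send Alice, and her authorization code, to an attacker's URIs).

```python
"""Steps 1-8 of the unregistered-app scenario, driven entirely by the 401 challenge."""
import re
import secrets
from urllib.parse import urlencode, urlparse

# Hypothetical auth-param names carried in the WWW-Authenticate challenge (assumption).
AUTHZ_PARAM = "authorization_uri"
ACCESS_PARAM = "access_uri"


class PhotoService:
    """A constructed photo service that knows nothing about the client in advance."""

    def __init__(self):
        self.base = "https://photos.example"
        self.albums = {f"{self.base}/alice/album/42": "<feed>Alice's private photos</feed>"}
        self.pending = {}  # one-time authorization code -> (client_id, resource uri)
        self.tokens = {}   # access token -> resource uri it is good for

    def get(self, uri, headers=None):
        """Step 1/7: resource request. Returns (status, headers, body)."""
        headers = headers or {}
        if uri not in self.albums:
            return 404, {}, ""
        m = re.match(r'OAuth\s+token="([^"]+)"', headers.get("Authorization", ""))
        if m and self.tokens.get(m.group(1)) == uri:
            return 200, {"Content-Type": "application/atom+xml"}, self.albums[uri]
        # Step 2: private album, so challenge with the service's own OAuth endpoints.
        challenge = (f'OAuth realm="{self.base}", '
                     f'{AUTHZ_PARAM}="{self.base}/oauth/authorize", '
                     f'{ACCESS_PARAM}="{self.base}/oauth/token"')
        return 401, {"WWW-Authenticate": challenge}, ""

    def authorize(self, client_id, resource, approved):
        """Step 4: Alice's decision at the authorization URI; a code is bound to client+resource."""
        if not approved:
            return None
        code = secrets.token_urlsafe(16)
        self.pending[code] = (client_id, resource)
        return code

    def token(self, client_id, code):
        """Step 6: exchange the one-time code at the access URI for an access token."""
        entry = self.pending.pop(code, None)  # pop: a replayed code is rejected
        if entry is None or entry[0] != client_id:
            return None
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = entry[1]
        return tok


def parse_challenge(value):
    """Parse 'Scheme k="v", k2="v2"' into (scheme, {k: v}); quoted values only."""
    scheme, _, rest = value.partition(" ")
    params = dict(re.findall(r'([\w-]+)="((?:[^"\\]|\\.)*)"', rest))
    return scheme, params


def fetch_album(service, album_uri, client_id="frames-app", user_approves=True):
    """Client side of steps 1-8. Returns (status, body, info) where info records discovery."""
    info = {"endpoints": {}, "redirect": None}
    status, hdrs, body = service.get(album_uri)                           # step 1
    if status != 401:
        return status, body, info
    scheme, params = parse_challenge(hdrs.get("WWW-Authenticate", ""))   # step 2
    info["endpoints"] = params
    if scheme.lower() != "oauth" or AUTHZ_PARAM not in params or ACCESS_PARAM not in params:
        return status, body, info                                        # no usable discovery
    authz_uri, access_uri = params[AUTHZ_PARAM], params[ACCESS_PARAM]
    # Caveat (assumption, not from the post): only trust endpoints on the resource's own
    # https origin, so a hostile or spoofed 401 cannot redirect Alice elsewhere.
    origin = urlparse(album_uri).netloc
    for u in (authz_uri, access_uri):
        p = urlparse(u)
        if p.scheme != "https" or p.netloc != origin:
            return 401, "", info
    info["redirect"] = authz_uri + "?" + urlencode({"client_id": client_id, "resource": album_uri})
    code = service.authorize(client_id, album_uri, user_approves)         # steps 3-5 (simulated)
    if code is None:
        return 403, "", info
    tok = service.token(client_id, code)                                  # step 6
    if tok is None:
        return 401, "", info
    creds = {"Authorization": f'OAuth token="{tok}"'}
    status, hdrs, body = service.get(album_uri, creds)                    # step 7
    return status, body, info                                             # step 8


if __name__ == "__main__":
    svc = PhotoService()
    print(fetch_album(svc, "https://photos.example/alice/album/42"))
```

The client needs no pre-configured endpoints: it learns both URIs from the challenge, which is the interoperability point the post argues for. The origin check and the single-use code are the two controls a practitioner would want before trusting endpoints learned that way.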
