On Fri, Mar 19, 2010 at 1:28 PM, Ethan Jewett <[email protected]> wrote:
> I don't think so. In the OpenSocial case, the only "OAuth Consumer"
> per se is the OpenSocial container. The gadget is not making signed
> requests and is completely trusting the container to represent it
> properly to the OAuth Provider. In other words, from an OAuth request
> flow perspective, the gadget is pretty much irrelevant.
I think the opensocial use cases are interesting for two reasons.
1) They use signed identity claims.
MS has done this with SWT.
Lots of people have done this with OpenID and SAML.
UMA is using signed tokens with identity claims.
2) They have trusted containers that do OAuth on behalf of applications.
This is a powerful security tool - the gadgets get short-lived
access to data, the containers hold the long-lived secrets. WRAP also
lets you do this.
Cheers,
Brian
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
