Hello all, I have a question about a possible use case of OAuth.
The standard use case, which is outlined thoroughly in the spec, is a
client asking a resource owner for access to their information from the
resource server. But what about the case where a client/resource owner
wants to share a particular resource with another, and potentially
unregistered, user?
An example illustrating what I mean:
An application allows users to upload various templates of documents.
And, by using an API, a user can send various types of media (e.g.,
tweets, FB pictures) to be inserted into said templates, thus creating
new documents on the fly.
Now, imagine a user in this application has various customers they wish
to give access to a certain template. To achieve this, the user creates
a token for each customer -- which could be locked down to a certain
template, IP, domain, number of uses, etc. -- and delivers each token to
the corresponding customer.
Has anything like this been mentioned before? And if so, what was the
suggested "dance"?
From what I know, I'd imagine using bearer tokens and locking them to
some of the conditions listed above would be best, but I'd like a more
professional opinion.
Thanks,
-David Fox
PS, after re-reading the spec, I found a typo:
Section 2.1: http://tools.ietf.org/html/draft-ietf-oauth-v2-25#section-2.1
The authorization server MAY provider tools to manage such complex
clients through a single administration interface.
I believe this should be:
The authorization server MAY provide tools to manage such complex
clients through a single administration interface.
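As an added illustration of the constrained-bearer-token idea raised in the message (not code from the poster or from any OAuth draft), the sketch below mints an opaque token bound to one template, a set of source IPs, a use count and a lifetime, stores only its hash server-side, and enforces those limits on every redemption. All names and the constraint set are assumptions for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Issued share grants, keyed by SHA-256 of the bearer secret so that a leaked
# store does not directly yield usable tokens (constructed in-memory store).
_TOKENS: dict = {}

@dataclass
class ShareGrant:
    template_id: str          # the one resource this token may touch
    allowed_ips: frozenset    # empty set means no source-IP restriction
    max_uses: int
    expires_at: float         # epoch seconds
    uses: int = 0
    revoked: bool = False

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def issue_share_token(template_id, allowed_ips, max_uses, ttl_seconds, now=None):
    """Mint an opaque random bearer token; only its hash is retained."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _TOKENS[_digest(token)] = ShareGrant(template_id, frozenset(allowed_ips),
                                        max_uses, now + ttl_seconds)
    return token

def redeem(token, template_id, client_ip, now=None):
    """Check a presented token against its constraints and consume one use.
    Returns (True, 'ok') on success, otherwise (False, reason)."""
    now = time.time() if now is None else now
    grant = _TOKENS.get(_digest(token))
    if grant is None or grant.revoked:
        return False, "unknown or revoked token"
    if now >= grant.expires_at:
        return False, "expired"
    if grant.template_id != template_id:
        return False, "wrong template"
    if grant.allowed_ips and client_ip not in grant.allowed_ips:
        return False, "source address not permitted"
    if grant.uses >= grant.max_uses:
        return False, "use limit reached"
    grant.uses += 1
    return True, "ok"

def revoke(token):
    """Let the issuing user withdraw a customer's token before it expires."""
    grant = _TOKENS.get(_digest(token))
    if grant is not None:
        grant.revoked = True
```

Because a bearer token is usable by whoever holds it, the short lifetime, use cap and revocation path are what limit the damage if a customer leaks one.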
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth