Hi Eve,

Thanks for pointers.. I've been following the work done in UMA.. Sure.. will join the webinar...

BTW .. I am not quite sure UMA addresses my use case. Even in the case of UMA it's client initiated or requestor initiated... Please correct me if I am wrong... but in the OAuth specification there are no restrictions to identify the 'client' as a person, organization or as himself..

In my view - this is an extended grant type.. which has two phases..

1. Resource owner grants access to a selected Client
2. Client requests the already available access token for him from the Authorization Server. [just like passing the refresh_token]

WDYT ?

Thanks & regards,
-Prabath

On Sun, Oct 7, 2012 at 11:05 AM, Eve Maler <[email protected]> wrote:

> Hi Prabath,
>
> As far as I know, OAuth itself generally isn't used to let one human
> resource owner delegate access to a different human resource owner.
> However, UMA (which leverages OAuth) does strive to solve exactly this use
> case, among other similar ones; we call this one "person-to-person
> sharing", and you can read more about it here:
> http://docs.kantarainitiative.org/uma/draft-uma-trust.html#anchor1
>
> The UMA flow at run time still ends up being effectively
> "client-initiated" (we would say requesting-party-initiated, using a
> requester app) because the original resource owner (we call it an
> authorizing party) is no longer around by then. The authz party would set
> up policies at some point before going on vacation, and these policies would
> enable the requesting party to "qualify in" for access at run time, by
> supplying identity claims that get used in an authorization check by the
> authz server (authz manager).
>
> We'll be walking through UMA flows and demoing an extensive use case at a
> webinar on Wed, Oct 17. More info is here: http://tinyurl.com/umawg
>
> Hope this helps,
>
> Eve
>
> On 6 Oct 2012, at 10:29 AM, Prabath Siriwardena <[email protected]> wrote:
>
> > Hi folks,
> >
> > I would like to know your thoughts on the $subject..
> >
> > For me it looks like a concrete use case which OAuth conceptually does
> > address - but the protocol is not well defined..
> >
> > Please find [1] for further details...
> >
> > [1]: http://blog.facilelogin.com/2012/10/ationwhat-oauth-lacks-resource-owner.html
> >
> > --
> > Thanks & Regards,
> > Prabath
> >
> > Mobile : +94 71 809 6732
> >
> > http://blog.facilelogin.com
> > http://RampartFAQ.com
> > _______________________________________________
> > OAuth mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/oauth
>
>
> Eve Maler http://www.xmlgrrl.com/blog
> +1 425 345 6756 http://www.twitter.com/xmlgrrl
>

--
Thanks & Regards,
Prabath

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://RampartFAQ.com
