I guess I don't fully understand, as OAuth is about "enabling delegated access to protected resources" [1]. If an application has an access token then it would seem that it should use it with its request. Given the browser context and the delegated UI resource, the request for this resource is done by creating an iframe and setting the src attribute to the delegated UI URL.
I'm not a strong advocate for this, I'm just arguing a position to make sure we are not putting constraints on some resource "types" and how certain class of clients access them. Also there appears to be some spec [2] to support this in OAuth already. An implementer came to me with this as an approach as well. [1] - http://tools.ietf.org/html/rfc5849 [2] - http://tools.ietf.org/html/rfc5849#section-3.5.3 Thanks, Steve Speicher | IBM Rational Software | (919) 254-0645 Jim des Rivieres <[email protected]> wrote on 01/06/2011 04:14:11 PM: > From: Jim des Rivieres <[email protected]> > To: Steve K Speicher/Raleigh/IBM@IBMUS > Cc: [email protected], Ed Gentry/Portland/IBM@IBMUS > Date: 01/06/2011 04:14 PM > Subject: Re: [oslc-core] OAuth and delegated UIs > > Since you mention the delegated UI sections, it bears noting that passing > OAuth parameters to request URLs (whether by header, body, or embedded in > the URL) does not make sense for web page URLs meant to be displayed in a > web browser; e.g., picker URLs. OAuth 1.0 is not about authenticating a > user in a browser talking to a server, but about authorizing servers > talking between themselves. > > Regards, > Jim des Rivieres > > > > From: > Steve K Speicher <[email protected]> > To: > [email protected] > Date: > 01/06/2011 02:44 PM > Subject: > [oslc-core] OAuth and delegated UIs > Sent by: > [email protected] > > > > It would be desirable if OSLC Core spec were to recommend (SHOULD) that > service providers be prepared to handle OAuth parameters embedded in the > request URI [1] > If a provider of the delegated UIs didn't support this, it could just > ignore it. This would provide some improvements to usability where > setting up single solutions may not be available. > > I propose that we add this to the delegated UI sections (or maybe just the > > OAuth section)? > > [1] - http://tools.ietf.org/html/rfc5849#section-3.5.3 > > Thanks, > Steve Speicher | IBM Rational Software | (919) 254-0645 > > > _______________________________________________ > Oslc-Core mailing list > [email protected] > http://open-services.net/mailman/listinfo/oslc-core_open-services.net > > >
