Re: [widgets] OAuth and openID

[Jon Ferraiolo]

Hi Marcos,
I'll take a crack at this.

OpenID is a technology that authenticates your identity. The cool thing
about OpenID is that multiple web sites can share the same identity system,
which makes it so that there can be a single mar...@myopenidwhatever.com
instead of dozens of separate IDs for you (mar...@google.com,
mar...@yahoo.com, etc.). A "competitor" to OpenID is a login/password
screen served by a single web site. With W3C Widgets, you might use OpenID
if you have to establish an identity before a widget can be installed; for
example, you might have to login to the Apple AppStore (or some other
store) before you downloaded a widget from there, and maybe the store
supports OpenID. After installation, while a widget runs, the widget (or
its server) might periodically need to ask you to enter a login/password to
confirm who you are. The login/password software might use OpenID. This
might be where Dan sees a problem - OpenID requires browser redirects to do
its magic. You might need a list of allowed domains (i.e., at least 2) to
support OpenID for this sort of repeated server login.

OAuth is a technology that authorizes someone to do something. For example,
an OAuth server might authorize you to cast a vote in an election.
Regarding authorization, in the most common case of W3C Widgets, you would
most likely use something like an OMTP/BONDI policy file or some sort of
platform-specific (maybe implicit) policy to control authorization instead
of OAuth. My thinking is that you can ignore OAuth for now.

If I were on the committee, I would push to finish Widgets 1.0 as quickly
as possible, and then put OpenID and OAuth on the list for things to
consider for Widgets 1.1.

Jon





                                                                       
             Marcos Caceres                                            
             <marc...@opera.co                                         
             m>                                                         To
             Sent by:                  "public-webapps@w3.org"         
             public-webapps-re         <public-webapps@w3.org>         
             qu...@w3.org                                               cc
                                       Dan Brickley <dan...@danbri.org>
                                                                   Subject
             02/22/2009 07:11          [widgets] OAuth and openID      
             AM                                                        
                                                                       
                                                                       
             Please respond to                                         
             marc...@opera.com                                         
                                                                       
                                                                       




Hi,
I recently spoke to Dan Brickley who raised concerns wrt to using
OAuth authentication flows and support open ID. I've only had very
limited exposure to these technologies, so I am not the best to
comment about how they would work with widgets, but I'm starting this
thread so we can discuss ideas.

Dan, it would be great if you could outline the problem as you see it?

Kind regards,
Marcos

--
Marcos Caceres
http://datadriven.com.au

<<inline: graycol.gif>>

<<inline: pic14024.gif>>

<<inline: ecblank.gif>>