On 23 Feb 2009, at 05:15, Jon Ferraiolo wrote:
> OAuth is a technology that authorizes someone to do something. For
> example, an OAuth server might authorize you to cast a vote in an
> election. Regarding authorization, in the most common case of W3C
> Widgets, you would most likely use something like an OMTP/BONDI
> policy file or some sort of platform-specific (maybe implicit)
> policy to control authorization instead of OAuth. My thinking is
> that you can ignore OAuth for now.

I think you're conflating policy and protocol here -- OAuth is a way
to share an authorization token (and really not much more); it doesn't
tell you how to write your authorization policies.

> If I were on the committee, I would push to finish Widgets 1.0 as
> quickly as possible, and then put OpenID and OAuth on the list for
> things to consider for Widgets 1.1.

+1

OAuth seems most relevant to XMLHttpRequest level 2, and much less
relevant to the widget specs.