On Tue, Jul 1, 2008 at 3:33 PM, Dirk Balfanz <[EMAIL PROTECTED]> wrote:
> I disagree. The principal represented by the consumer has even less to do
> with the principal making the request than the original delegater.

Presumably the service provider has a database that records that user
U delegated access to consumer C.  In that case, knowing who the
consumer is will be sufficient to know what access rights they have.

Or maybe not. Maybe the SP will need to see the access token to figure
that out.  Both modes are reasonable, so we should support both.

> you mean getUserPrincipal().getName(), right?
>>
>> getAuthType
>
>
> this would be HttpServletRequest, right?

Probably. =)

>> getOwner, getViewer, getGadget
>> getOAuthMessage().get("oauth_consumer")
>> getOAuthMessage().get("oauth_token")
>> etc...
>>
>
> I was more leaning toward something like having a method checkAccess(String
> httpMethod, String pathFromUrl) on that principal object, but mostly I would
> suggest crossing the authorization bridge when we get there. For now, let's
> just worry about authentication.

Sounds fine.  Just so long as the Principal object has references to
all of the various bits of stuff that came out of the authentication
process (e.g. an authenticated OAuthMessage or GadgetSecurityToken),
we should be fine.
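The two lookup modes described in this reply (the service provider either knows the delegation from the consumer identity alone, or needs the access token to find it), together with a Principal that keeps the authenticated OAuth parameters around for a later checkAccess(httpMethod, pathFromUrl) decision, as an added example that is not part of this thread or of Shindig. It is written in Python rather than the servlet Java the thread refers to; OAuthMessage, Grant, ServiceProvider, record_delegation, resolve and check_access are hypothetical names chosen to mirror the discussion, and the delegation table is constructed sample data.

```python
"""Toy service-provider side of OAuth consumer/token authorization.

Hypothetical model of the two modes discussed in the thread: the SP either
knows the delegation from the consumer identity alone, or needs the access
token to find it. Names and data are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class OAuthMessage:
    """The parameters an SP keeps after verifying the request signature."""
    consumer_key: str
    token: Optional[str] = None


@dataclass(frozen=True)
class Grant:
    """Record that `user` delegated the (method, path prefix) pairs to `consumer`."""
    user: str
    consumer: str
    allowed: FrozenSet[Tuple[str, str]]


class AuthenticatedPrincipal:
    """Principal that keeps every artifact of authentication (the OAuthMessage
    and the resolved Grant) so authorization can be decided from it later."""

    def __init__(self, message: OAuthMessage, grant: Grant) -> None:
        self.message = message
        self.grant = grant

    def get_name(self) -> str:
        # The delegating user, i.e. what getUserPrincipal().getName() would return.
        return self.grant.user

    def check_access(self, http_method: str, path_from_url: str) -> bool:
        """Hypothetical checkAccess: allow only what the delegating user granted."""
        return any(http_method == method and path_from_url.startswith(prefix)
                   for method, prefix in self.grant.allowed)


class ServiceProvider:
    """Delegation store indexed both ways, so either mode can be served."""

    def __init__(self) -> None:
        self._by_consumer: Dict[str, Set[Grant]] = {}
        self._by_token: Dict[str, Grant] = {}

    def record_delegation(self, user: str, consumer: str,
                          allowed: Iterable[Tuple[str, str]],
                          token: Optional[str] = None) -> Grant:
        grant = Grant(user, consumer, frozenset(allowed))
        self._by_consumer.setdefault(consumer, set()).add(grant)
        if token is not None:
            self._by_token[token] = grant
        return grant

    def resolve(self, message: OAuthMessage) -> Optional[AuthenticatedPrincipal]:
        """Map an authenticated OAuth message to a principal, or None (deny).

        Token mode: the token selects the grant, and it must have been issued
        to the consumer presenting it.
        Consumer-only mode: works only when exactly one user delegated to this
        consumer; several delegating users make the request ambiguous, so fail
        closed rather than pick one.
        """
        if message.token is not None:
            grant = self._by_token.get(message.token)
            if grant is None or grant.consumer != message.consumer_key:
                return None
            return AuthenticatedPrincipal(message, grant)
        grants = self._by_consumer.get(message.consumer_key, set())
        if len(grants) != 1:
            return None
        return AuthenticatedPrincipal(message, next(iter(grants)))


def build_sample_provider() -> ServiceProvider:
    """Constructed sample data: two users behind one consumer, one behind another."""
    sp = ServiceProvider()
    sp.record_delegation("alice", "consumer-a", [("GET", "/people/alice")], token="tok-a1")
    sp.record_delegation("bob", "consumer-a", [("GET", "/people/bob")], token="tok-a2")
    sp.record_delegation("carol", "consumer-b",
                         [("GET", "/people/carol"), ("POST", "/activities/carol")])
    return sp


if __name__ == "__main__":
    sp = build_sample_provider()
    for msg, method, path in [
        (OAuthMessage("consumer-a"), "GET", "/people/alice"),            # ambiguous
        (OAuthMessage("consumer-a", "tok-a1"), "GET", "/people/alice"),  # alice
        (OAuthMessage("consumer-a", "tok-a1"), "GET", "/people/bob"),    # not granted
        (OAuthMessage("consumer-b"), "POST", "/activities/carol"),       # consumer-only
        (OAuthMessage("consumer-b", "tok-a1"), "GET", "/people/carol"),  # wrong consumer
    ]:
        p = sp.resolve(msg)
        verdict = p.check_access(method, path) if p else False
        print(msg, method, path, "->", p.get_name() if p else None, verdict)
```

Two checks in resolve() are the ones a practitioner would insist on: a consumer-only lookup is refused when more than one user has delegated to that consumer, since the consumer identity no longer identifies whose data is being requested, and a token is refused when it was issued to a different consumer than the one signing the request, so a token cannot be replayed across consumers.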
