Food for thought indeed.
I guess my take was that OAuth could equally well start the chain of
capability from an (at least partially standardized) http login. I
hadn't really expected it to generalize out to object-level perms... and
it was my understanding that even OpenID relies on a TTP.
Thanks for the reply.
/esc
Meadhbh Hamrick (Infinity) wrote:
but seriously. OAuth is a step in the right direction, but...
a. it depends on HTTP. we think linking application level objects
(like application object access control metadata) with a specific
transport is a bad idea.
b. as far as i can tell, it doesn't have a resource for managing
distributed access-control tokens. there seems to be an assumption
that all access control will be managed by the same administrative
party. that being said... there appears to be nothing in the spec to
PREVENT you from adding this feature, and I've pinged the OAuth peeps
from time to time about it, so who knows.
c. OAuth is for securely transporting object access control metadata,
OGP Authentication is for authenticating an end user to a service
cloud. OGP Auth is actually a little closer to OpenID than to OAuth.
But i think you're asking... why not return an OAuth compliant PDU as
a result of successful OGP Authentication. hmm... no reason it can't
be done from a protocol perspective, but we would have to get with the
OAuth people and get them to fix problems a and b above before we
would likely deploy something like that.
-cheers
-meadhbh