Much simpler indeed. This skips OAuth entirely. XMPP controls your
roster, your nodes, and who has access to these (read/write
privileges).
However, if the photos are hosted in Flickr *and* you want to restrict
this access to some groups, then you have to delegate access control
to Flickr some way. In this case, OAuth would be recommend.
Right, but I don't believe there's a mechanism for this. Really what
I'm saying is, I have a roster group and only want those JIDs to have
access, but I also don't want to give Flickr access to my roster. So
I want to use something like OAuth to allow flickr to authenticate
against my roster somehow without being able to read my roster.
This is more than just allowing Flickr to publish to some node, this
is further authenticating ON the flickr site based on my roster.
I take it from the this and the prior post that the expectation is
that pubsub nodes are hosted by the server controlling the JID that
owns the node, which makes sense.
thanks,
Adam
Best regards,
Nick
On Tue, Jul 8, 2008 at 8:24 PM, Nathan Fritz <[EMAIL PROTECTED]>
wrote:
It's simpler than that. You would "affiliate" Flickr's XMPP
bot/component/whatever as "publisher" to the node
(http://www.xmpp.org/extensions/xep-0060.html#owner-affiliations-modify
).
Of course you don't want Flickr controlling your roster! And so if
you want
Flickr to be able to control which JIDs are subscribed to this node
(you
wouldn't want to do that, would you?), then you'd have to make
flickr an
administrator of the node and use whitelist or authitication access
models.
However, I wouldn't see any need for Flickr to control who
subscribes to
this node and not, as it is your business.
On Tue, Jul 8, 2008 at 3:34 PM, Adam Pisoni <[EMAIL PROTECTED]> wrote:
This topic has been covered before loosely, but I have some
questions I
was hoping people could opine on as far as how they see the future
working
out. I'm currently working on a messaging product which relies
heavily on
XMPP and eventually PubSub. We're also looking at PEP and other
ways to
consume/expose our data in a brave new PubSub world of federated
social
networks. This has led to a lot of interesting questions.
Imagine [EMAIL PROTECTED] posts an image to flickr. Bob
has many
friends who might be interested in that. In a PubSub world, those
friends
would subscribe to a node somewhere which flickr would publish
to. Bob's
friends would subscribe to that node. Here's where the questions
start.
Do people imagine that node living on flickr or on
somejabberhost.com?
There are benefits to both. Imagine this particular node of
Bob's is
private. He only wants to allow a subset of his roster to have
permission
to subscribe to that node. Lets say, from Bob's point of view,
he has a
roster group called Family who he wants to give permission to. If
somejabberhost.com hosts that node then it would be easy for Bob
to say he
only wants his Family roster group to have access to his
images_stream node.
He also would need a way of authorizing flickr to publish to that
node on
his behalf (OAuth) Of course now Flickr can't further
authenticate users
for Bob since flickr doesn't know or have access to Bob's roster.
Nor would
Bob want flickr poking in his roster.
We tried to imagine a scenario where Bob could give Flickr
permission
(perhaps using OAuth) to authenticate people against his roster
(without
flickr being able to read his roster fully). All of that seems
complicated
though.
If Flickr keeps the node, then you have the same issues of Flickr
not
having any knowledge of Bob's roster.
I know there may not be answers for these questions yet. I guess
I'm just
wondering what people think logical solutions might be. Or maybe
there are
answers.
Thanks,
adam
