Peter Saint-Andre wrote:
On 1/21/10 6:08 PM, Jason Eacott wrote:
Oauth is all about impersonating other users, thats all it does!
False. OAuth is about delegating access to protected resources so that
another entity can have restricted authority to perform a given task
(the canonical example is granting a printing service access to your
online photos). OAuth is not about impersonation, it is about delegated
authorization. Those two things are very different.
Peter
fair enough,
but in practice is there really much distinction? granting a printing
service access to photos, granting another service limited access to my
private xml data store, granting another service to create pubsub nodes
with me as the owner, etc.
The upshot of it all is that after authority is delegated, the
authorised proxy is allowed to act on the users behalf for whatever it
has been given permission to do.
For me I dont see the difference. I didn't state categorically in this
last post that the proxy can only act in limited ways (if the user
offers only limited authority to the service), but I dont think it
changes the fact that at the end of the process a service is allowed to
act on behalf of a user (various oauth api's make this feel very much
like simply switching user hats - now I'm user x. do ...).
my point is that if xmpp embraced something like this then components
and external services could actually use things like the private xml
storage of any user that offered authority, but instead the only options
I know for such a service is to either reinvent xml data storage, deploy
as a client app, or convince its users to handover user credentials.
previous posts in this thread have said there are other options
available but I don't yet know what they are.
