Pedro Melo wrote:
> Hi,
>
> On Fri, Jan 22, 2010 at 5:16 AM, Jason Eacott <[email protected]> wrote:
>> Peter Saint-Andre wrote:
>>> On 1/21/10 6:08 PM, Jason Eacott wrote:
>>>> OAuth is all about impersonating other users, that's all it does!
>>>
>>> False. OAuth is about delegating access to protected resources so that
>>> another entity can have restricted authority to perform a given task
>>> (the canonical example is granting a printing service access to your
>>> online photos). OAuth is not about impersonation, it is about delegated
>>> authorization. Those two things are very different.
>>
>> fair enough,
>> but in practice is there really much distinction? granting a printing
>> service access to photos, granting another service limited access to my
>> private xml data store, granting another service to create pubsub nodes with
>> me as the owner, etc.
>
> Yes, it is totally different. With impersonation you are the user, and
> the services cannot know the difference and therefore you can't limit
> what they can do as you. Impersonation is me using your login and
> password.
>
> Delegating access implies a different identification that has access
> to your data, and the service can use that different identification
> (and other data, like the OAuth access token) to provide you with
> limited access.
>
> Bye,

Sure - and with an OAuth-like system the target always knows.
I'll admit that in my original suggested approach the target service would not know, but it was a first rough, aimed for discussion, and at trying to enable reuse of existing components without modification. So suggest workable amendments or a workable alternative.

I sense more than a small amount of nastiness here, and I don't think it's warranted. I know I'm not alone in thinking this particular issue is an important missing capability of XMPP, but if nobody's interested in the discussion then I'll drop it.









