Re: OAuth

The 3 second summary:  OAuth lets you delegate access to a service which 
does things on your behalf, without needing to give up your username and 
password.

The service which does things on your behalf is today typically another 
server.  However, there is no reason why the service couldn't be a 
script running in a web page.  Well, the one reason it's problematic 
today is that we don't have AC4CSR.  Given AC4CSR, a script running in 
the context of a web page could obtain permission from the user 
(represented by a token and token secret pair) and prove ownership of 
the token by signing requests it makes to a 3rd party site.

For a real world example today, look at Flickr.  (OAuth is a superset of 
Flickr auth.)  A script sends a user off to Flickr to get their 
authorization to retrieve their private pictures; Flickr returns a token 
which grants access to the script; and the script then retrieves the 
pictures.

Even in the case where there are two servers involved, it would be 
useful to allow for AC4CSR.  If all the data is ultimately going to be 
processed and presented by a script, it may be far more efficient to 
have server A sign the request and return it back to the script to issue 
against server B, than it is for server A to proxy the entire HTTP 
transaction.

John

Jonas Sicking wrote:
> Hi Folks (and John Panzer in particular),
>
> OAuth has been brought up a couple of times in this mailing list 
> lately, though every time very deep in a thread on some related subject.
>
> I'd like to understand what the use case is of using OAuth together with 
> something like cross-site XMLHttpRequest. From my, very brief, 
> understanding of OAuth it's mostly about server-to-server 
> communication. Basically creating a way to let one server fetch a 
> user's private data from another server. Like letting printing.com 
> fetch my private images from flickr.com. After getting my consent of 
> course.
>
> However I don't see how that would work with something like cross-site 
> XMLHttpRequest, where there basically is only the browser and one 
> server involved.
>
> So would you mind explaining to someone who doesn't really know the 
> bells and whistles of OAuth exactly what you want to do. Please be as 
> detailed as possible.
>
> Best Regards,
> Jonas Sicking

Received on Tuesday, 12 February 2008 17:12:41 UTC