
Re: Delegated authorization ? Was: - Re: delegated authentication

From: Henry Story <henry.story@bblfish.net>
Date: Fri, 13 Jul 2012 22:09:52 +0200
Cc: Sebastian Tramp <tramp@informatik.uni-leipzig.de>, Andrei Sambra <andrei@fcns.eu>, public-webid <public-webid@w3.org>, Read-Write-Web <public-rww@w3.org>
Message-Id: <10BC8CFE-56A2-43CF-92B7-266C1E551B7A@bblfish.net>
To: Olivier Berger <olivier.berger@it-sudparis.eu>

On 13 Jul 2012, at 16:46, Olivier Berger wrote:

> Hi.
> About the naming scheme for all these delegated cases, and this time
> referring to the discussions about secretaries / agents acting on behalf
> of users (and not about the simple delegated authentication I've just
> posted about in another thread), may it make sense to call that
> "delegated authorization" for the more general acceptions ?

Yes, that makes sense.

> Also, I didn't see OAuth [0] mentioned so much in what I've read so far.

Because I have not studied it. Is it close? Have we covered OAuth with one
Relation in WebID? That would be cool!

> Still I very much think OAuth has indeed been built to allow (web) apps
> to act on other services on behalf of users, once they have delegated
> them some sort of a token to act on their behalf in the background.

I'd be interested to know how they compare. I am going to soon work some
more on OAuth. Whenever I asked others I came to understand that OAuth
requires some behind the scenes negotiation, which our webid delegated 
authentication with the secretary relation does not.

> Again, can we same much of the low-level implementation details (like
> signature or REST invocations between various agents) from OAuth ?
> So maybe my WebID can describe the kind of delegation of authorizations
> I grant to particular services/agents/secretaries (identified by their
> own RDF description) in a standard and interoperable way (RDF ACL
> kinds), instead of just creating various ad-hoc OAuth tokens in the
> different databases of the different apps where I want these agents to
> act on my behalf, but then all the communication between the agents and
> the apps would occur over OAuth signed invocations : no need to reinvent
> the already specified protocol ?

Could be. If adding one relation to WebID gives us OAuth, then you could
consider that we just simplified OAuth. I'll let you know more when I
have considered it in more detail.

In any case one should be able to link data enable OAuth. That could be interesting.

> Does this make sense ?
> Hope this helps.
> Best regards,
> [0] http://tools.ietf.org/html/rfc5849
> Henry Story <henry.story@bblfish.net> writes:
>> On 23 Jun 2012, at 17:11, Sebastian Tramp wrote:
>>> On Sat, Jun 23, 2012 at 11:54:59AM +0200, Andrei Sambra wrote:
>>> Hi all,
>>> since we discussed this problem e.g. at the FSW in Berlin and on other places,
>>> I had some material about webid delegation already finished.
>>> I've created a wiki page here:
>>> http://www.w3.org/wiki/WebID/Delegation
>> Great work! Thanks.
>>> I've added an extended sequence image and some structure and hope we can take
>>> this as a base for future discussion. Also note that we have this implemented
>>> since 3 years in OntoWiki (to allow inter-OntoWiki communication) but with
>>> other namings. Currently, Phil is reworking this part so that others (e.g.
>>> Andrei) can use that too (the link is added to the page too)
>> Great. Yes, we should try to come to agree on some naming scheme.
>> I hope to be able to implement this soonish. The read-write-web rewrite 
>> in Play 2.0 is moving ahead.... Then we can test and write it out nicely.
>> But don't let my slowness slow you down :-)
> -- 
> Olivier BERGER 
> http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
> Ingenieur Recherche - Dept INF
> Institut Mines-Telecom, Telecom SudParis, Evry (France)

Social Web Architect
Received on Friday, 13 July 2012 20:10:27 UTC
