
Re: [widgets] OAuth and openID

From: Jon Ferraiolo <jferrai@us.ibm.com>
Date: Sun, 22 Feb 2009 20:15:03 -0800
To: marcosc@opera.com
Cc: Dan Brickley <danbri@danbri.org>, "public-webapps@w3.org" <public-webapps@w3.org>, public-webapps-request@w3.org
Message-ID: <OF173FE164.15E7169A-ON88257566.00147A86-88257566.00175A1C@us.ibm.com>

Hi Marcos,
I'll take a crack at this.

OpenID is a technology that authenticates your identity. The cool thing
about OpenID is that multiple web sites can share the same identity system,
which makes it so that there can be a single marcos@myopenidwhatever.com
instead of dozens of separate IDs for you (marcos@google.com,
marcos@yahoo.com, etc.). A "competitor" to OpenID is a login/password
screen served by a single web site. With W3C Widgets, you might use OpenID
if you have to establish an identity before a widget can be installed; for
example, you might have to log in to the Apple AppStore (or some other
store) before you downloaded a widget from there, and maybe the store
supports OpenID. After installation, while a widget runs, the widget (or
its server) might periodically need to ask you to enter a login/password to
confirm who you are. The login/password software might use OpenID. This
might be where Dan sees a problem - OpenID requires browser redirects to do
its magic. You might need a list of allowed domains (i.e., at least 2) to
support OpenID for this sort of repeated server login.

OAuth is a technology that authorizes someone to do something. For example,
an OAuth server might authorize you to cast a vote in an election.
Regarding authorization, in the most common case of W3C Widgets, you would
most likely use something like an OMTP/BONDI policy file or some sort of
platform-specific (maybe implicit) policy to control authorization instead
of OAuth. My thinking is that you can ignore OAuth for now.

If I were on the committee, I would push to finish Widgets 1.0 as quickly
as possible, and then put OpenID and OAuth on the list for things to
consider for Widgets 1.1.


Marcos Caceres, sent by public-webapps-request@w3.org, 02/22/2009 07:11
To: "public-webapps@w3.org" <public-webapps@w3.org>
cc: Dan Brickley <danbri@danbri.org>
Subject: [widgets] OAuth and openID

I recently spoke to Dan Brickley who raised concerns wrt using
OAuth authentication flows and supporting OpenID. I've only had very
limited exposure to these technologies, so I am not the best to
comment about how they would work with widgets, but I'm starting this
thread so we can discuss ideas.

Dan, it would be great if you could outline the problem as you see it?

Kind regards,

Marcos Caceres


Received on Monday, 23 February 2009 04:17:11 UTC
