
Re: [widgets] OAuth and openID

From: Marcos Caceres <marcosc@opera.com>
Date: Tue, 17 Mar 2009 13:32:02 +0100
Message-ID: <b21a10670903170532x745a1921h5438d4e4d3f338e7@mail.gmail.com>
To: Scott Wilson <scott.bradley.wilson@gmail.com>
Cc: Thomas Roessler <tlr@w3.org>, Jon Ferraiolo <jferrai@us.ibm.com>, Dan Brickley <danbri@danbri.org>, "public-webapps@w3.org" <public-webapps@w3.org>, public-webapps-request@w3.org
On Mon, Feb 23, 2009 at 3:31 PM, Scott Wilson
<scott.bradley.wilson@gmail.com> wrote:
> I agree that postponing any detailed work may be the most pragmatic answer,
> however oAuth is actually a very important technology for Widgets.

Agreed.

> oAuth enables a user of an application such as a widget to link that
> application to an external service, without the application storing, or
> having access to, any user credentials.

Agreed.

> For example, using oAuth, a Photo Widget could get access to a user's Flickr
> account, without the Photo Widget storing the username and credentials of
> the user, just an authorization token that cannot be reused for any other
> user or service. To set up the token, the first time the Photo Widget is
> installed, the user is prompted to go to Flickr, log in there, and agree to
> grant the widget access to the service.
>
> Currently very many widgets store users' account details in widget
> preferences as this is the only means of user access they have that doesn't
> involve the user constantly re-entering account details to get at basic
> functionality. In some environments this may not be a significant risk,
> depending on how preferences are stored and accessed; however in many cases
> the fact that a widget can impersonate the user (logging on as the user,
> rather than with a token) causes issues for trust and auditing.
>
> Because many widgets are small local applications offered for remote
> services that use different user accounts, oAuth is a very important and
> relevant technology. Which is why, for example, it has been a major task in
> the oAuth and OpenSocial/Gadgets community to integrate the technology.
>
> ((Note also that last I heard oAuth was going to IETF for standardisation))

Ok, so the use case is clear. So any thoughts on how we make sure
widgets work with OAuth?


-- 
Marcos Caceres
http://datadriven.com.au
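The flow Scott describes above (a widget linked to a remote service through an authorization token rather than stored credentials) worked through as an added example; this is not code from the thread, from any widget platform, or from Flickr. It simulates the OAuth 1.0 three-legged flow with HMAC-SHA1 signing as specified in OAuth Core 1.0, the version current at the time of the thread. The service URL (service.example), the user alice, her password, and the consumer names are constructed for the example; the service provider is a mock that holds the only copy of the password and of token secrets, so the widget's persisted state is just its consumer credentials and a token pair.

```python
"""Simulated OAuth 1.0 three-legged flow (added example; service, user and URLs are constructed)."""
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

PASSWORD = "correct horse battery staple"  # constructed; held by the service, never by the widget

def pct(value):  # RFC 3986 unreserved set only, as OAuth 1.0 requires
    return quote(str(value), safe="")

def signature_base_string(method, url, params):
    """METHOD & pct(url) & pct(normalized params); pairs are sorted after encoding."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()  # OAuth 1.0 signing key
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def signed_request(method, url, consumer_key, consumer_secret, token=None, token_secret="", extra=None):
    """Consumer (widget) side: attach the oauth_* protocol parameters and sign the request."""
    params = {"oauth_consumer_key": consumer_key, "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(int(time.time())), "oauth_nonce": secrets.token_hex(8),
              "oauth_version": "1.0", **({"oauth_token": token} if token else {}), **(extra or {})}
    params["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, params), consumer_secret, token_secret)
    return params

class Service:
    """Mock service provider: the only party holding passwords and token secrets."""
    def __init__(self):
        # consumers: key -> secret; tokens: token -> dict(secret, consumer_key, user, kind)
        self.users, self.consumers, self.tokens = {"alice": PASSWORD}, {}, {}
        self.seen_nonces = set()  # replay protection

    def _verify(self, method, url, params, token_secret=""):
        if params["oauth_nonce"] in self.seen_nonces:
            raise PermissionError("replayed nonce")
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        expected = hmac_sha1_signature(signature_base_string(method, url, unsigned),
                                       self.consumers[params["oauth_consumer_key"]], token_secret)
        if not hmac.compare_digest(expected, params["oauth_signature"]):
            raise PermissionError("bad signature")
        self.seen_nonces.add(params["oauth_nonce"])

    def _issue(self, consumer_key, user, kind):
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[tok] = dict(secret=sec, consumer_key=consumer_key, user=user, kind=kind)
        return tok, sec

    def request_token(self, method, url, params):
        self._verify(method, url, params)
        return self._issue(params["oauth_consumer_key"], None, "request")

    def authorize(self, token, username, password):  # the user logs in here, not in the widget
        if self.users.get(username) != password:
            raise PermissionError("bad login")
        self.tokens[token]["user"] = username

    def access_token(self, method, url, params):
        entry = self.tokens[params["oauth_token"]]
        self._verify(method, url, params, entry["secret"])
        if entry["kind"] != "request" or entry["user"] is None:
            raise PermissionError("request token not authorized")
        del self.tokens[params["oauth_token"]]  # request tokens are single use
        return self._issue(entry["consumer_key"], entry["user"], "access")

    def api_call(self, method, url, params):
        entry = self.tokens[params["oauth_token"]]
        if entry["kind"] != "access" or entry["consumer_key"] != params["oauth_consumer_key"]:
            raise PermissionError("token is bound to a different consumer")
        self._verify(method, url, params, entry["secret"])
        return f"photos of {entry['user']}"

def rejected(fn):  # True if the service refuses the call
    try:
        fn()
    except PermissionError:
        return True
    return False

def run_flow():
    """Drive the flow, then probe the properties the thread describes."""
    svc, base = Service(), "https://service.example"  # constructed service URL
    ckey, csec = "photo-widget", secrets.token_hex(16)  # consumer credentials registered at the service
    svc.consumers[ckey] = csec
    url = f"{base}/oauth/request_token"
    rt, rts = svc.request_token("POST", url, signed_request("POST", url, ckey, csec))
    svc.authorize(rt, "alice", PASSWORD)  # out of band: the user is sent to the service's own login page
    url = f"{base}/oauth/access_token"
    at, ats = svc.access_token("POST", url, signed_request("POST", url, ckey, csec, rt, rts))
    url = f"{base}/photos"
    call = signed_request("GET", url, ckey, csec, at, ats, {"per_page": "10"})
    result = {"api_result": svc.api_call("GET", url, call), "widget_state": (ckey, csec, at, ats)}
    result["replay_rejected"] = rejected(lambda: svc.api_call("GET", url, call))
    svc.consumers["other-widget"] = osec = secrets.token_hex(16)  # a second consumer holding the same token
    result["other_consumer_rejected"] = rejected(
        lambda: svc.api_call("GET", url, signed_request("GET", url, "other-widget", osec, at, ats)))
    return result
```

Calling `run_flow()` returns the API result for alice, the widget's persisted state (consumer key and secret plus the access token pair, with no password in it), and two refusals: the same signed request submitted twice is rejected by the nonce check, and a second consumer presenting the widget's token is rejected because the service binds each token to the consumer key it was issued to. Those two server-side checks are what make "a token that cannot be reused for any other user or service" hold in practice; a widget that instead stored the account password in its preferences would give the service no way to tell the widget apart from the user.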
Received on Tuesday, 17 March 2009 12:32:42 GMT
