W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2009

Re: [widgets] OAuth and openID

From: Marcos Caceres <marcosc@opera.com>
Date: Tue, 17 Mar 2009 13:32:02 +0100
Message-ID: <b21a10670903170532x745a1921h5438d4e4d3f338e7@mail.gmail.com>
To: Scott Wilson <scott.bradley.wilson@gmail.com>
Cc: Thomas Roessler <tlr@w3.org>, Jon Ferraiolo <jferrai@us.ibm.com>, Dan Brickley <danbri@danbri.org>, "public-webapps@w3.org" <public-webapps@w3.org>, public-webapps-request@w3.org
On Mon, Feb 23, 2009 at 3:31 PM, Scott Wilson
<scott.bradley.wilson@gmail.com> wrote:
> I agree that postponing any detailed work may be the most pragmatic answer,
> however oAuth is actually a very important technology for Widgets.


> oAuth enables a user of an application such as a widget to link that
> application to an external service, without the application storing, or
> having access to, any user credentials.


> For example, using oAuth, a Photo Widget could get access to a user's Flickr
> account, without the Photo Widget storing the username and credentials of
> the user, just an authorization token that cannot be reused for any other
> user or service. To set up the token, the first time the Photo Widget is
> installed, the user is prompted to go to Flickr, log in there, and agree to
> grant the widget access to the service.
> Currently very many widgets store user's account details in widget
> preferences as this is the only means of user access they have that doesn't
> involve the user constantly re-entering account details to get at basic
> functionality. In some environments this may not be a significant risk,
> depending on how preferences are stored and accessed; however in many cases
> the fact that a widget can impersonate the user (logging on as the user,
> rather than with a token) causes issues for trust and auditing.
> Because many widgets are small local applications offered for remote
> services that use different user accounts, oAuth is a very important and
> relevant technology. Which is why, for example, it has been a major task in
> the oAuth and OpenSocial/Gadgets community to integrate the technology.
> ((Note also that last I heard oAuth was going to IETF for standardisation))

Ok, so the use case is clear. So any thoughts on how we make sure
widgets work with OAuth?

Marcos Caceres
Received on Tuesday, 17 March 2009 12:32:42 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 20 October 2015 13:55:24 UTC