- From: Jon Ferraiolo <jferrai@us.ibm.com>
- Date: Sun, 22 Feb 2009 20:15:03 -0800
- To: marcosc@opera.com
- Cc: Dan Brickley <danbri@danbri.org>, "public-webapps@w3.org" <public-webapps@w3.org>, public-webapps-request@w3.org
- Message-ID: <OF173FE164.15E7169A-ON88257566.00147A86-88257566.00175A1C@us.ibm.com>
Hi Marcos,

I'll take a crack at this.

OpenID is a technology that authenticates your identity. The cool thing about OpenID is that multiple web sites can share the same identity system, which makes it so that there can be a single marcos@myopenidwhatever.com instead of dozens of separate IDs for you (marcos@google.com, marcos@yahoo.com, etc.). A "competitor" to OpenID is a login/password screen served by a single web site.

With W3C Widgets, you might use OpenID if you have to establish an identity before a widget can be installed; for example, you might have to log in to the Apple AppStore (or some other store) before you downloaded a widget from there, and maybe the store supports OpenID. After installation, while a widget runs, the widget (or its server) might periodically need to ask you to enter a login/password to confirm who you are. The login/password software might use OpenID. This might be where Dan sees a problem - OpenID requires browser redirects to do its magic. You might need a list of allowed domains (i.e., at least 2) to support OpenID for this sort of repeated server login.

OAuth is a technology that authorizes someone to do something. For example, an OAuth server might authorize you to cast a vote in an election. Regarding authorization, in the most common case of W3C Widgets, you would most likely use something like an OMTP/BONDI policy file or some sort of platform-specific (maybe implicit) policy to control authorization instead of OAuth. My thinking is that you can ignore OAuth for now.

If I were on the committee, I would push to finish Widgets 1.0 as quickly as possible, and then put OpenID and OAuth on the list for things to consider for Widgets 1.1.

Jon

From: Marcos Caceres <marcosc@opera.com>
Sent by: public-webapps-request@w3.org
To: "public-webapps@w3.org" <public-webapps@w3.org>
cc: Dan Brickley <danbri@danbri.org>
Date: 02/22/2009 07:11 AM
Subject: [widgets] OAuth and openID
Please respond to marcosc@opera.com

Hi,

I recently spoke to Dan Brickley who raised concerns wrt using OAuth authentication flows and support open ID. I've only had very limited exposure to these technologies, so I am not the best to comment about how they would work with widgets, but I'm starting this thread so we can discuss ideas.

Dan, it would be great if you could outline the problem as you see it?

Kind regards,
Marcos

--
Marcos Caceres
http://datadriven.com.au

Received on Monday, 23 February 2009 04:17:11 UTC