Re: [widgets] OAuth and openID from Jon Ferraiolo on 2009-02-23 (public-webapps@w3.org from January to March 2009)

From: Jon Ferraiolo <jferrai@us.ibm.com>
Date: Sun, 22 Feb 2009 20:15:03 -0800
To: marcosc@opera.com
Cc: Dan Brickley <danbri@danbri.org>, "public-webapps@w3.org" <public-webapps@w3.org>, public-webapps-request@w3.org
Message-ID: <OF173FE164.15E7169A-ON88257566.00147A86-88257566.00175A1C@us.ibm.com>

Hi Marcos,
I'll take a crack at this.

OpenID is a technology that authenticates your identity. The cool thing
about OpenID is that multiple web sites can share the same identity system,
which makes it so that there can be a single marcos@myopenidwhatever.com
instead of dozens of separate IDs for you (marcos@google.com,
marcos@yahoo.com, etc.). A "competitor" to OpenID is a login/password
screen served by a single web site. With W3C Widgets, you might use OpenID
if you have to establish an identity before a widget can be installed; for
example, you might have to login to the Apple AppStore (or some other
store) before you downloaded a widget from there, and maybe the store
supports OpenID. After installation, while a widget runs, the widget (or
its server) might periodically need to ask you to enter a login/password to
confirm who you are. The login/password software might use OpenID. This
might be where Dan sees a problem - OpenID requires browser redirects to do
its magic. You might need a list of allowed domains (i.e., at least 2) to
support OpenID for this sort of repeated server login.

OAuth is a technology that authorizes someone to do something. For example,
an OAuth server might authorize you to cast a vote in an election.
Regarding authorization, in the most common case of W3C Widgets, you would
most likely use something like an OMTP/BONDI policy file or some sort of
platform-specific (maybe implicit) policy to control authorization instead
of OAuth. My thinking is that you can ignore OAuth for now.

If I were on the committee, I would push to finish Widgets 1.0 as quickly
as possible, and then put OpenID and OAuth on the list for things to
consider for Widgets 1.1.

Jon





                                                                           
             Marcos Caceres                                                
             <marcosc@opera.co                                             
             m>                                                         To 
             Sent by:                  "public-webapps@w3.org"             
             public-webapps-re         <public-webapps@w3.org>             
             quest@w3.org                                               cc 
                                       Dan Brickley <danbri@danbri.org>    
                                                                   Subject 
             02/22/2009 07:11          [widgets] OAuth and openID          
             AM                                                            
                                                                           
                                                                           
             Please respond to                                             
             marcosc@opera.com                                             
                                                                           
                                                                           




Hi,
I recently spoke to Dan Brickley who raised concerns wrt to using
OAuth authentication flows and support open ID. I've only had very
limited exposure to these technologies, so I am not the best to
comment about how they would work with widgets, but I'm starting this
thread so we can discuss ideas.

Dan, it would be great if you could outline the problem as you see it?

Kind regards,
Marcos

--
Marcos Caceres
http://datadriven.com.au

Attachments

image/gif attachment: graycol.gif
image/gif attachment: pic14024.gif
image/gif attachment: ecblank.gif

Received on Monday, 23 February 2009 04:17:11 UTC