Re: [widgets] OAuth and openID

On 23 Feb 2009, at 05:15, Jon Ferraiolo wrote:

> OAuth is a technology that authorizes someone to do something. For  
> example, an OAuth server might authorize you to cast a vote in an  
> election. Regarding authorization, in the most common case of W3C  
> Widgets, you would most likely use something like an OMTP/BONDI  
> policy file or some sort of platform-specific (maybe implicit)  
> policy to control authorization instead of OAuth. My thinking is  
> that you can ignore OAuth for now.

I think you're conflating policy and protocol here -- OAuth is a way  
to share an authorization token (and really not much more); it doesn't  
tell you how to write your authorization policies.

> If I were on the committee, I would push to finish Widgets 1.0 as  
> quickly as possible, and then put OpenID and OAuth on the list for  
> things to consider for Widgets 1.1.


OAuth seems most relevant to XMLHttpRequest level 2, and much less  
relevant to the widget specs.

Received on Monday, 23 February 2009 11:02:30 UTC