Re: [widgets] OAuth and openID

On Mon, Feb 23, 2009 at 3:31 PM, Scott Wilson
<scott.bradley.wilson@gmail.com> wrote:
> I agree that postponing any detailed work may be the most pragmatic answer,
> however oAuth is actually a very important technology for Widgets.

Agreed.

> oAuth enables a user of an application such as a widget to link that
> application to an external service, without the application storing, or
> having access to, any user credentials.

Agreed.

> For example, using oAuth, a Photo Widget could get access to a user's Flickr
> account, without the Photo Widget storing the username and credentials of
> the user, just an authorization token that cannot be reused for any other
> user or service. To set up the token, the first time the Photo Widget is
> installed, the user is prompted to go to Flickr, log in there, and agree to
> grant the widget access to the service.
>
> Currently very many widgets store users' account details in widget
> preferences as this is the only means of user access they have that doesn't
> involve the user constantly re-entering account details to get at basic
> functionality. In some environments this may not be a significant risk,
> depending on how preferences are stored and accessed; however in many cases
> the fact that a widget can impersonate the user (logging on as the user,
> rather than with a token) causes issues for trust and auditing.
>
> Because many widgets are small local applications offered for remote
> services that use different user accounts, oAuth is a very important and
> relevant technology. Which is why, for example, it has been a major task in
> the oAuth and OpenSocial/Gadgets community to integrate the technology.
>
> ((Note also that last I heard oAuth was going to IETF for standardisation))

Ok, so the use case is clear. So any thoughts on how we make sure
widgets work with OAuth?


-- 
Marcos Caceres
http://datadriven.com.au

Received on Tuesday, 17 March 2009 12:32:42 UTC