Re: On behalf of

On 4 Feb 2011, at 13:13, Nathan wrote:
> 
> And we suppose that each x is ident/acl controlled, then s will need to contact x on behalf of the agent. We currently don't have a solution for this (?)


In the OAuth world, this is called 3-legged [1] OAuth. 

I am not sure of the cryptographic details, but basically this imposes a strong requirement to specify the whole authorisation flow and all of its details for each individual OAuth eco-system. (That's why a client of the Twitter OAuth eco-system cannot participate in the Google OAuth eco-system without an additional "connector" implementation.)

When I asked Henry about the issue of 3-legged authorisation, he said that it can probably be solved through providing more elaborate user interfaces, so that all parties can be authorised by the user on his WebID hosting server. 


See Henry's sketch of a WebID enabled photo printing service [2] for an example of how to (maybe) avoid 3-legged authorisation.


To summarise my opinion on this: 
* no, WebIDs currently don't explicitly address this use case
* it is fundamentally relevant to the topic of authorisation
* it requires specifying the process / flow / orchestration of the different participating roles (in that authorisation architecture) 
* as such it might be out of scope to define that process here
* however it makes for a very compelling use case




[1] http://wiki.opensocial.org/index.php?title=OAuth_Use_Cases#OpenSocial_and_3-legged_OAuth
[2] http://blogs.sun.com/bblfish/entry/sketch_of_a_restful_photo

Received on Friday, 4 February 2011 14:21:15 UTC
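For readers who want to see what the "3-legged" flow referred to above actually involves, here is an added, self-contained simulation of three-legged OAuth 1.0a (RFC 5849) in Python. It is example code written for this editorial note, not code from the thread, from WebID or from any OAuth library. The roles map onto Nathan's question: the photo-printing service is the client "s", the user's storage host is the provider "x", and the user approves the delegation in leg 2. The consumer key, secrets, URLs, photo names and the `Provider`/`Client` classes are all constructed for the example; the request signing and verification follow the RFC's HMAC-SHA1 base-string rules.

```python
"""Three-legged OAuth 1.0a (RFC 5849), simulated end-to-end and offline.

Leg 1: client gets a temporary (request) token from the server.
Leg 2: resource owner approves the request token and a verifier is issued.
Leg 3: client trades request token + verifier for an access token, then
       calls the protected resource on the owner's behalf.
All identifiers, secrets and URLs below are constructed for this example.
"""
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

REQ_URL = "https://x.example/oauth/request_token"   # constructed endpoints
ACC_URL = "https://x.example/oauth/access_token"
RES_URL = "https://x.example/photos"
CALLBACK = "https://s.example/oauth/callback"


def pct(s):
    """RFC 5849 3.6 percent-encoding: only unreserved characters are kept."""
    return quote(str(s), safe="")


def base_string(method, url, params):
    """RFC 5849 3.4.1: METHOD & enc(url) & enc(sorted, encoded k=v pairs)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])


def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    """RFC 5849 3.4.2: key = enc(consumer secret) & enc(token secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


class Provider:
    """The resource host x: verifies signed requests, issues tokens, serves photos."""

    def __init__(self, photos):
        self.consumers = {"photo-printer": "printer-secret"}  # constructed registration
        self.request_tokens, self.access_tokens, self.nonces = {}, {}, set()
        self.photos = photos  # owner -> list of photo names (constructed data)

    def _authenticate(self, method, url, params, token_store):
        p = dict(params)
        sig = p.pop("oauth_signature", "")
        ckey = p.get("oauth_consumer_key")
        if ckey not in self.consumers:
            raise PermissionError("unknown consumer")
        if abs(time.time() - int(p.get("oauth_timestamp", 0))) > 300:
            raise PermissionError("stale timestamp")
        nonce = (ckey, p.get("oauth_nonce"))
        if nonce in self.nonces:
            raise PermissionError("nonce replay")
        token_secret, rec = "", None
        if token_store is not None:  # this endpoint requires a token of a specific kind
            rec = token_store.get(p.get("oauth_token"))
            if rec is None:
                raise PermissionError("token missing or not valid for this endpoint")
            token_secret = rec["secret"]
        expected = hmac_sha1(method, url, p, self.consumers[ckey], token_secret)
        if not hmac.compare_digest(expected, sig):
            raise PermissionError("bad signature")
        self.nonces.add(nonce)  # record only after the signature checks out
        return p, rec

    def request_token(self, params):  # leg 1
        p, _ = self._authenticate("POST", REQ_URL, params, None)
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "callback": p["oauth_callback"], "owner": None}
        return {"oauth_token": tok, "oauth_token_secret": sec, "oauth_callback_confirmed": "true"}

    def authorize(self, token, owner):  # leg 2: the owner's browser, not the client
        rec = self.request_tokens[token]
        rec["owner"], rec["verifier"] = owner, secrets.token_hex(8)
        return rec["verifier"]  # delivered to the client via the registered callback

    def access_token(self, params):  # leg 3
        p, rec = self._authenticate("POST", ACC_URL, params, self.request_tokens)
        if rec["owner"] is None or not hmac.compare_digest(rec.get("verifier", ""), p.get("oauth_verifier", "")):
            raise PermissionError("not approved by the resource owner")
        del self.request_tokens[p["oauth_token"]]  # request tokens are single use
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = {"secret": sec, "owner": rec["owner"]}
        return {"oauth_token": tok, "oauth_token_secret": sec}

    def photos_for(self, params):  # protected resource, access token only
        _, rec = self._authenticate("GET", RES_URL, params, self.access_tokens)
        return list(self.photos[rec["owner"]])


class Client:
    """The photo-printing service s, acting on behalf of the user."""

    def __init__(self, key, secret):
        self.key, self.secret = key, secret

    def signed(self, method, url, token=None, token_secret="", **extra):
        p = {"oauth_consumer_key": self.key, "oauth_nonce": secrets.token_hex(8),
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
             "oauth_version": "1.0", **extra}
        if token:
            p["oauth_token"] = token
        p["oauth_signature"] = hmac_sha1(method, url, p, self.secret, token_secret)
        return p


def run_three_legged_flow(provider, client, owner):
    r = provider.request_token(client.signed("POST", REQ_URL, oauth_callback=CALLBACK))
    verifier = provider.authorize(r["oauth_token"], owner)  # user clicks "allow" on x
    a = provider.access_token(client.signed("POST", ACC_URL, r["oauth_token"],
                                            r["oauth_token_secret"], oauth_verifier=verifier))
    return provider.photos_for(client.signed("GET", RES_URL, a["oauth_token"], a["oauth_token_secret"]))


def rejects(fn):
    """True if the provider refuses the call with PermissionError."""
    try:
        fn()
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    prov = Provider({"alice": ["beach.jpg", "cat.jpg"]})
    print(run_three_legged_flow(prov, Client("photo-printer", "printer-secret"), "alice"))
```

The point of the simulation is the part the e-mail calls "specifying the whole authorisation flow": the client never sees the user's credentials, the request token is worthless at the resource endpoint until the owner has approved it and the verifier has been exchanged, and every leg is a signed, nonce-protected request whose shape both sides must agree on in advance. That agreement is exactly the per-ecosystem "connector" the message complains about.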