John Merrells wrote:

I do not believe this is in scope for DIX, but I think that DIX should
enable this at a lower level.

Good to hear

Using dmd0: User instructs Agent (qoop) to perform action (print
photo), Agent requests token (dmd0 fetch), Homesite doesn't
have token so refers user to token generator (flickr), User
authenticates and receives token, which they store at their
Homesite (dmd0 store), User returns to Agent, Agent requests
token (dmd0 fetch), Homesite provides Agent with token, Agent
makes call on data source (flickr) with token as parameter.

Hmmm, this seems a little complicated to me at the moment..

I also wrote up the requirements for "proxy authentication" and called it "DIX Agency". Am interested if others are seeing this use case and whether they feel that a draft should be created that extends DIX Protocol to provide these capabilities.

Rob

1.  Introduction

 DIX Agency extends the DIX protocol [DIX].  It allows third party
 "agencies" to act on a user's behalf.  A trivial example is allowing
 a photo printing service to access photographs stored by a separate
 service.

2.  Definitions

 This document uses all the definitions outlined in [DIX] section 2
 and additionally adds the following.

2.1.  Servicesite

 A website or an application that provides services for end users.
 These services are available to other websites or applications via an
 API.

2.2.  Agencysite

 A website or an application that acts on behalf of a user when
 accessing the servicesite.


3.  Overview

 The core of DIX agency is a set of procedures for negotiating access
 to the servicesite by the agencysite.  Without drilling into too many
 details, this is a general description of the DIX Agency protocol.

 The User browses to an Agencysite.  The DIX Protocol is used to establish
 their "Persona URL" with the Agencysite.  The user initiates an
 action that requires the Agencysite to access the Servicesite.  The
 Agencysite determines that it is not authorized to access the
 Servicesite.  The Agencysite then sends a request for access to the
 Servicesite through the User's client.  The Servicesite processes the
 request (possibly also establishing the user's "Persona URL"),
 prompts the User for consent, and returns a response, again through
 the User's client.  The Agencysite utilizes this response to access
 the Servicesite.


_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
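
The exchange described in the Overview above, as an added sketch that is not part of the original message or of any DIX draft. The message fields, the nonce, the HMAC-based grant format and the names `printer.example`, `other.example` and `https://home.example/rob` are assumptions made for illustration; the draft text does not define a wire format.

```python
import hashlib
import hmac
import secrets

class Servicesite:
    def __init__(self):
        self._key = secrets.token_bytes(32)  # known only to the servicesite
    def _mac(self, agency, persona, action):
        # Assumed grant format: HMAC binding agencysite, Persona URL and action.
        msg = "\n".join((agency, persona, action)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def handle_request(self, req, user_consents):
        # Access request relayed through the user's client; needs user consent.
        response = {"nonce": req["nonce"], "granted": bool(user_consents)}
        if user_consents:
            response["grant"] = self._mac(req["agency"], req["persona"], req["action"])
        return response

    def api_call(self, agency, persona, action, grant):  # direct agencysite call
        # The grant must match the calling agencysite, persona and action.
        expected = self._mac(agency, persona, action)
        return hmac.compare_digest(expected, grant or "")

class Agencysite:
    def __init__(self, name):
        self.name, self.grants, self.pending = name, {}, {}
    def start(self, persona, action):
        # Returns None when already authorized, else a request to relay.
        if (persona, action) in self.grants:
            return None
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (persona, action)
        return dict(agency=self.name, persona=persona, action=action, nonce=nonce)

    def finish(self, response):
        # Accept only a response that answers a request this agencysite sent.
        key = self.pending.pop(response.get("nonce"), None)
        if key is None or not response.get("granted"):
            return False
        self.grants[key] = response["grant"]
        return True

def run_flow(user_consents):
    service, agency = Servicesite(), Agencysite("printer.example")  # constructed
    who = ("https://home.example/rob", "read-photos")  # constructed persona/action
    ok = agency.finish(service.handle_request(agency.start(*who), user_consents))
    grant = agency.grants.get(who)
    return (ok, service.api_call(agency.name, *who, grant),
            service.api_call("other.example", *who, grant))
```

`run_flow` returns three flags: whether the agencysite obtained a grant, whether its own API call is accepted, and whether the same grant presented under a different agencysite name is accepted.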