The 3 second summary: OAuth lets you delegate access to a service which
does things on your behalf, without needing to give up your username and
password.

The service which does things on your behalf is today typically another
server. However, there is no reason why the service couldn't be a
script running in a web page. Well, the one reason it's problematic
today is that we don't have AC4CSR. Given AC4CSR, a script running in
the context of a web page could obtain permission from the user
(represented by a token and token secret pair) and prove ownership of
the token by signing requests it makes to a 3rd party site.

For a real-world example today, look at Flickr. (OAuth is a superset of
Flickr auth.) A script sends a user off to Flickr to get their
authorization to retrieve their private pictures; Flickr returns a token
which grants access to the script; and the script then retrieves the
pictures.

Even in the case where there are two servers involved, it would be
useful to allow for AC4CSR. If all the data is ultimately going to be
processed and presented by a script, it may be far more efficient to
have server A sign the request and return it back to the script to issue
against server B, than it is for server A to proxy the entire HTTP
transaction.
John
Jonas Sicking wrote:
Hi Folks (and John Panzer in particular),

OAuth has been brought up a couple of times in this mailing list
lately, though every time very deep in a thread on some related subject.

I'd like to understand what the use case is of using OAuth together with
something like cross-site XMLHttpRequest. From my, very brief,
understanding of OAuth it's mostly about server-to-server
communication. Basically creating a way to let one server fetch a
user's private data from another server. Like letting printing.com
fetch my private images from flickr.com. After getting my consent of
course.

However I don't see how that would work with something like cross-site
XMLHttpRequest, where there basically is only the browser and one
server involved.

So would you mind explaining to someone who doesn't really know the
bells and whistles of OAuth exactly what you want to do? Please be as
detailed as possible.

Best Regards,
Jonas Sicking