Re: [Standards] OpenID for XMPP (Was: Authorization over HTTP)

2007-11-09 Thread Tomasz Sterna
On 09-11-2007, Fri at 07:39 -0800, anders conbere wrote:
> This is exactly what I'm talking about, and why OpenID is not a good
> solution here. OpenID is fantastic at proving you're the user you
> say you are; this means that we could safely /Authenticate/ with a
> jabber server. But we want to do more than that; we want to grant a
> client continued access to those restricted APIs (in this case roster
> add / remove / request and maybe message sending).

How very untrue...
http://openid.net/specs/openid-attribute-exchange-1_0-07.html

This is the protocol by which my OpenID gives my e-mail addresses, birthdate,
gender, avatar, PO address, my JIDs and other IM IDs, and many more, to
the requesting parties.

During the first login to the site with OpenID I'm informed which pieces of
information the external party requested, and I'm able to choose which I
want to give, and the period that the acceptance is valid (one-time,
until some date or forever).


-- 
  /\_./o__ Tomasz Sterna
 (/^/(_^^'  Xiaoka.com
._.(_.)_  XMPP: [EMAIL PROTECTED]



Re: [Standards] OpenID for XMPP (Was: Authorization over HTTP)

2007-11-09 Thread anders conbere
On Nov 9, 2007 8:20 AM, Tomasz Sterna [EMAIL PROTECTED] wrote:
> On 09-11-2007, Fri at 07:39 -0800, anders conbere wrote:
> > This is exactly what I'm talking about, and why OpenID is not a good
> > solution here. OpenID is fantastic at proving you're the user you
> > say you are; this means that we could safely /Authenticate/ with a
> > jabber server. But we want to do more than that; we want to grant a
> > client continued access to those restricted APIs (in this case roster
> > add / remove / request and maybe message sending).
>
> How very untrue...
> http://openid.net/specs/openid-attribute-exchange-1_0-07.html
>
> This is the protocol by which my OpenID gives my e-mail addresses, birthdate,
> gender, avatar, PO address, my JIDs and other IM IDs, and many more, to
> the requesting parties.
>
> During the first login to the site with OpenID I'm informed which pieces of
> information the external party requested, and I'm able to choose which I
> want to give, and the period that the acceptance is valid (one-time,
> until some date or forever).

I'm not seeing in that spec the tools necessary for authorization,
which is why I would suspect many of the same people who authored that
spec went on to author the OAuth spec:

http://oauth.googlecode.com/svn/spec/branches/1.0/drafts/5/spec.html

That is a spec specifically for /authorizing/ client applications to
use restricted APIs.

I'm not following how attribute exchange is particularly useful for
granting a client access to APIs (perhaps a set of attributes yes,
but at least I'm not seeing it provision for resources).

~ Anders



> --
>   /\_./o__ Tomasz Sterna
>  (/^/(_^^'  Xiaoka.com
> ._.(_.)_  XMPP: [EMAIL PROTECTED]