For what it's worth, the current UMA draft protocol (layered on WRAP for the
moment) does propose a way for a client to express to the authorization server
its desired scope of access, using a JSON format and presuming that the API has
been documented in a resource-oriented way (resource loc-plu
Thanks for your explanation.
Yes, I totally agree with you from the perspective of technology.
Technically, service providers can come up with whatever policies
about scope of authorization, allowed operations, etc.
However, one drawback is that users may get confused when they access
different ser
Hi Gerald,
Your question is a good one — and gets at some of the challenges inherent in
user authorization models. Specifically: when a user grants authorization,
how do you effectively scope access and communicate that to the user? Should
you or the user need to later change the scope of authoriz
@googlegroups.com
To: OAuth
Subject: [oauth] Finer-grained access control in OAuth?
Date: Sat, 20 Mar 2010 10:58:07 -0700 (PDT)
Hi, all
I have been following OAuth work for some time. Also I have
developed some apps using OAuth. One problem I encountered often is
granularity of access. In current spec, after a user accepts the
access request from a third-party app, the app can access all of
user's data in arbitrary way.
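As an added example (not code from any of the posts in this thread), here is how a resource server can enforce per-resource, per-operation scopes so that a consented app is limited to what the user actually granted rather than to all of the user's data. The scope vocabulary (`resource:operation`), the token structure and the function names are assumptions made for this illustration; the space-delimited scope string follows the OAuth 2.0 convention.

```python
"""Added illustration: deny-by-default, per-resource OAuth scope enforcement.
Scope names, token layout and function names are assumptions for this example."""

from dataclasses import dataclass, field

# Assumed scope vocabulary: "<resource>:<operation>", space-delimited in the token.
KNOWN_RESOURCES = {"contacts", "photos", "calendar"}
KNOWN_OPERATIONS = {"read", "write", "delete"}


@dataclass(frozen=True)
class AccessToken:
    """Minimal stand-in for a validated access token (constructed for the example)."""
    subject: str
    scopes: frozenset = field(default_factory=frozenset)


def parse_scope(scope_str: str) -> frozenset:
    """Parse a space-delimited scope string, rejecting anything outside the vocabulary.

    Rejecting unknown scopes (including catch-all strings like "all") keeps the
    resource server from silently widening access on a typo or a stale client.
    """
    scopes = set()
    for item in scope_str.split():
        resource, sep, operation = item.partition(":")
        if not sep or resource not in KNOWN_RESOURCES or operation not in KNOWN_OPERATIONS:
            raise ValueError(f"unknown scope {item!r}")
        scopes.add(item)
    return frozenset(scopes)


def is_authorized(token: AccessToken, resource: str, operation: str) -> bool:
    """Deny by default: only an explicit matching scope grants the operation."""
    return f"{resource}:{operation}" in token.scopes


def describe_grant(token: AccessToken) -> dict:
    """Group scopes by resource so a consent screen can show the user what was granted."""
    grant: dict = {}
    for scope in token.scopes:
        resource, _, operation = scope.partition(":")
        grant.setdefault(resource, []).append(operation)
    return {resource: sorted(ops) for resource, ops in sorted(grant.items())}


def handle_request(token: AccessToken, resource: str, operation: str) -> tuple:
    """Return an HTTP-style (status, message) pair for a resource-server request."""
    if is_authorized(token, resource, operation):
        return 200, f"{operation} on {resource} for {token.subject}"
    # RFC 6750 style: insufficient scope is a 403, not a 401.
    return 403, f"insufficient_scope: need {resource}:{operation}"


if __name__ == "__main__":
    # Constructed sample: the user consented to reading contacts and writing photos only.
    token = AccessToken("alice", parse_scope("contacts:read photos:write"))
    print(describe_grant(token))
    print(handle_request(token, "contacts", "read"))
    print(handle_request(token, "contacts", "delete"))
```

The consent-screen view returned by `describe_grant` is the piece that addresses the user-confusion concern raised in the thread: the grant is displayed in the same resource/operation terms the server enforces, so what the user sees and what the app can do cannot drift apart.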