On Nov 9, 2007 8:20 AM, Tomasz Sterna <[EMAIL PROTECTED]> wrote: > Dnia 09-11-2007, Pt o godzinie 07:39 -0800, anders conbere pisze: > > This is exactly why I'm talking about, and why openID is not a good > > solution here. OpenID is fantastic at "prooving you're the user you > > say you are" this means that we could safely /Authenticate/ with a > > jabber server. but we want to do more than that, we want to grant a > > client continued access to those restricted api's (in this case roster > > add / remove / request and maybe message sending). > > How very untrue... > http://openid.net/specs/openid-attribute-exchange-1_0-07.html > > This is the protocol my OpenID gives my e-mail addresses, birthdate, > gender, avatar, PO address, my JIDs and other IM IDs, and many more, to > the requesting parties. > > During first login to the site with OpenID I'm informed which pieces of > information the external party requested, and I'm able to choose which I > want to give, and the period that the acceptance is valid (one-time, > until some date or forever).
I'm not seeing in that spec the tools necessary for authorization, which is why I would suspect many of the same people who authored that spec went on to author the OAuth spec http://oauth.googlecode.com/svn/spec/branches/1.0/drafts/5/spec.html That is a spec specifically for /authorizing/ client applications to use restricted api's I'm not following how attribute exchange is particularly useful for granting a client access to api's (perhaps a set of attributes yes, but at least I'm not seeing it provision for resources). ~ Anders > > > -- > /\_./o__ Tomasz Sterna > (/^/(_^^' Xiaoka.com > ._.(_.)_ XMPP: [EMAIL PROTECTED] > >