Hi people, I have to apologize first, I am by no means an expert (or even any good) web developer. Still I read some of the protocol descriptions and here I am *seriously* baffled.
Suppose we have "a server", "a client", and "a third party". As long as a third party is not involved, the client (or, precisely, the web browser application that runs on hardware that is under the user's control) interacts directly with the server, and the OpenID protocol is used. When a third party (usually another web server) needs to get some limited access to the server on behalf of the client, this third party is not fully trusted by either the client or the server. The OAuth protocol is used here in place of OpenID in order to (1) not share the client's credentials with the third party, and (2) restrict the third party to a limited subset of the operations/data that the client can perform/access on the server.

Now consider a desktop or mobile application. It is software that runs on a device that is controlled by the user, and trust in it is no different from the trust in a web browser application! There is no "incomplete trust" issue, no desire to conceal the user's credentials from the app, no reason to limit its access to the operations/data on the server. In other words, it calls for the use of the OpenID protocol rather than OAuth. OAuth is designed for completely different circumstances than the desktop/mobile application.

So, why do people try to use OAuth when OpenID is seemingly a better match? What am I missing?

Thanks,
Eugene
_______________________________________________ StatusNet-dev mailing list [email protected] http://lists.status.net/mailman/listinfo/statusnet-dev
