[sldev] [AWG] OGP Authentication Draft 3

Escort DeFarge escort.defarge at gmail.com
Wed Jan 14 15:34:04 PST 2009


Food for thought indeed.

I guess my take was that OAuth could equally well start the chain of 
capability from an (at least partially standardized) HTTP login. I 
hadn't really expected it to generalize out to object-level perms... and 
it was my understanding that even OpenID relies on a TTP.

Thanks for the reply.

/esc


Meadhbh Hamrick (Infinity) wrote:
> but seriously. OAuth is a step in the right direction, but...
>
> a. it depends on HTTP. we think linking application level objects 
> (like application object access control metadata) with a specific 
> transport is a bad idea.
> b. as far as i can tell, it doesn't have a resource for managing 
> distributed access-control tokens. there seems to be an assumption 
> that all access control will be managed by the same administrative 
> party. that being said... there appears to be nothing in the spec to 
> PREVENT you from adding this feature, and I've pinged the OAuth peeps 
> from time to time about it, so who knows.
> c. OAuth is for securely transporting object access control metadata, 
> OGP Authentication is for authenticating an end user to a service 
> cloud. OGP Auth is actually a little closer to OpenID than to OAuth. 
> But i think you're asking... why not return an OAuth compliant PDU as 
> a result of successful OGP Authentication. hmm... no reason it can't 
> be done from a protocol perspective, but we would have to get with the 
> OAuth people and get them to fix problems a and b above before we 
> would likely deploy something like that.
>
> -cheers
> -meadhbh

