[OSLC-CM] How many tools support (or plan to) OAuth?
Olivier Berger
olivier.berger at it-sudparis.eu
Thu Nov 26 07:29:55 EST 2009
Hi.
On Wednesday, 25 November 2009 at 08:58 -0500, Steve K Speicher wrote:
> Since the terms "authorization" and "authentication" are overloaded, I
> think it would be best instead of me trying to describe OAuth here
> that I defer to the http://oauth.net site for resources that describe
> it.
>
> I did not intend to state a subset of OAuth or misrepresent it by
> saying "cross-system authentication" as it is not a single sign-on
> solution. It provides a way to authenticate users, then leverage that
> to authorize cross-server access.
You're right... reading back your initial message, the term
authentication had triggered some doubts, but I hadn't really noticed
the "cross-system auth".
OAuth is really about tokens granted by apps to other apps after
approval by users, and not a *users* auth mechanism nor a SSO indeed.
Thanks for the clarification. I think we share the same vision of
OAuth's role in the protocol.
What's left to define (maybe?) is the semantics of such
privileges/permissions that the servers would support with OAuth maybe?
Would it be part of the OSLC-CM standard to explicitly state which
permissions may be granted to clients through OAuth?
For instance I can imagine a use case for a system where a user could be
prompted to allow delegation of the right to create bugs in a bugtracker
to a continuous integration tool for a specific "project" or "category"
only, but not to mark bugs as resolved.
The "right to create a bug in a particular project" or "right to mark a
bug as resolved" would then be the kind of permissions granted to client
tools through OAuth?
That's a bit different than being allowed to access a particular URL
through POST (as may be easily done with a .htaccess for instance).
How "far" should OSLC-CM go in this respect in terms of
standardization?
Best regards,
--
Olivier BERGER <olivier.berger at it-sudparis.eu>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
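
The distinction drawn in the message above, between permissions expressed as tracker operations scoped to a project and access control on a URL and HTTP method, as an added example that is not part of the original post and is not taken from OSLC-CM or OAuth. The token shape, the permission names `create_bug` and `resolve_bug`, the project names and the URL layout are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical permission names; OSLC-CM defines none of these.
CREATE_BUG = "create_bug"
RESOLVE_BUG = "resolve_bug"


@dataclass(frozen=True)
class DelegatedToken:
    """What the tracker stores for an access token the user approved (assumed shape)."""
    client: str                      # consumer application, e.g. the CI tool
    user: str                        # user who approved the delegation
    grants: frozenset = frozenset()  # set of (permission, project) pairs


def semantic_check(token, permission, project):
    """Operation-level check: the exact (permission, project) pair must be granted."""
    return (permission, project) in token.grants


def url_method_check(allowed, method, path):
    """URL-level check in the style of an .htaccess rule: method + path prefix only."""
    return any(method == m and path.startswith(prefix) for m, prefix in allowed)


def operation_for(method, path, body):
    """Map a request to the tracker operation it performs (assumed URL layout:
    /projects/<project>/bugs and a 'status' field in the submitted form)."""
    parts = path.strip("/").split("/")
    if len(parts) < 3 or parts[0] != "projects" or parts[2] != "bugs" or method != "POST":
        return None
    project = parts[1]
    if len(parts) == 3:
        return (CREATE_BUG, project)
    if body.get("status") == "resolved":
        return (RESOLVE_BUG, project)
    return None  # anything unrecognised is denied by the caller


def authorize(token, method, path, body):
    """Deny by default: allow only a recognised operation the token was granted."""
    op = operation_for(method, path, body)
    return op is not None and semantic_check(token, *op)


# Constructed sample: the user lets the CI tool create bugs in "frontend" only.
CI_TOKEN = DelegatedToken("ci-tool", "alice", frozenset({(CREATE_BUG, "frontend")}))
URL_RULES = [("POST", "/projects/frontend/bugs")]  # coarse URL-level equivalent
```

Under these assumptions the URL-level rule lets the same client POST a status change to an existing bug, while the operation-level check refuses it.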