[oslc-core] OAuth and delegated UIs

Steve K Speicher sspeiche at us.ibm.com
Mon Jan 10 14:02:29 EST 2011


I guess I don't fully understand, as OAuth is about "enabling delegated 
access to protected resources" [1].
If an application has an access token then it would seem that it should 
use it with its request.  Given the browser context and the delegated UI 
resource, the request for this resource is done by creating an iframe and 
setting the src attribute to the delegated UI URL.

I'm not a strong advocate for this, I'm just arguing a position to make 
sure we are not putting constraints on some resource "types" and how 
a certain class of clients accesses them.  Also there appears to be some 
spec [2] to support this in OAuth already.  An implementer came to me with 
this as an approach as well.

[1] - http://tools.ietf.org/html/rfc5849
[2] - http://tools.ietf.org/html/rfc5849#section-3.5.3

Thanks,
Steve Speicher | IBM Rational Software | (919) 254-0645


Jim des Rivieres <Jim_des_Rivieres at ca.ibm.com> wrote on 01/06/2011 
04:14:11 PM:

> From: Jim des Rivieres <Jim_des_Rivieres at ca.ibm.com>
> To: Steve K Speicher/Raleigh/IBM at IBMUS
> Cc: oslc-core at open-services.net, Ed Gentry/Portland/IBM at IBMUS
> Date: 01/06/2011 04:14 PM
> Subject: Re: [oslc-core] OAuth and delegated UIs
> 
> Since you mention the delegated UI sections, it bears noting that passing 
> OAuth parameters to request URLs (whether by header, body, or embedded in 
> the URL) does not make sense for web page URLs meant to be displayed in a 
> web browser; e.g., picker URLs. OAuth 1.0 is not about authenticating a 
> user in a browser talking to a server, but about authorizing servers 
> talking between themselves.
> 
> Regards,
> Jim des Rivieres
> 
> 
> 
> From: Steve K Speicher <sspeiche at us.ibm.com>
> To: oslc-core at open-services.net
> Date: 01/06/2011 02:44 PM
> Subject: [oslc-core] OAuth and delegated UIs
> Sent by: oslc-core-bounces at open-services.net
> 
> 
> 
> It would be desirable if OSLC Core spec were to recommend (SHOULD) that 
> service providers be prepared to handle OAuth parameters embedded in the 
> request URI [1]
> If a provider of the delegated UIs didn't support this, it could just 
> ignore it.   This would provide some improvements to usability where 
> setting up single solutions may not be available.
> 
> I propose that we add this to the delegated UI sections (or maybe just the 
> OAuth section)?
> 
> [1] - http://tools.ietf.org/html/rfc5849#section-3.5.3
> 
> Thanks,
> Steve Speicher | IBM Rational Software | (919) 254-0645
> 
> 
> 
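An added example, not part of the original thread: an OAuth 1.0 (RFC 5849) consumer signing a delegated UI URL with the parameters in the query string (section 3.5.3), and a provider checking the signature and rejecting a replayed nonce. All names, URLs and credentials are hypothetical; only HMAC-SHA1 on GET is shown, the secrets are assumed to be already shared, and timestamp freshness is not checked.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded
    return quote(s, safe="-._~")

def signature(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the RFC 5849 3.4.1 base string (URL has no explicit port)."""
    u = urlsplit(url)
    base_uri = f"{u.scheme}://{u.netloc.lower()}{u.path}"
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(base_uri), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def sign_delegated_ui_url(url, oauth, consumer_secret, token_secret):
    """Consumer side: append oauth_* parameters to the URL used as iframe src."""
    existing = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    extra = list(oauth.items())
    sig = signature("GET", url, existing + extra, consumer_secret, token_secret)
    extra.append(("oauth_signature", sig))
    sep = "&" if existing else "?"
    return url + sep + "&".join(f"{pct(k)}={pct(v)}" for k, v in extra)

def check_request(url, consumer_secret, token_secret, seen):
    """Provider side: classify a GET for the delegated UI page."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    q = dict(params)
    if "oauth_signature" not in q:
        return "no-oauth"  # provider falls back to its normal browser login
    expected = signature("GET", url, params, consumer_secret, token_secret)
    if not hmac.compare_digest(expected.encode(), q["oauth_signature"].encode()):
        return "bad-signature"
    # RFC 5849 section 3.3: a nonce is single-use per timestamp/client/token
    used = tuple(q.get("oauth_" + k) for k in ("consumer_key", "token", "timestamp", "nonce"))
    if used in seen:
        return "replayed"
    seen.add(used)
    return "ok"

# Constructed sample values, not taken from the thread or any OSLC provider
OAUTH = {"oauth_consumer_key": "consumer-1", "oauth_token": "token-1",
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1294686149",
         "oauth_nonce": "n-001", "oauth_version": "1.0"}
SIGNED = sign_delegated_ui_url("https://provider.example/oslc/picker?dialog=small",
                               OAUTH, "consumer-secret", "token-secret")
```

Because the signature and nonce sit in the URL itself, loading the same iframe URL a second time is classified as `replayed`, and changing any query parameter yields `bad-signature`.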




