Here is where I see the differences...
#2 forces "person B" to go through an authentication event at photos.example.com, while #3 allows the client "person B" is using to get the access token at the time of authentication to the client.

So, for #2 "person B" will likely have to do 2 authentication events (1 to the client and 1 to photos.example.com), while with #3 "person B" only has to do 1 authentication event (to the client).
Thanks,
George
On 6/8/10 11:32 AM, Brian Eaton wrote:
> On Tue, Jun 8, 2010 at 7:17 AM, George Fletcher<gffle...@aol.com> wrote:
>> 2. Use OpenID and force Person B to "sign in" to photos.example.com (effectively establishing a relationship with photos.example.com that they might not want)
>> 3. Have photos.example.com be able to accept a token from person B's authorization service saying this is person B when accessing the protected resource.
>
> These two options seem equivalent to me.
>
> They certainly bring up the same user experience challenges.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth