I tried to help Justin off-list, but it would be nice to have a FAQ somewhere that shows developers how to translate from OAuth 1.1 to OAuth 2.0, even just conceptually (as in, "they got rid of the legs, how do I do two-legged auth in OAuth 2.0?!?").
On 8/26/11 5:04 PM, Justin Karneges wrote: > Hi folks, > > I currently use a proprietary token approach to provide authentication to a > browser widget, and I wonder if OAuth could be used to replace it. > > Here's how the system currently works: > - website supports authenticated users (happens via username/password form) > - website and widget provider have a shared secret > - the website serves a page to the browser, containing an embed of a remote > widget as well as a token that asserts the currently logged in user. the > widget takes this token and performs an ajax call to the widget provider > server. behold, the user is now logged in to the widget. > > In trying to organize this into OAuth terms and roles, here is what I come up > with: > - resource owner: the user > - resource server: widget provider (where the resource is generically "the > ability to utilize the widget") > - client: the webpage running in the browser > - authorization server: the website > > The website essentially serves up the client application and token in one > shot, so the client never has to explicitly ask for a token. However, the > client would then take that token and use it to access a service. The > website > and widget provider would share key material such that token validation is > possible, but it's important to note that the two services are not owned and > operated by the same people. > > Does this seem right? Normally when I think of OAuth, I think of a user > giving a third-party service access to his personal stuff, but in the above > flow > I'm proposing that OAuth be used so that the user gains access to his own > stuff. In fact, there would be no way to access his stuff other than this > approach, so it's not just about optional third-party access. It's the > direct > and only access. > > Would love confirmation that OAuth is appropriate for my needs, and if I have > the roles right in that case. > > Thanks, > Justin > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
