If you check out the recording of the UMA webinar from last week, you'll see a demo (starting at about the 33:00 mark) that shows individual user data being accessed according to ACL-type authorization policy settings, with the resource owner able to set these policies and then not have to be online when the requester shows up:
http://kantarainitiative.org/confluence/display/uma/Home

(As an aside, the UMA spec also provides an extended example that illustrates how scopes can be made interoperable enough to protect photos individually. See http://tools.ietf.org/html/draft-hardjono-oauth-umacore-02, especially Sections 1.4 and 10.)

Eve

On 19 Dec 2011, at 10:02 AM, George Fletcher wrote:

> I would also recommend looking at User-Managed-Access which provides this
> kind of layer on top of OAuth2.
>
> http://kantarainitiative.org/confluence/display/uma/UMA+Explained
>
> Thanks,
> George
>
> On 12/18/11 12:05 PM, Melvin Carvalho wrote:
>> Quick question. I was wondering if OAuth 2.0 can work with access
>> control lists.
>>
>> For example there is a protected resource (e.g. a photo), and I want
>> to set it up so that two or more users (for example a group of
>> friends) U1, U2 ... Un will be able to access it after authenticating.
>>
>> Is this kind of flow possible with OAuth 2.0, and if so whose
>> responsibility is it to maintain the list of agents that can access
>> the resource?
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth

Eve Maler
http://www.xmlgrrl.com/blog
+1 425 345 6756
http://www.twitter.com/xmlgrrl