Hi,  Praba

  I am also thinking about this subject, and have published a draft on it.
http://tools.ietf.org/id/draft-zhou-oauth-owner-auth-00.txt
  I'd like to have your opinion.
 



Prabath Siriwardena <prab...@wso2.com>
Sent by: oauth-boun...@ietf.org
2012-10-08 08:08

To: Eve Maler <e...@xmlgrrl.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Resource owner initiated OAuth delegation

Hi Eve,

Thanks for pointers.. I've been following the work done in UMA.. Sure.. 
will join the webinar...

BTW .. I am not quite sure UMA addresses my use case. Even in the case of 
UMA it's client initiated or requestor initiated...

Please correct me if I am wrong... but in the OAuth specification there are no 
restrictions on identifying the 'client' as a person, organization or as 
himself.. 

In my view - this is an extended grant type.. which has two phases..

1. Resource owner grants access to a selected Client
2. Client requests the already available access token for him from the 
Authorization Server. [just like passing the refresh_token]

WDYT ?

Thanks & regards,
-Prabath 

On Sun, Oct 7, 2012 at 11:05 AM, Eve Maler <e...@xmlgrrl.com> wrote:
Hi Prabath,

As far as I know, OAuth itself generally isn't used to let one human 
resource owner delegate access to a different human resource owner. 
However, UMA (which leverages OAuth) does strive to solve exactly this use 
case, among other similar ones; we call this one "person-to-person 
sharing", and you can read more about it here: 
http://docs.kantarainitiative.org/uma/draft-uma-trust.html#anchor1

The UMA flow at run time still ends up being effectively 
"client-initiated" (we would say requesting-party-initiated, using a 
requester app) because the original resource owner (we call it an 
authorizing party) is no longer around by then. The authz party would set 
up policies at some point before going on vacation, and these policies 
would enable the requesting party to "qualify in" for access at run time, 
by supplying identity claims that get used in an authorization check by 
the authz server (authz manager).

We'll be walking through UMA flows and demoing an extensive use case at a 
webinar on Wed, Oct 17. More info is here: http://tinyurl.com/umawg

Hope this helps,

        Eve

On 6 Oct 2012, at 10:29 AM, Prabath Siriwardena <prab...@wso2.com> wrote:

> Hi folks,
>
> I would like to know your thoughts on the $subject..
>
> For me it looks like a concrete use case which OAuth conceptually does
> address - but the protocol is not well defined..
>
> Please find [1] for further details...
>
> [1]: http://blog.facilelogin.com/2012/10/ationwhat-oauth-lacks-resource-owner.html
>
> --
> Thanks & Regards,
> Prabath
>
> Mobile : +94 71 809 6732
>
> http://blog.facilelogin.com
> http://RampartFAQ.com
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


Eve Maler                                  http://www.xmlgrrl.com/blog
+1 425 345 6756                         http://www.twitter.com/xmlgrrl





-- 
Thanks & Regards,
Prabath

Mobile : +94 71 809 6732 

http://blog.facilelogin.com
http://RampartFAQ.com