[Standards] OpenID for XMPP (Was: Authorization over HTTP)

anders conbere aconbere at gmail.com
Fri Nov 9 16:51:17 UTC 2007


On Nov 9, 2007 8:20 AM, Tomasz Sterna <tomek at xiaoka.com> wrote:
> Dnia 09-11-2007, Pt o godzinie 07:39 -0800, anders conbere pisze:
> > This is exactly why I'm talking about, and why openID is not a good
> > solution here. OpenID is fantastic at "prooving you're the user you
> > say you are" this means that we could safely /Authenticate/ with a
> > jabber server. but we want to do more than that, we want to grant a
> > client continued access to those restricted api's (in this case roster
> > add / remove / request and maybe message sending).
>
> How very untrue...
> http://openid.net/specs/openid-attribute-exchange-1_0-07.html
>
> This is the protocol my OpenID gives my e-mail addresses, birthdate,
> gender, avatar, PO address, my JIDs and other IM IDs, and many more, to
> the requesting parties.
>
> During first login to the site with OpenID I'm informed which pieces of
> information the external party requested, and I'm able to choose which I
> want to give, and the period that the acceptance is valid (one-time,
> until some date or forever).

I'm not seeing in that spec the tools necessary for authorization,
which is why I would suspect many of the same people who authored that
spec went on to author the OAuth spec

http://oauth.googlecode.com/svn/spec/branches/1.0/drafts/5/spec.html

That is a spec specifically for /authorizing/ client applications to
use restricted api's

I'm not following how attribute exchange is particularly useful for
granting a client access to api's (perhaps a set of attributes yes,
but at least I'm not seeing it provision for resources).

~ Anders

>
>
> --
>   /\_./o__ Tomasz Sterna
>  (/^/(_^^'  Xiaoka.com
> ._.(_.)_  XMPP: smoku at xiaoka.com
>
>



More information about the Standards mailing list