[Standards] XMPP client-centric? [was: Decloaking and Temporary Subscriptions]

Jason Eacott jason at hardlight.com.au
Fri Jan 22 05:16:40 UTC 2010
Peter Saint-Andre wrote:
> On 1/21/10 6:08 PM, Jason Eacott wrote:
> 
>> OAuth is all about impersonating other users, that's all it does!
> 
> False. OAuth is about delegating access to protected resources so that
> another entity can have restricted authority to perform a given task
> (the canonical example is granting a printing service access to your
> online photos). OAuth is not about impersonation, it is about delegated
> authorization. Those two things are very different.
> 
> Peter

Fair enough,
but in practice is there really much distinction? Granting a printing 
service access to photos, granting another service limited access to my 
private XML data store, granting another service the ability to create 
pubsub nodes with me as the owner, etc.
The upshot of it all is that after authority is delegated, the 
authorised proxy is allowed to act on the user's behalf for whatever it 
has been given permission to do.
For me I don't see the difference. I didn't state categorically in this 
last post that the proxy can only act in limited ways (if the user 
offers only limited authority to the service), but I don't think it 
changes the fact that at the end of the process a service is allowed to 
act on behalf of a user (various OAuth APIs make this feel very much 
like simply switching user hats - now I'm user x, do ...).
My point is that if XMPP embraced something like this then components 
and external services could actually use things like the private XML 
storage of any user that offered authority, but instead the only options 
I know of for such a service are to either reinvent XML data storage, deploy 
as a client app, or convince its users to hand over user credentials.

Previous posts in this thread have said there are other options 
available but I don't yet know what they are.
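As an added illustration of the distinction argued in this thread (not code from the thread or from any XMPP project): a toy scoped-grant model in which a service's delegated authority is bounded by the scopes the user granted, while a handed-over credential bounds nothing. The scope names, JIDs, and the Grant/Account classes are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed scope names for the capabilities mentioned in the thread.
PRIVATE_XML_READ = "private-xml:read"
PRIVATE_XML_WRITE = "private-xml:write"
PUBSUB_CREATE = "pubsub:create"
ROSTER_READ = "roster:read"
ALL_SCOPES = frozenset({PRIVATE_XML_READ, PRIVATE_XML_WRITE, PUBSUB_CREATE, ROSTER_READ})


@dataclass(frozen=True)
class Grant:
    """What the user delegated to a service: who, to whom, and which scopes."""
    owner: str          # JID of the delegating user (constructed values only)
    service: str        # JID of the component acting on the owner's behalf
    scopes: frozenset   # the restricted authority; nothing outside it is allowed


@dataclass
class Account:
    jid: str
    private_xml: dict = field(default_factory=dict)   # namespace -> payload
    pubsub_nodes: dict = field(default_factory=dict)  # node -> owner JID


def authorize(grant: Grant, acting_for: str, scope: str) -> bool:
    """Delegated authorization: allowed only if the grant belongs to the user
    the service claims to act for AND explicitly names the requested scope."""
    return acting_for == grant.owner and scope in grant.scopes


def credential_handover(owner: str, service: str) -> Grant:
    """Handing over the password collapses to 'every scope': the service is
    now indistinguishable from the user. This is the impersonation case."""
    return Grant(owner, service, ALL_SCOPES)


def create_pubsub_node(account: Account, grant: Grant, node: str) -> bool:
    """Service creates a node for the user; ownership stays with the user."""
    if not authorize(grant, account.jid, PUBSUB_CREATE):
        return False
    account.pubsub_nodes[node] = account.jid
    return True


def read_private_xml(account: Account, grant: Grant, namespace: str):
    """Service reads one namespace of the user's private XML store, if delegated."""
    if not authorize(grant, account.jid, PRIVATE_XML_READ):
        return None
    return account.private_xml.get(namespace)
```

The scoped grant lets the printing service create a node owned by the user but refuses it the private XML store, whereas the handed-over credential answers every request, which is exactly the difference between delegated authorization and impersonation.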
