[Standards] XMPP client-centric? [was: Decloaking and Temporary Subscriptions]

Pedro Melo melo at simplicidade.org
Fri Jan 22 08:06:31 UTC 2010


On Fri, Jan 22, 2010 at 5:16 AM, Jason Eacott <jason at hardlight.com.au> wrote:
> Peter Saint-Andre wrote:
>> On 1/21/10 6:08 PM, Jason Eacott wrote:
>>> OAuth is all about impersonating other users, that's all it does!
>> False. OAuth is about delegating access to protected resources so that
>> another entity can have restricted authority to perform a given task
>> (the canonical example is granting a printing service access to your
>> online photos). OAuth is not about impersonation, it is about delegated
>> authorization. Those two things are very different.
> fair enough,
> but in practice is there really much distinction? granting a printing
> service access to photos, granting another service limited access to my
> private xml data store, granting another service to create pubsub nodes with
> me as the owner, etc.

Yes, it is totally different. With impersonation you are the user, and
the services cannot know the difference and therefore you can't limit
what they can do as you. Impersonation is me using your login and

Delegating access implies a different identification that has access
to your data, and the service can use that different identification
(and other data, like the oauth access token) to provide you with
limited access.

Pedro Melo
xmpp:melo at simplicidade.org
mailto:melo at simplicidade.org
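To make the distinction Pedro draws concrete, here is a small added illustration (not code from any poster in this thread): a toy resource server that handles both paths. With the impersonation path the server sees only "alice", so it can neither narrow what the caller may do nor record who really asked; with the delegation path the delegate keeps its own identity and a scoped grant, so the server can bound the decision, log both parties, and the owner can revoke that one grant without touching her password. The token format, scope names ("photos:read" etc.), client id "printshop" and the account are all constructed for the example and follow no particular OAuth specification.

```python
"""Toy resource server contrasting impersonation with delegated access.

Added illustration for the thread above, not code from any poster. The token
format, scope names, client ids and user accounts are all constructed for the
example and do not follow a particular OAuth specification.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Grant:
    """Record of a delegation: which client may act, for which owner, within what scope."""
    client_id: str
    owner: str
    scopes: frozenset
    revoked: bool = False


@dataclass
class ResourceServer:
    # username -> password; constructed demo accounts (a real server stores hashes)
    users: dict
    grants: dict = field(default_factory=dict)  # access token -> Grant
    audit: list = field(default_factory=list)   # (actor, on_behalf_of, action, allowed)

    def login(self, username, password):
        """Impersonation path: anyone presenting the password *is* this user to us."""
        expected = self.users.get(username, "")
        if not hmac.compare_digest(password.encode(), expected.encode()):
            return None
        return ("user", username)

    def issue_token(self, client_id, owner, scopes):
        """Delegation path: owner consents to client_id acting within `scopes` only."""
        token = secrets.token_urlsafe(16)
        self.grants[token] = Grant(client_id, owner, frozenset(scopes))
        return token

    def authenticate_token(self, token):
        grant = self.grants.get(token)
        if grant is None or grant.revoked:
            return None
        return ("client", grant)

    def revoke(self, token):
        """Owner withdraws one delegation; their own password is untouched."""
        self.grants[token].revoked = True

    def authorize(self, principal, action):
        """Decide an action such as 'photos:read' and record who really asked for it."""
        kind, who = principal
        if kind == "user":
            # The server cannot tell the account owner from a party holding the
            # owner's password, so nothing can be narrowed: every action passes
            # and the audit trail names only the user.
            self.audit.append((who, who, action, True))
            return True
        grant = who
        allowed = action in grant.scopes
        # Delegation keeps a distinct identity for the delegate, so the decision
        # is bounded by the grant and the log shows both client and owner.
        self.audit.append((grant.client_id, grant.owner, action, allowed))
        return allowed


def demo():
    """Run both paths against one server and return the observable differences."""
    srv = ResourceServer(users={"alice": "correct-horse"})  # constructed account

    # Impersonation: a printing service given alice's password can do anything.
    as_alice = srv.login("alice", "correct-horse")
    impersonation_delete = srv.authorize(as_alice, "photos:delete")

    # Delegation: alice grants the printing service read access to photos only.
    token = srv.issue_token("printshop", "alice", ["photos:read"])
    as_printshop = srv.authenticate_token(token)
    delegated_read = srv.authorize(as_printshop, "photos:read")
    delegated_delete = srv.authorize(as_printshop, "photos:delete")
    delegated_xml = srv.authorize(as_printshop, "xmldata:read")

    # Revoking the token cuts off the delegate without resetting alice's password.
    srv.revoke(token)
    token_after_revoke = srv.authenticate_token(token)
    login_after_revoke = srv.login("alice", "correct-horse")

    return {
        "impersonation_delete": impersonation_delete,
        "delegated_read": delegated_read,
        "delegated_delete": delegated_delete,
        "delegated_xml": delegated_xml,
        "token_valid_after_revoke": token_after_revoke is not None,
        "login_valid_after_revoke": login_after_revoke is not None,
        "audit": srv.audit,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the point of the thread: the impersonated session passes every action and leaves an audit entry naming only alice, while the delegated session is refused anything outside `photos:read` and every entry names "printshop" acting for "alice".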
