[Standards] XMPP client-centric? [was: Decloaking and Temporary Subscriptions]

Jason Eacott jason at hardlight.com.au
Fri Jan 22 08:23:45 UTC 2010


  Pedro Melo wrote:
> Hi,
> 
> 
> On Fri, Jan 22, 2010 at 5:16 AM, Jason Eacott <jason at hardlight.com.au> wrote:
>> Peter Saint-Andre wrote:
>>> On 1/21/10 6:08 PM, Jason Eacott wrote:
>>>> OAuth is all about impersonating other users, that's all it does!
>>> False. OAuth is about delegating access to protected resources so that
>>> another entity can have restricted authority to perform a given task
>>> (the canonical example is granting a printing service access to your
>>> online photos). OAuth is not about impersonation, it is about delegated
>>> authorization. Those two things are very different.
>> Fair enough,
>> but in practice is there really much distinction? Granting a printing
>> service access to photos, granting another service limited access to my
>> private XML data store, granting another service to create pubsub nodes with
>> me as the owner, etc.
> 
> Yes, it is totally different. With impersonation you are the user, and
> the services cannot know the difference and therefore you can't limit
> what they can do as you. Impersonation is me using your login and
> password.
> 
> Delegating access implies a different identification that has access
> to your data, and the service can use that different identification
> (and other data, like the oauth access token) to provide you with
> limited access.
> 
> Bye,

Sure - and with an OAuth-like system the target always knows.
I'll admit that in my original suggested approach the target
service would not know, but it was a first rough, aimed for discussion,
and at trying to enable reuse of existing components without
modification. So suggest workable amendments or a workable alternative.

I sense more than a small amount of nastiness here, and I don't think it's
warranted.
I know I'm not alone in thinking this particular issue is an important
missing capability of XMPP, but if nobody's interested in the discussion
then I'll drop it.












