[sldev] [AWG] OGP Authentication Draft 3
Meadhbh Hamrick (Infinity)
infinity at lindenlab.com
Tue Jan 13 10:06:00 PST 2009
but seriously. OAuth is a step in the right direction, but...
a. it depends on HTTP. we think linking application level objects
(like application object access control metadata) with a specific
transport is a bad idea.
b. as far as i can tell, it doesn't have a resource for managing
distributed access-control tokens. there seems to be an assumption
that all access control will be managed by the same administrative
party. that being said... there appears to be nothing in the spec to
PREVENT you from adding this feature, and I've pinged the OAuth peeps
from time to time about it, so who knows.
c. OAuth is for securely transporting object access control metadata,
OGP Authentication is for authenticating an end user to a service
cloud. OGP Auth is actually a little closer to OpenID than to OAuth.
But i think you're asking... why not return an OAuth compliant PDU as
a result of successful OGP Authentication. hmm... no reason it can't
be done from a protocol perspective, but we would have to get with the
OAuth people and get them to fix problems a and b above before we
would likely deploy something like that.
On Jan 13, 2009, at 5:00 AM, Escort DeFarge wrote:
> Having read...
> I'm not really understanding the advantage this has over...
> ...particularly since capabilities are being introduced with OGP?
> Policies and (un)subscribe information available here:
> Please read the policies before posting to keep unmoderated posting
More information about the SLDev