[cap-talk] OAuth vs. CapDoc contrast

Ben Laurie benl at google.com
Sat Sep 29 10:32:59 EDT 2007


On 9/29/07, Karp, Alan H <alan.karp at hp.com> wrote:
> Jed wrote:
> >
> > Thanks for taking time to write Blaine!
> >
> I had misunderstood some things about OAuth until I read Jed's
> discussion of Blaine's comments.  In particular, the use model is quite
> different from what I had thought it was because I hadn't read all the
> way to the appendices.  The one sentence in the abstract didn't make it
> clear that the user initiates the request made by the consumer.
> Clearly, OAuth is not the general purpose authorization mechanism I
> thought it was.
>
> I am still confused by some things.
>
> 1. Much of the protocol seems to exist to protect the tokens and secrets
> when they are used over HTTP.  However, several sections in Appendix B
> recommend using HTTPS.  Why not just use HTTPS all the time and simplify
> the protocol?

Many service providers are reluctant to use HTTPS for all their
traffic because of the load it imposes.

> 2. Appendix B.9 implies that the authorization token grants the consumer
> access to all the user's protected resources, not just the one the user
> authorized.  Is this choice just an optimization?

It should not imply that. The token should grant the consumer access
only to what the user authorised.

> 3. Can an authorization token be delegated?  For example,
> printer.example.com prints only text and farms out work on photos to
> images.example.org, which never heard of photos.example.net.  Does
> printer.example.com have to read the bits and forward them, or is there
> a way for images.example.org to read them directly from
> photos.example.net.  If so, can images.example.org further delegate the
> authorization?

No, but once OAuth is baked, I do plan to work on a delegation
standard. Are you interested in helping?

> 4. Finally, I'll re-ask Jed's question.  Why not just use webkeys?  The
> user can go to her account at photos.example.net and be presented with a
> "Delegate" button for each resource.  Pressing that button returns a
> URL, which can be pasted into a form field at photos.example.net.  That
> URL can hold the relevant information granting access to the one
> resource being designated and can be revoked after a single use.

Since I am also generally a fan of capabilities, I tend to wonder this, too :-)

One answer is that then you would not be able to delegate.
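As an added illustration, not part of the thread, here is a constructed Python sketch of the webkey model Alan describes in point 4, which also makes the scope point from point 2 concrete: each minted URL designates exactly one resource, can be single-use, and can be revoked. The hostname, paths and class names are made up for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Constructed example: a minimal webkey issuer for photos.example.net.
# A webkey is an unguessable URL that designates one protected resource;
# possession of the URL is the authorization. The issuer keeps per-key
# state so a key is bound to a single resource, may be single-use, and
# can be revoked.

@dataclass
class Webkey:
    resource: str        # the one resource this key designates
    uses_left: int       # 1 for single-use, -1 for unlimited
    revoked: bool = False

class WebkeyIssuer:
    def __init__(self, host="photos.example.net"):
        self.host = host
        self._keys = {}  # sha256(secret) -> Webkey; raw secrets are not stored

    @staticmethod
    def _digest(secret):
        return hashlib.sha256(secret.encode()).hexdigest()

    def delegate(self, resource, single_use=True):
        """What the 'Delegate' button does: mint a URL for one resource."""
        secret = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self._keys[self._digest(secret)] = Webkey(resource, 1 if single_use else -1)
        return f"https://{self.host}/cap/{secret}"

    def revoke(self, url):
        key = self._keys.get(self._digest(url.rsplit("/", 1)[-1]))
        if key is not None:
            key.revoked = True

    def fetch(self, url, requested_resource):
        """Resolve a webkey; returns the resource bytes or None if denied."""
        key = self._keys.get(self._digest(url.rsplit("/", 1)[-1]))
        if key is None or key.revoked or key.uses_left == 0:
            return None
        # Scope check: the key grants exactly one resource, not the whole account.
        if requested_resource != key.resource:
            return None
        if key.uses_left > 0:
            key.uses_left -= 1
            if key.uses_left == 0:
                key.revoked = True  # single-use key dies after its first fetch
        return f"<bytes of {key.resource}>"
```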

