Re: [OAUTH-WG] Understanding how OpenSocial uses OAuth 1.0a

Brian Eaton <beaton@google.com> Fri, 19 March 2010 22:24 UTC

Return-Path: <beaton@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EBA263A6808 for <oauth@core3.amsl.com>; Fri, 19 Mar 2010 15:24:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.364
X-Spam-Level:
X-Spam-Status: No, score=-105.364 tagged_above=-999 required=5 tests=[AWL=-0.517, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xmcv+PFPWa7I for <oauth@core3.amsl.com>; Fri, 19 Mar 2010 15:24:48 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by core3.amsl.com (Postfix) with ESMTP id 107B33A6A80 for <oauth@ietf.org>; Fri, 19 Mar 2010 15:24:46 -0700 (PDT)
Received: from hpaq1.eem.corp.google.com (hpaq1.eem.corp.google.com [10.3.21.1]) by smtp-out.google.com with ESMTP id o2JMOuaq009504 for <oauth@ietf.org>; Fri, 19 Mar 2010 15:24:56 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1269037496; bh=wBNUCO8qg+H8wYIs+Rwu8ESIiNY=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=j1DG+OTmtinrVk2IcKZvhbGph2lVQdruVkTr+K6HYxda5h8fhHpDRVU4uEyiq9eY7 yj8crgWM+Jr6PvWXvW9kg==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:date:message-id:subject:from:to: cc:content-type:x-system-of-record; b=V02Re6bObkU0ywjDTvw1K3TTVKPrxJYfSY9aHD5oX0+5iP7H73i2MJ9SdLQT+y4yv Pd4VwHyrQGCuTYtKIEFyQ==
Received: from vws12 (vws12.prod.google.com [10.241.21.140]) by hpaq1.eem.corp.google.com with ESMTP id o2JMOsID022788 for <oauth@ietf.org>; Fri, 19 Mar 2010 23:24:55 +0100
Received: by vws12 with SMTP id 12so1459600vws.1 for <oauth@ietf.org>; Fri, 19 Mar 2010 15:24:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.220.48.22 with SMTP id p22mr404014vcf.93.1269037494138; Fri, 19 Mar 2010 15:24:54 -0700 (PDT)
In-Reply-To: <68f4a0e81003191328r4912ddb0uc37c4bc65f5fb7e4@mail.gmail.com>
References: <fd6741651003161112y2eceb494ue28db2644ba1d32a@mail.gmail.com> <68f4a0e81003191052m7ab778d6n330e58bd58b9f924@mail.gmail.com> <daf5b9571003191144j74ea597cgf06ef3ba449cecef@mail.gmail.com> <daf5b9571003191145v5ee86c9bw324ceb9366f1c6bb@mail.gmail.com> <68f4a0e81003191328r4912ddb0uc37c4bc65f5fb7e4@mail.gmail.com>
Date: Fri, 19 Mar 2010 15:24:54 -0700
Message-ID: <daf5b9571003191524s6b5dfdf0g2a5082f7e9370429@mail.gmail.com>
From: Brian Eaton <beaton@google.com>
To: Ethan Jewett <esjewett@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
X-System-Of-Record: true
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Understanding how OpenSocial uses OAuth 1.0a
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Mar 2010 22:24:50 -0000

On Fri, Mar 19, 2010 at 1:28 PM, Ethan Jewett <esjewett@gmail.com> wrote:
> I don't think so. In the OpenSocial case, the only "OAuth Consumer"
> per se is the OpenSocial container. The gadget is not making signed
> requests and is completely trusting the container to represent it
> properly to the OAuth Provider. In other words, from an OAuth request
> flow perspective, the gadget is pretty much irrelevant.

I think the OpenSocial use cases are interesting for two reasons.

1) They use signed identity claims.
    MS has done this with SWT.
    Lots of people have done this with OpenID and SAML.
    UMA is using signed tokens with identity claims.

2) They have trusted containers that do OAuth on behalf of applications.
    This is a powerful security tool - the gadgets get short-lived
    access to data, the containers hold the long-lived secrets.  WRAP also
    lets you do this.

Cheers,
Brian
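The container-signs-for-the-gadget pattern discussed in this thread, as an added illustration that is not part of the original mail and is not OpenSocial's or any container's actual code: the gadget supplies only its request, the container (which alone holds the long-lived consumer secret) attaches identity claims and produces an OAuth 1.0a HMAC-SHA1 signature per RFC 5849, and the service provider accepts the claims only after the signature, timestamp and nonce check out. The class names, the sample keys and the claim parameter names (`opensocial_viewer_id`, `opensocial_app_id`) are assumptions chosen for illustration.

```python
"""
Constructed example (not from the thread): an OpenSocial-style signed fetch.
The gadget never sees a secret; the trusted container holds the OAuth 1.0a
consumer secret, adds identity claims about the viewer and signs the request
with HMAC-SHA1 (RFC 5849 section 3.4). The provider verifies the signature
and only then trusts the claims. Parameter names are assumed for illustration.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value: str) -> str:
    # RFC 5849 section 3.6: percent-encode everything except unreserved characters.
    return quote(str(value), safe="-._~")


def base_string_uri(url: str) -> str:
    # Section 3.4.1.2: lowercase scheme/host, drop default ports, drop the query.
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    port = parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method: str, url: str, params: dict) -> str:
    # Section 3.4.1.3: query-string and protocol parameters are encoded, sorted
    # by key then value, joined with '&' and '=', then concatenated with the URI.
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs = sorted((pct(k), pct(v)) for k, v in list(query) + list(params.items()))
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1(base: str, consumer_secret: str, token_secret: str = "") -> str:
    # Section 3.4.2: key is "consumer_secret&token_secret", both percent-encoded.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


class Container:
    """Trusted container: holds the long-lived secret and signs on the gadget's behalf."""

    def __init__(self, consumer_key: str, consumer_secret: str):
        self.consumer_key = consumer_key
        self._consumer_secret = consumer_secret  # never handed to a gadget

    def signed_fetch(self, method, url, gadget_params, viewer_id, app_id) -> dict:
        params = dict(gadget_params)  # the gadget's own request parameters
        params.update({
            "opensocial_viewer_id": viewer_id,  # identity claim asserted by the container
            "opensocial_app_id": app_id,
            "oauth_consumer_key": self.consumer_key,
            "oauth_signature_method": "HMAC-SHA1",
            "oauth_timestamp": str(int(time.time())),
            "oauth_nonce": secrets.token_hex(8),
            "oauth_version": "1.0",
        })
        base = signature_base_string(method, url, params)
        params["oauth_signature"] = hmac_sha1(base, self._consumer_secret)
        return params


class Provider:
    """Service provider: trusts identity claims only when the container's signature holds."""

    def __init__(self, consumer_secrets: dict, max_skew: int = 300):
        self.consumer_secrets = consumer_secrets
        self.max_skew = max_skew
        self.seen_nonces = set()

    def verify(self, method, url, params, now=None):
        """Return the asserted claims, or None if the request must be rejected."""
        now = int(time.time()) if now is None else now
        secret = self.consumer_secrets.get(params.get("oauth_consumer_key"))
        if secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
            return None
        try:
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return None
        if abs(now - ts) > self.max_skew:
            return None  # stale or future-dated request
        nonce_key = (params["oauth_consumer_key"], params.get("oauth_nonce"), ts)
        if nonce_key in self.seen_nonces:
            return None  # replayed request
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        expected = hmac_sha1(signature_base_string(method, url, unsigned), secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return None  # forged, tampered, or signed with the wrong secret
        self.seen_nonces.add(nonce_key)
        return {"viewer_id": params.get("opensocial_viewer_id"),
                "app_id": params.get("opensocial_app_id")}


if __name__ == "__main__":
    container = Container("container-key", "container-secret")
    provider = Provider({"container-key": "container-secret"})
    url = "https://api.example.net/people/@me?fields=name"
    request = container.signed_fetch("GET", url, {"count": "5"}, "viewer-42", "app-7")
    print(provider.verify("GET", url, request))  # claims accepted
    print(provider.verify("GET", url, request))  # None: nonce already seen
```

The point the example makes is the one in the mail: the gadget's parameters ride inside the signed set, so a gadget (or anyone else without the container's secret) cannot alter or forge the identity claims, and the provider's timestamp and nonce checks bound how long a captured signed request stays useful.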