[OAUTH-WG] multi-level delegation

["Vrancken Bart bv" <Bart.bv.Vrancken@alcatel-lucent.com>]

Hi folks,

An example of a case of multi-level delegation, formerly known as
"four-legged auth" is described in the ID
http://tools.ietf.org/html/draft-vrancken-oauth-redelegation-00 . If we
have a server that acts as a content manager or a mash-up for one or
multiple web services that uses OAuth and we want different clients to
connect to this server, with the standard, like it is today, we have 2
possibilities:
1. We distribute the OAuth credentials from the server to the different
client. (What is against the philosophy of OAuth and sometimes not even
possible)
2. We act as a proxy and the client can get all the content from our
server. (And why would we like to generate unnecessary internet traffic,
the idea of OAuth is to grant direct access)

If we assume that the server and the clients are part of 1 application
(act as one client/consumer) and we are not happy that credentials in
client applications could easily be hacked, the system described in the
ID will give some extra security. The hacked credentials are only valid
for one specific client. A policy could be that credentials on such
clients are more limited in time and limited in rights to improve the
security. The user mustn't be involved anymore to renew these
credentials, because the server could grant permission.

Another case could be that a user wants to grant a printing service (the
famous case in the original ID :-)) to have access to its private photos
stored at different photo sharing services, via a content manager. The
user shouldn't be bothered to go to the whole authorization flows again,
if the content manager could prove that he can act on the behalf of the
user.

These are just 2 cases, but I can assume there are a lot more...

Best regards,

Bart Vrancken