[jdev] Open Auth

Peter Saint-Andre stpeter at stpeter.im
Tue Jul 1 15:38:21 CDT 2008


Jonathan Dickinson wrote:
> Hi People,
> 
> Seems like people are taking OAuth seriously. Google has (apparently)
> recently rolled out support for it. Quoted:
> 
> "This is what OAuth does, it allows you the User to grant access
> to your private resources on one site (which is called the Service
> Provider), to another site (called Consumer, not to be confused with
> you, the User). While OpenID is all about using a single identity to
> sign into many sites, OAuth is about giving access to your stuff
> without sharing your identity at all (or its secret parts)."
> 
> Maybe someone should have a look at this for a possible interop spec?
> Hit login, open a web page and authenticate: I suppose it works like
> the Facebook API in many ways (can store a permanent login token).
> 
> The nice thing about it, I guess, is that by supporting it we can
> remove the dependency on plain-text passwords in the DB (because you
> are in charge of how the passwords are checked, not X-amount of SASL
> mechanisms that collectively force you to store it in plain-text).

As far as I understand it, OAuth is for *authorization*, not 
*authentication*. So an XMPP service would use OAuth to allow someone to 
(say) publish to your PEP nodes, but would not use it as a substitute for
native authentication. IMHO, anyway.

Peter



