On 07/22/2009 05:11 PM, Ryan Lane wrote:
> On Wed, Jul 22, 2009 at 3:49 PM, Gregory Maxwell <gmaxwell(a)gmail.com> wrote:
>> If it has your credentials it can impersonate you, which is bad.
>>
>> It's addressed by making it possible for the site to generate access
>> cookies for particular resources which you could share. I.e.
>> "generate a code that gives someone read only access to my watchlist".
>
> What about OpenID + OAuth?

In theory yes, I'd like to support that sort of thing.
(For those unfamiliar: this would allow third party tools or sites to
request limited access on a user's behalf, without exposing the user's
password credentials to that third-party tool. The user would need to
agree to exactly which information would be provided to the tool, and
would be able to revoke the access in the future.
This is broadly similar to the authorization for Flickr API clients and
Facebook apps, but lots of sites are transitioning from their older
proprietary protocols for this to OpenID+OAuth.)
-- brion
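
The scoped, revocable access discussed in this thread, as an added example that is not part of the original messages or of MediaWiki's code: a simplified server-side capability token (not the OAuth protocol itself) limited to one resource and one access level. All names here (`issue_grant`, `check_grant`, `revoke`, the `|`-separated token layout) are hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # site-side secret; never given to the tool
REVOKED = set()                       # grant ids the user has withdrawn
LEVELS = ("read", "write")


def _tag(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_grant(user, resource, access):
    """Mint a shareable token for one resource at one access level."""
    if access not in LEVELS or any("|" in f for f in (user, resource)):
        raise ValueError("bad grant fields")
    payload = "|".join((secrets.token_hex(8), user, resource, access))
    return payload + "|" + _tag(payload)


def check_grant(token, resource, wanted):
    """Return the granting user if the token allows `wanted` on `resource`."""
    parts = token.split("|")
    if len(parts) != 5 or wanted not in LEVELS:
        return None
    grant_id, user, res, access, tag = parts
    expected = _tag("|".join(parts[:4]))
    # Constant-time comparison; an edited scope or user changes the tag.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    if grant_id in REVOKED or res != resource:
        return None
    if wanted == "write" and access != "write":
        return None  # a read-only grant never authorizes a write
    return user


def revoke(token):
    """Withdraw a grant; the user's password is unaffected."""
    REVOKED.add(token.split("|", 1)[0])


if __name__ == "__main__":
    t = issue_grant("ExampleUser", "watchlist", "read")  # constructed sample
    print(check_grant(t, "watchlist", "read"))   # granting user
    print(check_grant(t, "watchlist", "write"))  # None: scope too narrow
    revoke(t)
    print(check_grant(t, "watchlist", "read"))   # None: revoked
```

The third-party tool only ever holds the token, so a leak exposes one resource at one access level until the grant is revoked, rather than the whole account.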