OAuth for data sharing
Author: Claudia Wagner | Published: 11th November 2008
I am currently looking at the OAuth protocol, asking myself what is possible with OAuth and what is not.
If you look at the OAuth flow diagram, you can see that the data sharing process is initiated by the Consumer, i.e. by a user stating on the Consumer application that he wants to allow that application to use resources stored on another application, called the Service Provider. The Consumer sends a signed request to the Provider in order to get an unauthorized Request Token. This token must be authorized at the Provider by the user who owns the protected resources, so the user is redirected from the Consumer site to the Service Provider's site (step C in the flow diagram), where he must authenticate. OAuth does not specify how the Service Provider authenticates the user. It only requires that the Service Provider verify the user's identity, so that it can tell whether this user is authorized to grant or deny access to a Consumer. Once the owner has granted access, the Consumer exchanges the now authorized Request Token for an Access Token, and only the Access Token lets it reach the protected resources.
In a typical Social Web application, only the owner of a user account is authorized to grant or deny access to the resources stored in that account. Therefore the user can authenticate at the Service Provider simply by logging in to the web application.
All in all, that means the basic use case for OAuth is controlling data sharing across applications acting on behalf of ONE user.
For example, user U controls via OAuth which Consumer applications (acting on behalf of U) are allowed to use which parts of the protected resources stored on a Provider application. The Provider also acts on behalf of U, and U is the one authorized to control access to those resources.
Would it also be possible to use OAuth to control data sharing across applications acting on behalf of different users?
For example, could user U of flickr state that he wants to share his picture with user B of facebook? In this case a flickr client acting on behalf of user U would be the Provider and a facebook client acting on behalf of user B would be the Consumer. Redirecting user B from the Consumer site (facebook) to the Service Provider site (flickr) makes no sense here, because B only owns the facebook account and the resources associated with it. Instead a notification should be sent to user U, because U is the one who must go to the Provider site and grant or deny access to the request sent by the Consumer client belonging to user B.
In this cross-user, cross-application data sharing use case, the data sharing process should be startable by either the Provider or the Consumer. If the Provider client starts it, it can send the Request Token directly to the desired Consumer. The Consumer then has to ensure that the user owning the protected resources goes to the Service Provider and authorizes the Consumer's Request Token. Either way, the Service Provider must record who authorized each Request Token and refuse to exchange one that nobody has authorized yet, since otherwise a Consumer that merely holds a Request Token is indistinguishable from one the owner has approved.
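To make the flow above concrete, here is an added example (written for this page, not code from the post or from flickr/facebook) that implements both sides of the OAuth 1.0 Request Token / Access Token exchange with HMAC-SHA1 signatures, and then runs the cross-user case: the Consumer acts for user B, while the Request Token is authorized at the Provider by the resource owner U. The Provider refuses to exchange a Request Token that no owner has authorized and rejects replayed nonces. The consumer key, the `https://flickr.example` URL, and the user names are made up; the one real set of values is the signature test vector from Appendix A of the OAuth Core 1.0 specification, kept here to check the signing code.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed credentials for the example (not real flickr/facebook values).
CONSUMER_KEY = "facebook-client-key"
CONSUMER_SECRET = "facebook-client-secret"

# Parameters and secrets of the worked example in Appendix A of OAuth Core 1.0.
SPEC_URL = "http://photos.example.net/photos"
SPEC_PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0",
    "file": "vacation.jpg", "size": "original",
}
SPEC_CONSUMER_SECRET, SPEC_TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"


def oauth_escape(value):
    # OAuth 1.0 section 5.1: percent-encode everything except RFC 3986 unreserved characters.
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    # Section 9.1: METHOD & url & normalised-parameters, parameters sorted by name, each part encoded.
    normalized = "&".join(f"{oauth_escape(k)}={oauth_escape(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), oauth_escape(url), oauth_escape(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    # Section 9.2: key is consumer_secret&token_secret; token_secret is empty for the first request.
    key = f"{oauth_escape(consumer_secret)}&{oauth_escape(token_secret)}".encode()
    digest = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


class Consumer:
    def __init__(self, key, secret):
        self.key, self.secret = key, secret

    def signed_params(self, method, url, token=None, token_secret=""):
        params = {"oauth_consumer_key": self.key, "oauth_signature_method": "HMAC-SHA1",
                  "oauth_timestamp": str(int(time.time())), "oauth_nonce": secrets.token_hex(8),
                  "oauth_version": "1.0"}
        if token:
            params["oauth_token"] = token
        params["oauth_signature"] = hmac_sha1_signature(method, url, params, self.secret, token_secret)
        return params


class ServiceProvider:
    def __init__(self, base_url):
        self.base_url, self.consumers, self.seen_nonces = base_url, {}, set()
        self.request_tokens, self.access_tokens = {}, {}

    def register_consumer(self, key, secret):
        self.consumers[key] = secret

    def _verify(self, method, url, params, token_secret=""):
        params = dict(params)
        presented = params.pop("oauth_signature", "")
        secret = self.consumers.get(params.get("oauth_consumer_key"))
        nonce = (params.get("oauth_consumer_key"), params.get("oauth_timestamp"), params.get("oauth_nonce"))
        if secret is None or nonce in self.seen_nonces:      # unknown consumer or replayed request
            return False
        expected = hmac_sha1_signature(method, url, params, secret, token_secret)
        if not hmac.compare_digest(expected, presented):
            return False
        self.seen_nonces.add(nonce)
        return True

    def request_token(self, params):
        # Steps A/B: a correctly signed Consumer request yields an *unauthorized* Request Token.
        if not self._verify("POST", self.base_url + "/request_token", params):
            raise PermissionError("bad signature")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "consumer": params["oauth_consumer_key"], "owner": None}
        return token, secret

    def authorize(self, token, owner):
        # Steps C/D: the resource owner, already logged in here (how is out of OAuth's scope), grants access.
        self.request_tokens[token]["owner"] = owner

    def access_token(self, params):
        # Steps F/G: only an authorized Request Token, presented by the same Consumer, becomes an Access Token.
        entry = self.request_tokens.get(params.get("oauth_token"))
        if entry is None or entry["consumer"] != params.get("oauth_consumer_key"):
            raise PermissionError("unknown request token")
        if not self._verify("POST", self.base_url + "/access_token", params, entry["secret"]):
            raise PermissionError("bad signature")
        if entry["owner"] is None:
            raise PermissionError("request token not yet authorized by the resource owner")
        del self.request_tokens[params["oauth_token"]]          # Request Tokens are single use
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = {"secret": secret, "consumer": entry["consumer"], "owner": entry["owner"]}
        return token, secret


def run_flow(owner="U"):
    # Consumer acts for user B; the Request Token is authorized by owner U (or nobody, if owner is None).
    sp = ServiceProvider("https://flickr.example")
    sp.register_consumer(CONSUMER_KEY, CONSUMER_SECRET)
    consumer = Consumer(CONSUMER_KEY, CONSUMER_SECRET)
    rt, rt_secret = sp.request_token(consumer.signed_params("POST", sp.base_url + "/request_token"))
    if owner is not None:
        sp.authorize(rt, owner)
    try:
        at, _ = sp.access_token(consumer.signed_params("POST", sp.base_url + "/access_token", rt, rt_secret))
        return "granted to %s for owner %s" % (sp.access_tokens[at]["consumer"], sp.access_tokens[at]["owner"])
    except PermissionError as e:
        return str(e)


def replay_rejected():
    # The same signed request presented twice must fail the second time (nonce/timestamp reuse).
    sp = ServiceProvider("https://flickr.example")
    sp.register_consumer(CONSUMER_KEY, CONSUMER_SECRET)
    params = Consumer(CONSUMER_KEY, CONSUMER_SECRET).signed_params("POST", sp.base_url + "/request_token")
    sp.request_token(params)
    try:
        sp.request_token(params)
        return False
    except PermissionError:
        return True
```

The owner check in `access_token` is the part that carries the cross-user case: whether B's Consumer obtained the Request Token itself (steps A/B) or was handed it by U's Provider client, it gets an Access Token only after U has authorized that specific token at the Provider.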