[Wg-uma] Fwd: Use Case: Consumer delegate

Eve Maler eve at xmlgrrl.com
Thu Oct 8 12:22:19 EDT 2009

Begin forwarded message:

> From: Eve Maler <eve at xmlgrrl.com>
> Date: 8 October 2009 6:58:23 AM PDT
> To: Michael Hanson <mhanson at spflrc.org>
> Subject: Re: Use Case: Consumer delegate
> Hi Michael-- I'm sorry not to have responded till now!  Are you  
> willing to forward to the group for discussion today?
> We may have several different variants of this scenario to  
> consider.  I was originally thinking of the "base" case where the  
> Requesting Party (thinking legal-ish terms) is a person, and is the  
> same person as the Authorizing User -- and then a variant case where  
> the Requesting Party is a company, and is the company that runs the  
> Requester application -- and I think yours still a different variant  
> case where the the Requesting Party is a company that outsources a  
> job to the Requester app.
> 	Eve
> On 7 Oct 2009, at 3:08 PM, Michael Hanson wrote:
>> Trying to write this as concisely as possible to capture the idea  
>> we were talking about.
>> Use Case: Requester Delegate
>> The requester may be using a hosted service, which may need to make  
>> requests on its behalf.
>> Problem Scenario:
>> The user has entered a relationship with BizService, and wants to  
>> authorize it to access her calendar.  BizService is using a website  
>> hosted by BizTools, which is the entity that will initiate all  
>> network activity and actually hold the tokens generated during the  
>> transaction.
>> The user should be able to authorize BizService to access her data,  
>> without granting any privileges to BizTools, and without granting  
>> privileges to any other company hosted by BizTools.  This should be  
>> done in a way that does not allow BizTools to impersonate BizService.
>> Let us assume for now that BizService is providing a network  
>> endpoint that has the necessary capabilities for the solution  
>> scenario -- if the service is fully hosted by BizTools, there's not  
>> really a technical fix for impersonation.
>> Issues:
>> * Does the user need to be aware of BizTools, or can she grant  
>> authorization to BizService in a way that allows BizService to  
>> relay access?
>> * Does this scenario require an explicit model of delegation  
>> enforced by the AM, so that BizService can't hand off an access  
>> token to anybody they want?
>> <UMA diagram.jpg>
> Eve Maler
> eve at xmlgrrl.com
> http://www.xmlgrrl.com/blog

Eve Maler
eve at xmlgrrl.com

More information about the Wg-uma mailing list