[Wg-uma] Fwd: Use Case: Consumer delegate
eve at xmlgrrl.com
Thu Oct 8 12:22:19 EDT 2009
Begin forwarded message:
> From: Eve Maler <eve at xmlgrrl.com>
> Date: 8 October 2009 6:58:23 AM PDT
> To: Michael Hanson <mhanson at spflrc.org>
> Subject: Re: Use Case: Consumer delegate
> Hi Michael-- I'm sorry not to have responded till now! Are you
> willing to forward to the group for discussion today?
> We may have several different variants of this scenario to
> consider. I was originally thinking of the "base" case where the
> Requesting Party (thinking legal-ish terms) is a person, and is the
> same person as the Authorizing User -- and then a variant case where
> the Requesting Party is a company, and is the company that runs the
> Requester application -- and I think yours still a different variant
> case where the the Requesting Party is a company that outsources a
> job to the Requester app.
> On 7 Oct 2009, at 3:08 PM, Michael Hanson wrote:
>> Trying to write this as concisely as possible to capture the idea
>> we were talking about.
>> Use Case: Requester Delegate
>> The requester may be using a hosted service, which may need to make
>> requests on its behalf.
>> Problem Scenario:
>> The user has entered a relationship with BizService, and wants to
>> authorize it to access her calendar. BizService is using a website
>> hosted by BizTools, which is the entity that will initiate all
>> network activity and actually hold the tokens generated during the
>> The user should be able to authorize BizService to access her data,
>> without granting any privileges to BizTools, and without granting
>> privileges to any other company hosted by BizTools. This should be
>> done in a way that does not allow BizTools to impersonate BizService.
>> Let us assume for now that BizService is providing a network
>> endpoint that has the necessary capabilities for the solution
>> scenario -- if the service is fully hosted by BizTools, there's not
>> really a technical fix for impersonation.
>> * Does the user need to be aware of BizTools, or can she grant
>> authorization to BizService in a way that allows BizService to
>> relay access?
>> * Does this scenario require an explicit model of delegation
>> enforced by the AM, so that BizService can't hand off an access
>> token to anybody they want?
>> <UMA diagram.jpg>
> Eve Maler
> eve at xmlgrrl.com
eve at xmlgrrl.com
More information about the Wg-uma