Restricted inter-application access

From Arnout Engelen

Sometimes you want to give a (web)application partial access to your data held at another (web)application: for example, I can imagine wanting to allow some applications (but not everyone) to see my free/busy time in Google Calendar.

Perhaps something could be built on OpenID?

Are there standards for managing that kind of stuff?

I imagine application X would redirect me to a special page at Google Calendar, where I'd log in and configure the level of access. Google Calendar would then generate some credentials for application X to use, and with those credentials application X would get restricted access to my Google Calendar data.

I suppose the problem can be sliced up as follows:

  • Communicating to the Content Repository (e.g. Google Calendar) that application X would like access on behalf of user A.
  • (user logs into Content Repository, configures access for application X and any restrictions)
  • Communicating the credentials with which application X can access the Content Repository on behalf of user A back to application X.

And finally:

  • Application X using these credentials to access user A's content in the Content Repository

Application X would like access on behalf of user A

Perhaps this could be done with a XACML redirect?

Communicating the credentials back to application X

Can we use some XACML reply? Not sure.

Using these credentials to access user A's content in the Content Repository

This part could be left open, but HTTP Basic Auth seems a reasonable default. Don't forget to use SSL, though: Basic Auth only base64-encodes the username/password, so without it they effectively travel in plaintext and anyone on the path can read (and reuse) them.

This allows application X to be written largely in AJAX/JavaScript (see here).

The username/password can, but don't necessarily have to, be checked by Apache: it can also just pass the Authorization header on for the application to verify itself.
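As an added example (not code from the original page), here are the steps sliced up above and the Basic Auth access from this section modelled in Python, with both sides in one process. The hostnames repo.example and appx.example, the sample calendar and user A's password are all constructed for the example. The repository hands application X a freshly generated username/password pair tied to one user and one scope, never user A's own password, and enforces that scope on every request; decode_basic shows why the connection itself has to be SSL.

```python
"""Toy model of the flow: application X asks the Content Repository for
access on behalf of user A, user A logs in and picks a restriction, the
repository hands restricted credentials back to application X, and
application X then uses them with HTTP Basic auth.  Everything is in-process;
the hostnames (repo.example, appx.example), the user password and the sample
calendar data are constructed for the example."""
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def basic_auth_header(username, password):
    """Application X side: build the Authorization header.  This is only base64,
    not encryption, which is why the connection itself must be SSL/TLS."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def decode_basic(header_value):
    """What anyone on an unencrypted path (or the repository) can recover from
    a Basic header: the plaintext username and password."""
    if not header_value.startswith("Basic "):
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(header_value[6:]).decode().partition(":")
    return user, password


class ContentRepository:
    """Stands in for Google Calendar: holds user A's data and the per-application
    credentials it has issued, each tied to one user and one scope."""

    def __init__(self):
        # Constructed sample data.
        self.users = {"userA": "correct horse battery staple"}
        self.calendar = {"userA": [{"start": "09:00", "end": "10:00", "title": "Dentist"}]}
        self.grants = {}  # issued username -> {"user", "password", "scope"}

    def grant_page_url(self, app_id, return_to):
        """Step 1: application X redirects user A to this page to request access."""
        return "https://repo.example/grant?" + urlencode({"app": app_id, "return_to": return_to})

    def approve(self, grant_url, user, password, scope):
        """Step 2: user A logs in at the grant page and chooses the restriction.
        Step 3: returns the redirect back to application X carrying fresh,
        application-specific credentials (never user A's own password)."""
        q = parse_qs(urlparse(grant_url).query)
        app_id, return_to = q["app"][0], q["return_to"][0]
        expected = self.users.get(user, "").encode()
        if not hmac.compare_digest(expected, password.encode()):
            raise PermissionError("user login failed")
        issued_user = f"{app_id}+{user}"
        issued_pass = secrets.token_urlsafe(24)
        self.grants[issued_user] = {"user": user, "password": issued_pass, "scope": scope}
        return return_to + "?" + urlencode({"username": issued_user, "password": issued_pass})

    def handle_request(self, path, headers):
        """Step 4: application X calls the data API with HTTP Basic auth.
        Returns (status, response headers, body) like a tiny HTTP server would."""
        try:
            issued_user, issued_pass = decode_basic(headers.get("Authorization", ""))
        except (ValueError, UnicodeDecodeError):
            return 401, {"WWW-Authenticate": 'Basic realm="repo"'}, None
        grant = self.grants.get(issued_user)
        if grant is None or not hmac.compare_digest(grant["password"].encode(), issued_pass.encode()):
            return 401, {"WWW-Authenticate": 'Basic realm="repo"'}, None
        events = self.calendar[grant["user"]]
        # The restriction chosen at step 2 is enforced here: a free/busy grant
        # only ever sees start/end times, never titles.
        if path == "/freebusy" and grant["scope"] in ("freebusy", "full"):
            return 200, {}, [{"start": e["start"], "end": e["end"]} for e in events]
        if path == "/events" and grant["scope"] == "full":
            return 200, {}, events
        return 403, {}, None


def run_flow(repo, scope="freebusy"):
    """Drive the whole exchange for application X and collect its responses."""
    grant_url = repo.grant_page_url("appX", "https://appx.example/callback")
    callback = repo.approve(grant_url, "userA", "correct horse battery staple", scope)
    creds = parse_qs(urlparse(callback).query)
    headers = basic_auth_header(creds["username"][0], creds["password"][0])
    return {
        "freebusy": repo.handle_request("/freebusy", headers),
        "events": repo.handle_request("/events", headers),
        "unauthenticated": repo.handle_request("/freebusy", {}),
    }


if __name__ == "__main__":
    for name, (status, _, body) in run_flow(ContentRepository()).items():
        print(name, status, body)
```

With a "freebusy" grant, /freebusy answers 200 with only start/end times, /events answers 403, and a request without a header gets 401. Because the issued pair is specific to application X, user A can revoke it at the repository without changing their own password, which is the property a plain username/password hand-over to application X would lack.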

Implementations

I wonder if the Yahoo! API does something smart here; probably a DigiD/SAML-like approach, though.
