This is a job for... OAuth...

[Nika Jones <njones@ouno.com>]

Well, I'd think so, but I'm not sure it will work, thus I have the  
following problem:

Say, I would like for my client to upload a file via FTP to my sever.  
They have a simple headless terminal application of, "their own  
design," which handles the file upload, so --no browser.

Within the file they upload I've embedded an XRI identifier, A batch  
job runs on the server the file was uploaded to, grabbing the XRI  
identifier from the file and does a proxy resolution for the XRI.

Now here's the catch, the service resolved from the proxy resolution  
should return a private resource. So, this is something that only  
should be returned if the user who uploaded the file has authorization.

Normally one would use OAuth in this situation, right, to assign  
rights to a third-party, right? However because FTP was used  as the  
first leg, there seems to be no way manage the relationship between  
all parties (using redirects and all of the niceties of HTTP).

Has any one dealt with a problem such as this before? If so any ideas  
on a possible solution? Another way to phrase the question is; if you  
have a "protected" resource managed by XRDS discovery, what are best  
practices to protect that resource?

Regards,

Nika