adding SEPs with OAuth

[Markus Sabadello <markus.sabadello@xdi.org>]

Hello,

I revisited an old use case that has come up in the XRI TC a few times:
If you have an i-name, how can a third party i-service provider add a SEP to your XRD in order to point to their service?

The scenario we talked about a few times was a "Busy Status" provider which would indicate whether you are available/busy/etc.





This provider could display your status page at =yourname/(+busy), but how does an appropriate SEP get installed in the user's XRD, without the user having to add it manually at the i-broker?

No problem with OAuth, I said to myself, and so here are 2 demo "Busy Status" providers for your i-name:





busystatus.com is a simple, easy-to-use provider that allows you to indicate your Busy Status with a simple checkbox - either you are busy or not!

buzymazterz.com on the other hand is for those who love a rich feature set. It allows you to choose between FOUR different Busy Statuses and even enter a textual description for your personal Busy Status page!





So.. You can now choose between one of the above Busy Status providers. You go to their site, sign in with your i-name, configure your Busy Status, and then click on "Set up your i-name", which will try to configure your i-name on your behalf via OAuth.





After that, people should be able to view your Busy Status via =yourname/(+busy) or =web*yourname/(+busy) or whatever your i-name is. You can even switch between the two providers if you're not happy with your current one.





The only missing piece right now in this demo is how can those providers (which are consumers in the OAuth terminology) discover the i-broker's OAuth endpoints? Currently in the demo this is hardcoded, i.e. the above only works with i-names from freexri.com or fullxri.com.





Here are my questions to anyone who reads this..

1. How does OAuth Discovery fit into this? I assume the way it should work is that every i-name's XRD should have a SEP of type http://oauth.net/discovery/1.0, which would point to another XRD that contains all the OAuth Discovery stuff. Then any third party i-service could be registered with any i-name.





2. Is this just useful in the XRI world, or would it also make sense for non-XRI XRDs? This could be relevant to some very recent topics of the XRI TC. Joseph mentioned a CRUD API for XRD. Would it make sense to expose this whole API via OAuth? Would it be good practice for XRDs on the web with an OpenID SEP (uh, excuse me, I mean link) to also have an OAuth link that allows modifications to the XRD itself?



3. Currently the freexri.com and fullxri.com OAuth endpoints only support a single operation: "Add SEP to XRD". The OAuth details are described here: http://oauth.freexri.com. I know that there are some true OAuth experts on this list :) If you have time, maybe you could review what I wrote on that page, since this is the first time I do anything with OAuth.



In the XDI world, the same pattern could be used if a third party provider wants to add XDI statements to a user's XDI context on their behalf.

Markus