A method and system for enabling a user to authorize a client, acting
under the directed of a first resource, to access a second resource.
Before the client accesses the second resource, client programming, that
is autonomous of the first and second resources, redirects the client to
an authorization service that is also autonomous of the first and second
resource. The authorization service authenticates the user, identifies
policy data, if any, associated with the user and the first resource, and
then returns to the client an interface generated according to the
identified policy data, if any, enabling the user to grant or deny
authorization. Where policy data does not exist, the authorization
service returns an interface to the client enabling the user to set
policy data.