Re: [Gen-art] [OAUTH-WG] Gen-ART Telechat review of draft-ietf-oauth-v2-bearer-18.txt

Mike Jones <> Wed, 11 April 2012 00:25 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3F4D811E812C; Tue, 10 Apr 2012 17:25:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.732
X-Spam-Status: No, score=-3.732 tagged_above=-999 required=5 tests=[AWL=-0.133, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 0YI2aBARC2Y2; Tue, 10 Apr 2012 17:25:06 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 705F211E80FD; Tue, 10 Apr 2012 17:25:06 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server id; Wed, 11 Apr 2012 00:25:05 +0000
Received: from mail193-ch1 (localhost []) by (Postfix) with ESMTP id 7766E2602ED; Wed, 11 Apr 2012 00:25:05 +0000 (UTC)
X-SpamScore: -26
X-BigFish: VS-26(zz9371I542Mzz1202hzz1033IL8275dhz2fh2a8h668h839h944hd25h)
X-Forefront-Antispam-Report: CIP:; KIP:(null); UIP:(null); IPV:NLI;; RD:none; EFVD:NLI
Received-SPF: pass (mail193-ch1: domain of designates as permitted sender) client-ip=;; ; ;
Received: from mail193-ch1 (localhost.localdomain []) by mail193-ch1 (MessageSwitch) id 1334103903768780_14168; Wed, 11 Apr 2012 00:25:03 +0000 (UTC)
Received: from ( []) by (Postfix) with ESMTP id B6DDD1C0055; Wed, 11 Apr 2012 00:25:03 +0000 (UTC)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Wed, 11 Apr 2012 00:25:03 +0000
Received: from ([]) by ([]) with mapi id 14.02.0283.004; Wed, 11 Apr 2012 00:25:02 +0000
From: Mike Jones <>
To: Alexey Melnikov <>, "" <>
Thread-Topic: [OAUTH-WG] Gen-ART Telechat review of draft-ietf-oauth-v2-bearer-18.txt
Thread-Index: Ac0XeYjHJBC3cdHfRaCIvdSewfDQIQ==
Date: Wed, 11 Apr 2012 00:25:02 +0000
Message-ID: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: General Area Review Team <>, "" <>, The IESG <>
Subject: Re: [Gen-art] [OAUTH-WG] Gen-ART Telechat review of draft-ietf-oauth-v2-bearer-18.txt
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 11 Apr 2012 00:25:07 -0000

Hi Alexey,

About your issue 1:  The OAuth Core spec, where "scope" is primarily defined, includes the sentence "The [scope] strings are defined by the authorization server" (see  I could add that clarification to the Bearer spec as well to make it clear that the scope values are context-dependent, if that would address your concern.

About your issue 2:  Investigating the OAuth Errors Registry a bit further (see while I'd like to be able to register the OAuth Bearer errors in this registry, what I believe to be a defect in the errors registry text currently prevents this.  Specifically, the registry enumerates only three "Error usage location" values:  authorization code grant error response, implicit grant error response, and token error response.  To be able to use this registry, it would also have to have a fourth usage location:  "resource access error response".  If you'd like to file an issue against the OAuth Core spec to get this additional usage location added to the registry, then I'd be glad to use it.  I believe that this would be significantly preferable to adding a separate OAuth Bearer errors registry that's exactly like the general-purpose one, only separate from it.

				Best wishes,
				-- Mike

-----Original Message-----
From: [] On Behalf Of Alexey Melnikov
Sent: Tuesday, April 10, 2012 7:03 AM
Cc: General Area Review Team;; The IESG
Subject: [OAUTH-WG] Gen-ART Telechat review of draft-ietf-oauth-v2-bearer-18.txt

I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART, please see the FAQ at <>.

Please resolve these comments along with any other Last Call comments you may receive.
Document: draft-ietf-oauth-v2-bearer-18.txt
Reviewer: Alexey Melnikov
Review Date: 10 April 2012
IETF LC End Date: 7 Feb 2012
IESG Telechat date: 12 April 2012

Summary: Nearly ready to be published as Proposed Standard, with a couple of things that should be addressed or at least discussed.

Thank you for addressing most of my other issues. However there are a couple remaining which I think are important.

Major Issues:

    The "scope" attribute is a space-delimited list of scope values
    indicating the required scope of the access token for accessing the
    requested resource.  In some cases, the "scope" value will be used
    when requesting a new access token with sufficient scope of access to
    utilize the protected resource.  The "scope" attribute MUST NOT
    appear more than once.  The "scope" value is intended for
    programmatic use and is not meant to be displayed to end users.

I don't think this provide enough information about what this is, how it is to be used and which values are allowed. As this is not meant to be displayed to end users, then you need to say what values are allowed and which entity can allocate them. Is there a registry for these tokens, e.g. an IANA registry?

The editor provided explanation in email, however this was not reflected in any version of the draft.

2). Section "3.1.  Error Codes"

I've suggested to use an IANA registry for this field. Apparently there is already a registry created by <>. 
However this document doesn't register values defined in section 3.1 with IANA and doesn't point to draft-ietf-oauth-v2-23 for the registry. 
I find this to be very confusing.

Minor issues: none

Nits: none

OAuth mailing list