Re: [kitten] [OAUTH-WG] minor issue with scope and RFC 6749 ABNF in sasl-oauth
Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 24 March 2015 06:12 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D0271B2CA0; Mon, 23 Mar 2015 23:12:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.251
X-Spam-Level:
X-Spam-Status: No, score=-2.251 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B52BfY3YOvUX; Mon, 23 Mar 2015 23:12:46 -0700 (PDT)
Received: from smtprelay06.ispgateway.de (smtprelay06.ispgateway.de [80.67.31.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6EC611A8836; Mon, 23 Mar 2015 23:12:46 -0700 (PDT)
Received: from [80.187.100.210] (helo=[10.132.251.125]) by smtprelay06.ispgateway.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-SHA:256) (Exim 4.84) (envelope-from <torsten@lodderstedt.net>) id 1YaI4x-0008BL-Vt; Tue, 24 Mar 2015 07:12:44 +0100
User-Agent: K-9 Mail for Android
In-Reply-To: <alpine.GSO.1.10.1503230110340.22210@multics.mit.edu>
References: <alpine.GSO.1.10.1503230110340.22210@multics.mit.edu>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----517IOCS8HCBJ0L7AJSKYP58PJB267O"
Content-Transfer-Encoding: 8bit
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Tue, 24 Mar 2015 07:12:41 +0100
To: Benjamin Kaduk <kaduk@MIT.EDU>, kitten@ietf.org
Message-ID: <F8E09C08-65F1-47A5-86EA-B36E68BFAEBD@lodderstedt.net>
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/_zLijZE9h-DVK_YDwN7myFRBy3U>
Cc: oauth@ietf.org
Subject: Re: [kitten] [OAUTH-WG] minor issue with scope and RFC 6749 ABNF in sasl-oauth
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2015 06:12:50 -0000
Hi Benjamin, in my opinion, your proposal sound reasonable from a protocol perspective. kind regards, Torsten. Am 23. März 2015 06:26:20 MEZ, schrieb Benjamin Kaduk <kaduk@MIT.EDU>: >Hi all, > >During the shepherd review for draft-ietf-kitten-sasl-oauth-19, I >noticed >an old comment from Matt back in December 2013, in >http://www.ietf.org/mail-archive/web/kitten/current/msg04488.html . > >The relevant point here is that sending a scope of "" (the empty >string) >during the authorization request violates the ABNF in RFC 6749. (The >other concerns seem to have been addressed by suggesting that a single >scope be used, when recommending against a space-separated list.) > >In the current draft-ietf-kitten-sasl-oauth-19, in section 3.2.2 >("Server >Response to Failed Authentication"), we provide a way for the server to >tell the client what scope to use, in a custom JSON message defined in >the >sasl-oauth document. This error response has no obligation to comply >to >the ABNF of RFC 6749, so saying both that the scope field is optional >and >that it "may be empty which implies that unscoped tokens are required, >or >a scope value" does not cause any compliance issues. However, a few >paragraphs down, we furthermore say that "[i]f the resource server >provides no scope to the client then the client SHOULD presume an empty >scope (unscoped token) is required to access the resource." The phrase >"empty scope" here is concerning, and seems to suggest sending >scope="", >which is disallowed by RFC 6749. > >The simple fix would be to just replace "empty scope (unscoped token)" >with "unscoped token". > >However, it is a bit aesthetically unpleasing to have our new JSON >structure diverge from the existing ABNF guidelines; we may wish to >just >utilize the optionality of the scope field in the server's response to >failed authentication, and remove the mention of an empty value for >that >field. This proposal is a change to the wire protocol, and so we would >need consensus from the working group to move forward with it -- in >particular, we would like to know if there are existing implementations >which would be affected by this change. > >Please comment about the proposal to remove the option of an empty >scope >in the server's response to failed authentication, both from the >protocol >change standpoint and from its effects on existing implementations. > >Thank you, > >Ben > >_______________________________________________ >OAuth mailing list >OAuth@ietf.org >https://www.ietf.org/mailman/listinfo/oauth -- Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail gesendet.
- [kitten] minor issue with scope and RFC 6749 ABNF… Benjamin Kaduk
- Re: [kitten] [OAUTH-WG] minor issue with scope an… Jamie Nicolson
- Re: [kitten] [OAUTH-WG] minor issue with scope an… Torsten Lodderstedt
- Re: [kitten] [OAUTH-WG] minor issue with scope an… Benjamin Kaduk