Re: [kitten] [OAUTH-WG] minor issue with scope and RFC 6749 ABNF in sasl-oauth
Jamie Nicolson <nicolson@google.com> Mon, 23 March 2015 20:20 UTC
Return-Path: <nicolson@google.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18B2E1B29D7 for <kitten@ietfa.amsl.com>; Mon, 23 Mar 2015 13:20:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level:
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9Kz2zsZnIGiM for <kitten@ietfa.amsl.com>; Mon, 23 Mar 2015 13:20:19 -0700 (PDT)
Received: from mail-ig0-x230.google.com (mail-ig0-x230.google.com [IPv6:2607:f8b0:4001:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61F061B29D5 for <kitten@ietf.org>; Mon, 23 Mar 2015 13:20:19 -0700 (PDT)
Received: by ignm3 with SMTP id m3so39637221ign.0 for <kitten@ietf.org>; Mon, 23 Mar 2015 13:20:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=YzsA+3wgBzhydAQsqce+uypq9B5vKSw7m1FWAmouGT4=; b=bjIXUoAYYnU6cDz3CCUJmjunCDHP2OD7QC/XrW9eHN2tJFAR1SwvD9/baDZxr+v/VI ZfaQY6+13DkyAyhX+bx7yDNot4YTjclLA4+ggt+qvX7BVPwz7EL5UJcKgd2vS+kt2ZF1 DBWqVy5gUTTMdBOvr7VHcsCpBekHBFjao0muRpcIdhLP/nQteNI0+hdfnImMKmzuKqpA IkZ7W7Z/Trv9IKNXyCjmXo78bLdnLfWOYDo1hQCTbIgv6QqZxSxIUoTnbpJ+NNRzaQxv StSMfjA4ZRS6BhWPhqNriqKVszlIeQ5uiB1pbRw30LceySBNjQypst3A2sdXfah0CmyV qbqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=YzsA+3wgBzhydAQsqce+uypq9B5vKSw7m1FWAmouGT4=; b=OgbJjdU9U4x/3OaZueEzcWRlynfSzNBf0wyW+d8JswV3V2Ykw7yp9x0mlqmHWPJlAZ wQ+sO+spvxGkuuYsywIkPRqRliQ8WfEbJkTIqPWRj5QOekBBlm8Ki0+kmgN0AU/BN7V6 hf3evWx4kzgqiEGocdM+8MAeqmrw1p7K67Uc5spgNzHUCy+LfkiaXUwRrm1et0QfjnkN rhJacXGXwVb2WDspd3O9Qh23DjGrXoPskUmNwoLFS+ngq2QUMTaenp8XeXJf2WHh1djz v3WVuStyrbCNWj1UCEu8KerczwASHG6J9zgjxQyqTLCj9f6mZ77On03rdVo7xB6bUD8i cCEQ==
X-Gm-Message-State: ALoCoQknn408+1KnRdNckKLBhEvLBEUWvcOXVvxkGmmKxd+8OMCfcPI4GgZnEiLpwnqBtCwlc6DY
X-Received: by 10.43.142.5 with SMTP id jg5mr10588428icc.33.1427142018873; Mon, 23 Mar 2015 13:20:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.86.7 with HTTP; Mon, 23 Mar 2015 13:19:48 -0700 (PDT)
In-Reply-To: <alpine.GSO.1.10.1503230110340.22210@multics.mit.edu>
References: <alpine.GSO.1.10.1503230110340.22210@multics.mit.edu>
From: Jamie Nicolson <nicolson@google.com>
Date: Mon, 23 Mar 2015 13:19:48 -0700
Message-ID: <CACU8CfTiCFfz44HwS7iOjt8tbq5s1NfNdjf0h9wmND5xe7+yzg@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Content-Type: multipart/alternative; boundary="001a11c2da1a145ec00511fa6526"
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/csY63ZuhcY6rhZUB6E4KpWiqBFg>
Cc: "kitten@ietf.org" <kitten@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [kitten] [OAUTH-WG] minor issue with scope and RFC 6749 ABNF in sasl-oauth
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2015 20:20:21 -0000
Gmail always returns a non-empty scope value in our error response, so the proposed protocol change would not affect our implementation. On Sun, Mar 22, 2015 at 10:26 PM, Benjamin Kaduk <kaduk@mit.edu> wrote: > Hi all, > > During the shepherd review for draft-ietf-kitten-sasl-oauth-19, I noticed > an old comment from Matt back in December 2013, in > http://www.ietf.org/mail-archive/web/kitten/current/msg04488.html . > > The relevant point here is that sending a scope of "" (the empty string) > during the authorization request violates the ABNF in RFC 6749. (The > other concerns seem to have been addressed by suggesting that a single > scope be used, when recommending against a space-separated list.) > > In the current draft-ietf-kitten-sasl-oauth-19, in section 3.2.2 ("Server > Response to Failed Authentication"), we provide a way for the server to > tell the client what scope to use, in a custom JSON message defined in the > sasl-oauth document. This error response has no obligation to comply to > the ABNF of RFC 6749, so saying both that the scope field is optional and > that it "may be empty which implies that unscoped tokens are required, or > a scope value" does not cause any compliance issues. However, a few > paragraphs down, we furthermore say that "[i]f the resource server > provides no scope to the client then the client SHOULD presume an empty > scope (unscoped token) is required to access the resource." The phrase > "empty scope" here is concerning, and seems to suggest sending scope="", > which is disallowed by RFC 6749. > > The simple fix would be to just replace "empty scope (unscoped token)" > with "unscoped token". > > However, it is a bit aesthetically unpleasing to have our new JSON > structure diverge from the existing ABNF guidelines; we may wish to just > utilize the optionality of the scope field in the server's response to > failed authentication, and remove the mention of an empty value for that > field. This proposal is a change to the wire protocol, and so we would > need consensus from the working group to move forward with it -- in > particular, we would like to know if there are existing implementations > which would be affected by this change. > > Please comment about the proposal to remove the option of an empty scope > in the server's response to failed authentication, both from the protocol > change standpoint and from its effects on existing implementations. > > Thank you, > > Ben > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [kitten] minor issue with scope and RFC 6749 ABNF… Benjamin Kaduk
- Re: [kitten] [OAUTH-WG] minor issue with scope an… Jamie Nicolson
- Re: [kitten] [OAUTH-WG] minor issue with scope an… Torsten Lodderstedt
- Re: [kitten] [OAUTH-WG] minor issue with scope an… Benjamin Kaduk