Re: [OAUTH-WG] Requesting mutliple scope, but user authorizes not all
Justin Richer <jricher@mitre.org> Wed, 01 December 2010 21:36 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 169263A67B0 for <oauth@core3.amsl.com>; Wed, 1 Dec 2010 13:36:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hfitHI6aMVFX for <oauth@core3.amsl.com>; Wed, 1 Dec 2010 13:36:13 -0800 (PST)
Received: from smtp-bedford.mitre.org (smtp-bedford.mitre.org [129.83.20.191]) by core3.amsl.com (Postfix) with ESMTP id A42BB3A672F for <oauth@ietf.org>; Wed, 1 Dec 2010 13:36:12 -0800 (PST)
Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id oB1LbQbL002006 for <oauth@ietf.org>; Wed, 1 Dec 2010 16:37:26 -0500
Received: from imchub2.MITRE.ORG (imchub2.mitre.org [129.83.29.74]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id oB1LbQDr002003; Wed, 1 Dec 2010 16:37:26 -0500
Received: from [129.83.50.65] (129.83.50.65) by imchub2.MITRE.ORG (129.83.29.74) with Microsoft SMTP Server id 8.2.254.0; Wed, 1 Dec 2010 16:37:25 -0500
From: Justin Richer <jricher@mitre.org>
To: David Primmer <primmer@google.com>
In-Reply-To: <AANLkTimuYhfNUNN0DDV9-Pa-_SP-c=Fb+jgkJd7aV=Pq@mail.gmail.com>
References: <20101126094122.53764oqlukyiow4y@ugs.tarent.de> <AANLkTimuYhfNUNN0DDV9-Pa-_SP-c=Fb+jgkJd7aV=Pq@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Date: Wed, 01 Dec 2010 16:37:24 -0500
Message-ID: <1291239444.32049.250.camel@pulse>
MIME-Version: 1.0
X-Mailer: Evolution 2.30.3
Content-Transfer-Encoding: 8bit
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Requesting mutliple scope, but user authorizes not all
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Dec 2010 21:36:16 -0000
Just as a matter of clarification about the downscope language in the spec: The downscoping capability here is intended mostly for getting special-use tokens, for things like redelegation to other apps. So say I grant access to AppA with scope "read write", and AppA gets a refresh and access token. AppA can then present its refresh token to the token endpoint and request an access token with scope "read" in order to get a downscoped token (in this example, a read-only token), either to limit the vulnerabilities of tokens in flight or to hand to another app. The key is that AppA's request for a downscoped token with their previously-verified grant will not reprompt the user. -- Justin On Wed, 2010-12-01 at 16:17 -0500, David Primmer wrote: > As Eran pointed out, the way you've formatted your scope request, > you've only specified one scope and I'd guess to keep things simple > and consistent can either be approved or denied. I don't have a spec > reference about what happens when the user doesn't approve but I > assume the response is sent to the callback url. > > Now, what I heard in your email was a question about best-practices. > The developer requests a number of scopes and the approval page on the > authorization server allows the user to select which of those they > approve and reject the rest. I don't think this is the the way that > this sort of thing has been implemented for the most part. It's an > all-or-none deal on most of the larger providers these days. Microsoft > initially had a multiple choice UI for OAuth1 but I think they've > abandoned that. > > So the real question is: how do you make sure the developer sends > exactly what the user is prepared to approve to the AS, instead of > allowing downscoping during the approval step. The common way this > works out is either the developer knows they only need certain scopes > for their application and they're relatively static or it's a > selective disclosure system like you've described and the user needs > to pick what they're going to approve on the developer's site before > any browser redirects are done and those pre-filtered choices are sent > to the AS. > > hope this helps. > > davep > > On Fri, Nov 26, 2010 at 12:41 AM, Martin Ley <m.ley@tarent.de> wrote: > > Dear list, > > > > perhaps I've overread it in the specification or it was not explicit about > > my required scenario: > > > > > > The Web-Server-Flow is used. An application requests data about the user. > > The scopes are dateofbirth,isover18,address. Now the user is forwarded to > > the authorization server to identify and authenticate and give permissions > > to the applications. The user decides to give only permission for the > > isover18 scope but not dateofbirth and address. > > > > How would the application be notified about the granted scopes and the not > > granted scopes? > > > > Best regards > > > > Martin > > > > > > -- > > tarent Gesellschaft für Softwareentwicklung und IT-Beratung mbH > > Geschäftsführer: Boris Esser, Elmar Geese > > HRB AG Bonn 5168 - USt-ID (VAT): DE122264941 > > > > Heilsbachstraße 24, 53123 Bonn, Telefon: +49 228 52675-0 > > Thiemannstraße 36a, 12059 Berlin, Telefon: +49 30 5682943-30 > > Internet: http://www.tarent.de/ Telefax: +49 228 52675-25 > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Requesting mutliple scope, but user au… Martin Ley
- Re: [OAUTH-WG] Requesting mutliple scope, but use… Eran Hammer-Lahav
- Re: [OAUTH-WG] Requesting mutliple scope, but use… Igor Faynberg
- Re: [OAUTH-WG] Requesting mutliple scope, but use… Nat Sakimura
- Re: [OAUTH-WG] Requesting mutliple scope, but use… Igor Faynberg
- Re: [OAUTH-WG] Requesting mutliple scope, but use… David Primmer
- Re: [OAUTH-WG] Requesting mutliple scope, but use… Justin Richer