IETF Logo Mail Archive

Re: [OAUTH-WG] Indicating sites where a token is valid

"Manger, James H" <James.H.Manger@team.telstra.com> Thu, 13 May 2010 06:53 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C78E03A6A88 for <oauth@core3.amsl.com>; Wed, 12 May 2010 23:53:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.036
X-Spam-Level: **
X-Spam-Status: No, score=2.036 tagged_above=-999 required=5 tests=[AWL=-0.863, BAYES_50=0.001, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, J_CHICKENPOX_83=0.6, J_CHICKENPOX_84=0.6, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZRjr+-iL6-Cf for <oauth@core3.amsl.com>; Wed, 12 May 2010 23:53:00 -0700 (PDT)
Received: from ipxbno.tcif.telstra.com.au (ipxbno.tcif.telstra.com.au [203.35.82.204]) by core3.amsl.com (Postfix) with ESMTP id 852A53A6A6C for <oauth@ietf.org>; Wed, 12 May 2010 23:52:59 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.53,220,1272808800"; d="scan'208";a="2529071"
Received: from unknown (HELO ipccni.tcif.telstra.com.au) ([10.97.216.208]) by ipobni.tcif.telstra.com.au with ESMTP; 13 May 2010 16:52:47 +1000
X-IronPort-AV: E=McAfee;i="5400,1158,5980"; a="1942406"
Received: from wsmsg3752.srv.dir.telstra.com ([172.49.40.173]) by ipccni.tcif.telstra.com.au with ESMTP; 13 May 2010 16:52:47 +1000
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3752.srv.dir.telstra.com ([172.49.40.173]) with mapi; Thu, 13 May 2010 16:52:47 +1000
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Evan Gilbert <uidude@google.com>
Date: Thu, 13 May 2010 16:52:46 +1000
Thread-Topic: [OAUTH-WG] Indicating sites where a token is valid
Thread-Index: AcryXvM7bJh8Sj+7TVChwyJ89yKu9wAAFiaA
Message-ID: <255B9BB34FB7D647A506DC292726F6E112634655A4@WSMSG3153V.srv.dir.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E11263073D6D@WSMSG3153V.srv.dir.telstra.com> <4BE3A5DC.5030601@lodderstedt.net> <BC9EED4C-B667-4AC2-A663-CEAC0B7CB620@lodderstedt.net> <AANLkTincZ8_0-t2r_Ey9BestA_knMciYsxRLyHcOvSVO@mail.gmail.com> <g2xfd6741651005071106if93ba794q7e9739669eb22fc2@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E1F@P3PW5EX1MB01.EX1.SECURESERVER.NET> <D24C564ACEAD16459EF2526E1D7D605D0C8D22ED62@IMCMBX3.MITRE.ORG> <AANLkTilkUA9i-WZPv8PqPsxiJf5_1SuiCb_GOTdcwtPX@mail.gmail.com> <AANLkTilNNyKvpbzCYfc__AvY1rJKqXE7KN8VL-m_CF-L@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E112633D9594@WSMSG3153V.srv.dir.telstra.com> <AANLkTim0PNhUJAi1ZuDjB8feKh2Sb_OMoNz7AlDTYO6P@mail.gmail.com>
In-Reply-To: <AANLkTim0PNhUJAi1ZuDjB8feKh2Sb_OMoNz7AlDTYO6P@mail.gmail.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Indicating sites where a token is valid
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 May 2010 06:53:00 -0000

Evan,

> The key point is that this discovery covers a lot of the same grounds as the sites parameter, and it's hard  to define semantics around a sites parameter without understanding the semantics of scopes and API endpoints.

I strongly disagree. The semantics are crystal clear:
  "Here is a token. It is INSECURE to send it anywhere not in this list."
These semantics are useful regardless of what the API does, how the client is using it, or how much (or how little) the client knows about the API.


> Clients need to [know] more about these links (at least the response format).

That knowledge comes from other standards (HTML, Atom, wiki of rel values...) and is totally independent of whether a token should or should not be sent.


> The mechanism they use to find out about these links - documentation, discovery, data returned with token request - could also provide the information about whether a token should be sent to a particular API.

Could, but shouldn't and doesn't in practise.
It is much much better to have the information about how to use a token securely delivered at the same time & place as receiving that token, and with minimal assumptions about how much the client apps knows about the service.


> I should be more concrete about the use cases I see. Let's assume there's an API where there are two endpoints, each with an associated permission
> - contacts.list permission -> http://contacts.serviceprovider.com/contacts/list
> - calendar.get permission -> http://calendar.serviceprovider.com/calendar/get
>
> If the response to an authorization request includes the authorized scopes (contacts.list, calendar.get), then the "sites" parameter is redundant.

I'll admit that "sites" is redundant if a client has *perfect* knowledge about a service, but so is pretty much any standard at that point.

Consider a generic search spider tool that you point at http://calendar.serviceprovider.com/calendar/get. It can do its job with no knowledge about what "calendar.get" means -- but it still needs to know (as it spiders along) when it is safe to expose the token.


--
James Manger

v2.23.0 | Report a Bug | By Email