Re: [OAUTH-WG] Registration: Scope Values
prateek mishra <prateek.mishra@oracle.com> Mon, 15 April 2013 17:00 UTC
Return-Path: <prateek.mishra@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9879321F9613 for <oauth@ietfa.amsl.com>; Mon, 15 Apr 2013 10:00:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MaXTcnC9Obnp for <oauth@ietfa.amsl.com>; Mon, 15 Apr 2013 10:00:33 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 625C321F9593 for <oauth@ietf.org>; Mon, 15 Apr 2013 10:00:33 -0700 (PDT)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r3FH0WbX028540 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <oauth@ietf.org>; Mon, 15 Apr 2013 17:00:32 GMT
Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r3FH0VP4002210 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <oauth@ietf.org>; Mon, 15 Apr 2013 17:00:32 GMT
Received: from abhmt111.oracle.com (abhmt111.oracle.com [141.146.116.63]) by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r3FH0Vlq002203 for <oauth@ietf.org>; Mon, 15 Apr 2013 17:00:31 GMT
Received: from [10.152.55.88] (/10.152.55.88) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 15 Apr 2013 10:00:30 -0700
Message-ID: <516C322D.6050004@oracle.com>
Date: Mon, 15 Apr 2013 13:00:29 -0400
From: prateek mishra <prateek.mishra@oracle.com>
Organization: Oracle Corporation
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: oauth@ietf.org
References: <255B9BB34FB7D647A506DC292726F6E1150C74DADA@WSMSG3153V.srv.dir.telstra.com> <516C069F.9090308@mitre.org> <CA+ZpN26NJj7T8V0WYNnVi2O1EhwKqDbk3zBcJoNkgk5PM6N5+Q@mail.gmail.com> <516C0B9D.6000402@mitre.org> <CA+ZpN27UCw=MpD+CPGTEaGFaQe5qFJm00jRVeW5FuB0MAk8D0A@mail.gmail.com> <516C101F.2090706@mitre.org> <CA+ZpN27KNr0TLsAjt29PCQXqfFYkzP7Fr7y_2wibHfVu3R=UMA@mail.gmail.com> <516C1714.8070503@mitre.org> <4E1F6AAD24975D4BA5B168042967394367641A87@TK5EX14MBXC283.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B168042967394367641A87@TK5EX14MBXC283.redmond.corp.microsoft.com>
Content-Type: multipart/alternative; boundary="------------090505000307000903020107"
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Subject: Re: [OAUTH-WG] Registration: Scope Values
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2013 17:00:36 -0000
+1 > > I think that the existing wording is superior to the proposed changed > wording. The existing wording is: > > scope > > OPTIONAL. Space separated list of scope values (as described in > > OAuth 2.0 Section 3.3 [RFC6749] > <http://tools.ietf.org/html/rfc6749#section-3.3>) that the client is > declaring that > > it may use when requesting access tokens. If omitted, an > > Authorization Server MAY register a Client with a default set of > > scopes. > > For instance, the current "client is declaring" wording will always be > correct, whereas as the change to "client can use" wording implies a > restriction on client behavior that is not always applicable. The > "client is declaring" wording was specific and purposefully chosen, > and I think should be retained. In particular, we can't do anything > that implies that only the registered scopes values can be used. At > the OAuth spec level, this is a hint as to possible future client > behavior -- not a restriction on future client behavior. > > Also, for the reasons that Tim stated, I'm strongly against any > "matching" or "regex" language in the spec pertaining to scopes -- as > it's not actionable. > > So I'd propose that we leave the existing scope wording in place. > Alternatively, I'd also be fine with deleting this feature entirely, > as I don't think it's useful in the general case. > > -- Mike > > *From:*oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On > Behalf Of *Justin Richer > *Sent:* Monday, April 15, 2013 8:05 AM > *To:* Tim Bray; oauth@ietf.org > *Subject:* Re: [OAUTH-WG] Registration: Scope Values > > On 04/15/2013 10:52 AM, Tim Bray wrote: > > I'd use the existing wording; it's perfectly clear. Failing that, if > there's strong demand for registration of structured scopes, bless the > use of regexes, either PCREs or some careful subset. > > > Thanks for the feedback -- Of these two choices, I'd rather leave it > as-is. > > > However, I'd subtract the sentence "If omitted, an Authorization > Server MAY register a Client with a default set of scopes." It adds > no value; if the client doesn't declare scopes, the client doesn't > declare scopes, that's all. -T > > > Remember, all of these fields aren't just for the client *request*, > they're also for the server's *response* to either a POST, PUT, or GET > request. (I didn't realize it, but perhaps the wording as stated right > now doesn't make that clear -- I need to fix that.) The value that it > adds is if the client doesn't ask for any particular scopes, the > server can still assign it scopes and the client can do something > smart with that. Dumb clients are allowed to ignore it if it doesn't > mean anything to them. > > This is how our server implementation actually works right now. If the > client doesn't ask for anything specific at registration, the server > hands it a bag of "default" scopes. Same thing happens at auth time -- > if the client doesn't ask for any particular scopes, the server hands > it all of its registered scopes as a default. Granted, on our server, > scopes are just simple strings right now, so they get compared at the > auth endpoint with an exact string-match metric and set-based logic. > > -- Justin > > > On Mon, Apr 15, 2013 at 7:35 AM, Justin Richer <jricher@mitre.org > <mailto:jricher@mitre.org>> wrote: > > What would you suggest for wording here, then? Keeping in mind that we > cannot (and don't want to) prohibit expression-based scopes. > > -- Justin > > On 04/15/2013 10:33 AM, Tim Bray wrote: > > No, I mean it's not interoperable at the software-developer level. > I can't register scopes at authorization time with any > predictable effect that I can write code to support, either client > or server side, without out-of-line non-interoperable knowledge > about the behavior of the server. > > I guess I'm just not used to OAuth's culture of having no > expectation that things will be specified tightly enough that I > can write code to implement as specified. -T > > On Mon, Apr 15, 2013 at 7:15 AM, Justin Richer <jricher@mitre.org > <mailto:jricher@mitre.org>> wrote: > > Scopes aren't meant to be interoperable between services since > they're necessarily API-specific. The only interoperable bit is > that there's *some* place to put the values and that it's > expressed as a bag of space-separated strings. How those strings > get interpreted and enforced (which is really what's at stake > here) is up to the AS and PR (or a higher-level protocol like UMA). > > -- Justin > > On 04/15/2013 10:13 AM, Tim Bray wrote: > > This, as written, has zero interoperability. I think this > feature can really only be made useful in the case where > scopes are fixed strings. > > -T > > On Apr 15, 2013 6:54 AM, "Justin Richer" <jricher@mitre.org > <mailto:jricher@mitre.org>> wrote: > > You are correct that the idea behind the "scope" parameter at > registration is a constraint on authorization-time scopes that > are made available. It's both a means for the client to > request a set of valid scopes and for the server to provision > (and echo back to the client) a set of valid scopes. > > I *really* don't want to try to define a matching language for > scope expressions. For that to work, all servers would need to > be able to process the regular expressions for all clients, > even if the servers themselves only support simple-string > scope values. Any regular expression syntax we pick here is > guaranteed to be incompatible with something, and I think the > complexity doesn't buy much. Also, I think you suddenly have a > potential security issue if you have a bad regex in place on > either end. > > As it stands today, the server can interpret the incoming > registration scopes and enforce them however it wants to. The > real trick comes not from assigning the values to a particular > client but to enforcing them, and I think that's always going > to be service-specific. We're just not as clear on that as we > could be. > > After looking over everyone's comments so far, I'd like to > propose the following text for that section: > > scope > > OPTIONAL. Space separated list of scope values (as described in > > OAuth 2.0Section 3.3 [RFC6749] <http://tools.ietf.org/html/rfc6749#section-3.3>) that the client can use when > > requesting access tokens. As scope values are service-specific, > > the Authorization Server MAY define its own matching rules when > > determining if a scope value used during an authorization request > > is valid according to the scope values assigned during > > registration. Possible matching rules include wildcard patterns, > > regular expressions, or exactly matching the string. If omitted, > > an Authorization Server MAY register a Client with a default > > set of scopes. > > > Comments? Improvements? > > -- Justin > > On 04/14/2013 08:23 PM, Manger, James H wrote: > > Presumably at app registration time any scope specification is really a constraint on the scope values that can be requested in an authorization flow. > > > > So ideally registration should accept rules for matching scopes, as opposed to actual scope values. > > > > You can try to use scope values as their own matching rules. That is fine for a small set of "static" scopes. It starts to fail when there are a large number of scopes, or scopes that can include parameters (resource paths? email addresses?). You can try to patch those failures by allowing services to define service-specific special "wildcard" scope values that can only be used during registration (eg "read:*"). > > > > Alternatively, replace 'scope' in registration with 'scope_regex' that holds a regular expression that all scope values in an authorization flow must match. > > > > -- > > James Manger > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org <mailto:OAuth@ietf.org> > > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values Donald F Coffin
- Re: [OAUTH-WG] Registration: Scope Values Donald F Coffin
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Donald F Coffin
- Re: [OAUTH-WG] Registration: Scope Values Manger, James H
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values prateek mishra
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values John Bradley
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Anthony Nadalin
- Re: [OAUTH-WG] Registration: Scope Values Phil Hunt
- Re: [OAUTH-WG] Registration: Scope Values Richer, Justin P.
- Re: [OAUTH-WG] Registration: Scope Values Richer, Justin P.
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Anthony Nadalin
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values Phil Hunt
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Phil Hunt
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer