Re: [OAUTH-WG] Scope - Coming to a Consensus

Justin Smith <justinsm@microsoft.com> Fri, 30 April 2010 22:04 UTC

Return-Path: <justinsm@microsoft.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D333F3A6A0B for <oauth@core3.amsl.com>; Fri, 30 Apr 2010 15:04:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.299
X-Spam-Level:
X-Spam-Status: No, score=-10.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_62=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3WTOusGcruey for <oauth@core3.amsl.com>; Fri, 30 Apr 2010 15:04:00 -0700 (PDT)
Received: from smtp.microsoft.com (mailc.microsoft.com [131.107.115.214]) by core3.amsl.com (Postfix) with ESMTP id 763DD3A68E1 for <oauth@ietf.org>; Fri, 30 Apr 2010 15:03:59 -0700 (PDT)
Received: from TK5EX14MLTC101.redmond.corp.microsoft.com (157.54.79.178) by TK5-EXGWY-E803.partners.extranet.microsoft.com (10.251.56.169) with Microsoft SMTP Server (TLS) id 8.2.176.0; Fri, 30 Apr 2010 15:03:45 -0700
Received: from TK5EX14MBXC115.redmond.corp.microsoft.com ([169.254.4.129]) by TK5EX14MLTC101.redmond.corp.microsoft.com ([157.54.79.178]) with mapi; Fri, 30 Apr 2010 15:03:43 -0700
From: Justin Smith <justinsm@microsoft.com>
To: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Scope - Coming to a Consensus
Thread-Index: AQHK6Jj02D6vmsUg2UKTY8by4O8/65I78i8AgAAF4gD//5gCcA==
Date: Fri, 30 Apr 2010 22:01:35 +0000
Deferred-Delivery: Fri, 30 Apr 2010 22:02:00 +0000
Message-ID: <191F411E00E19F4E943ECDB6D65C60851695A6A4@TK5EX14MBXC115.redmond.corp.microsoft.com>
References: <90C41DD21FB7C64BB94121FBBC2E723439321772EF@P3PW5EX1MB01.EX1.SECURESERVER.NET> <C80078D0.2D681%atom@yahoo-inc.com> <m2tc334d54e1004301352zf2a7f1cbi3fc90525ffddbf8@mail.gmail.com> <m2jce1325031004301413x6f4b3341h5e8844311d109a79@mail.gmail.com>
In-Reply-To: <m2jce1325031004301413x6f4b3341h5e8844311d109a79@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Scope - Coming to a Consensus
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Apr 2010 22:04:01 -0000

Piling on: +1 for #3.

--justin

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Pelle Braendgaard
Sent: Friday, April 30, 2010 2:13 PM
To: OAuth WG (oauth@ietf.org)
Subject: Re: [OAUTH-WG] Scope - Coming to a Consensus

+1 for #3

Since google implemented I always thought it an elegant simple way of
requesting access.

On Fri, Apr 30, 2010 at 4:52 PM, Joseph Smarr <jsmarr@gmail.com> wrote:
> I also vote for #3. I think our field experience has shown that a) lack of a
> standard place to stick scope info in access token requests leads to
> per-provider inconsistencies that further complicate libraries, b) lots of
> providers do want to offer scoped access tokens (and show the list of scopes
> being requested on consent UI), and c) we're likely to want to have some
> cross-vendor standard scopes (e.g. "access profile data", PoCo, "post
> activities", etc.) so it's natural to express those as URIs, thus favoring
> space-delimited scope values.
> Thanks,js
>
> On Fri, Apr 30, 2010 at 12:08 PM, Allen Tom <atom@yahoo-inc.com> wrote:
>>
>> I vote for #3
>>
>> There are already plenty of implementations that use a scope parameter:
>>
>> Facebook:
>> http://developers.facebook.com/docs/authentication/
>>
>> Google:
>> http://code.google.com/apis/accounts/docs/OAuth_ref.html#RequestToken
>>
>> Flickr: (called "perm")
>> http://www.flickr.com/services/api/auth.spec.html
>>
>> Yahoo currently requires developers to tell us the scopes that they need
>> when registering for a consumer key. We've received plenty of feedback
>> that
>> developers would rather specify the scope(s) at authorization time, so we
>> would support a multi-valued scope parameter. Space is a reasonable
>> delimiter.
>>
>> Allen
>>
>>
>>
>> On 4/30/10 8:43 AM, "Eran Hammer-Lahav" <eran@hueniverse.com> wrote:
>>
>> >
>> > 3. Space-Delimited Scope Parameter Value
>> >
>> > Define a 'scope' parameter with value of space-delimited strings (which
>> > can
>> > include any character that is not a space - the entire parameter value
>> > is
>> > encoded per the transport rules regardless). Space allows using URIs or
>> > simple
>> > strings as values.
>> >
>> > Pros:
>> >
>> > - A separator-delimited list of values is the common format for scope
>> > parameters in existing implementations and represents actual deployment
>> > experience.
>> > - Most vendors define a set of opaque strings used for requesting scope.
>> > This
>> > enables libraries to concatenate these in a standard way.
>> > - Enables simple extensions in the future for discovering which scope is
>> > required by each resource.
>> >
>> > Cons:
>> >
>> > - Defining a format without a discovery method for the values needs
>> > doesn't
>> > offer much more than the other options.
>> > - Doesn't go far enough to actually achieve interoperability.
>> > - Adds complexity for little value.
>> >
>> >
>> >
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>



-- 
http://agree2.com - Reach Agreement!
http://extraeagle.com - Solutions for the electronic Extra Legal world
http://stakeventures.com - Bootstrapping blog
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth