[OAUTH-WG] Re: Standardized OAuth 2.0 Scopes for Mail, Calendar, and Contact Access
Clinton Bunch <cdbunch@emeraldgroupware.org> Sun, 20 July 2025 19:31 UTC
Return-Path: <cdbunch@emeraldgroupware.org>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 127C346DC275 for <oauth@mail2.ietf.org>; Sun, 20 Jul 2025 12:31:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=emeraldgroupware.org
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 35rt9ikhFhzg for <oauth@mail2.ietf.org>; Sun, 20 Jul 2025 12:31:46 -0700 (PDT)
Received: from iris.zentaur.org (iris.zentaur.org [198.58.127.206]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id CB85346DC26E for <oauth@ietf.org>; Sun, 20 Jul 2025 12:31:46 -0700 (PDT)
Received: from iris.zentaur.org (localhost [127.0.0.1]) by iris.zentaur.org (Postfix) with ESMTP id 4blYYt37xSz3wZy for <oauth@ietf.org>; Sun, 20 Jul 2025 19:31:46 +0000 (UTC)
Authentication-Results: iris.zentaur.org (amavis); dkim=pass (2048-bit key) reason="pass (just generated, assumed good)" header.d=emeraldgroupware.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d= emeraldgroupware.org; h=in-reply-to:from:content-language :references:to:subject:user-agent:mime-version:date:message-id :content-type; s=dkim20240912; t=1753039905; x=1753043506; bh=CE ftoFMxIZimbFbS1GRLPVCpAQBpXLGppjpnwV2IdEo=; b=A/xT3tZMNt7U14nTKQ V7504tHD+WTrFXUzc0ppFBNZMOk/77NSWZ2QObWs7edv8U0eZvSg2UvNcD5hVc7l uKn/Zc6BI3UR5XyZSMzS/XX1YbH7QswYwd770Qg/Y7gES7UnUA3vPQ9x5KO5WXFC bIvvicCSe/tNsXvvGc9akIntysSYXUvuYibQabn5AyGKcZtcrfQxaRxO0Tna0ahP HWfm0nB2Zoftv9Dlm6DyKJNCSmts9AlKKCY4LDgeZQL/U46yJbsfuQvYp5WtZi9w ktkbK4p2Z/8SqZ7yhVBxs/dPeg1I9xWyJzKcnOs83JojnKtpVR+7P1qMsg0/32TT rt6Q==
X-Virus-Scanned: amavis at iris.zentaur.org
Received: from iris.zentaur.org ([127.0.0.1]) by iris.zentaur.org (iris.zentaur.org [127.0.0.1]) (amavis, port 10026) with ESMTP id d3LpS8Jawq90 for <oauth@ietf.org>; Sun, 20 Jul 2025 19:31:45 +0000 (UTC)
Received: from [192.168.72.107] (unknown [136.50.119.16]) by iris.zentaur.org (Postfix) with ESMTPSA id 4blYYs1Zskz3wZv for <oauth@ietf.org>; Sun, 20 Jul 2025 19:31:45 +0000 (UTC)
Content-Type: multipart/alternative; boundary="------------BALVxe1zK0P0zcv56eBvbJJu"
Message-ID: <5a470426-e672-4fff-8613-d737ea953b3b@emeraldgroupware.org>
Date: Sun, 20 Jul 2025 14:31:45 -0500
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: oauth@ietf.org
References: <CO1PR18MB4684BC45FBE014EA54D9F1FBD952A@CO1PR18MB4684.namprd18.prod.outlook.com> <188ea416-85c2-42d1-84a4-e4b504b7105a@emeraldgroupware.org> <d9a9f658-7391-490e-80e9-b587b0642553@Spark>
Content-Language: en-US
From: Clinton Bunch <cdbunch@emeraldgroupware.org>
In-Reply-To: <d9a9f658-7391-490e-80e9-b587b0642553@Spark>
Message-ID-Hash: XT6QIEMJ7HNTYN6XHYSKUTHVSDOPO3JD
X-Message-ID-Hash: XT6QIEMJ7HNTYN6XHYSKUTHVSDOPO3JD
X-MailFrom: cdbunch@emeraldgroupware.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: Standardized OAuth 2.0 Scopes for Mail, Calendar, and Contact Access
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6RhkV5R9k6KCTS4FCF-TIDYmvkw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
I agree that the document scope should be expanded to include RAR profiles. This granularity of OAUTH scopes I've specified is in line with what I have been asked to approve before as a user. To get much more granular than that would be an explosion of scopes and would be re-inventing the wheel. It could actually be argued that the individual scopes I've specified are *too* granular and their restrictions is in some cases not implemented at this time. I believe dovecot, for example, takes no notice of the scopes defined for a token. It might be that just the composite scopes are used and RAR support allowed to grow as it can. This isn't a new API being designed we're talking about. We're trying to shoehorn in a modern authentication method into 30, even 40+ year old protocols, with dozens of implementations and thousands of instances. Some of those implementations have done the bare minimum to implement OAUTH, but RAR support is going to take time. Something needs to fill that gap, or the chicken and egg problem will never be solved leaving smaller providers and implementers at a distinct disadvantage in the marketplace. At this point, not even all AS implementations support RAR RAR notwithstanding, we may never be rid of scopes in OAUTH, just as despite it flaws we're still using SMTP after more than 40 years. On 7/20/2025 13:37, torsten@lodderstedt.net wrote: > RAR adoption is a typical hen or egg problem. The more API designers > and spec writers adopt RAR, the more RAR will be supported in > products. What I can you from experience, RAR can be implemented on > top of products as it an additional parameter. > If you as domain expert believe static scope values are sufficient, > you should pursue your proposal. > If there is a need to have any context/dynamic values in the „scope“ > to be authorized, you need to encode this somehow. You can do it your > way or adopt something that has already proven to work in practice and > is available as an RFC. > > best regards, > Torsten. > Am 20. Juli 2025, 19:43 +0200 schrieb Clinton Bunch > <cdbunch@emeraldgroupware.org>: >> I had read the blog post and I think my proposal fits well with its >> intent. It specifically says that scopes are not for the fine >> grained access control that Warren wants and that that should >> properly be the purview of the resource server. >> >> While a quick look at RAR points to the fact that a specification >> would be beneficial, it also appears that support for RAR is >> lagging. So until authorization servers, resource servers, and >> clients all support RAR, some kind of scope context is going to >> continue to be needed. >> >> That kind of "universal" support in a decoupled ecosystem like >> e-mail, calendars, and contacts is going to take time. >> >> So, while I agree expanding the scope of the draft to include >> standard RAR profiles is a good idea, I don't believe dropping the >> scopes would be a good idea at this time. Doing so could easily >> hamstring widespread support of advanced authentication for these >> services for many years. >> >> On 7/20/2025 04:01, Lombardo, Jeff wrote: >>> >>> To add to Warren point, it is important to reup feu Vittorio >>> Bertocci blog entry on the nature of OAuth2 scopes that cover >>> exactly this use case: >>> https://auth0.com/blog/on-the-nature-of-oauth2-scopes/ >>> >>> I think this proposal instead of building on top of the `scope` >>> claim should pivot into profiling *OAuth 2.0 Rich Authorization >>> Requests* (https://datatracker.ietf.org/doc/html/rfc9396) >>> >>> *Jean-François “Jeff” Lombardo*| Amazon Web Services >>> >>> // >>> >>> On Sun, Jul 20, 2025 at 08:19 AM Warren Parad <wparad@rhosys.ch> wrote >>> >>> I have some serious problems with this document: >>> >>> - I fundamentally disagree about the scopes defined for mail, calendar, >>> >>> and contact. One of the biggest problems with the scopes today, is >>> the lack >>> >>> of the scope "update/modify/delete BUT only the emails, contacts, and >>> >>> calendar meetings that the app has created". I don't want to give >>> *access >>> >>> to delete all my calendars* just so an app can *create calendar >>> >>> appointments in one calendar*. >>> >>> For me, scopes for calendar and contacts are already broken by >>> design, and >>> >>> this document actually makes it worse. Take the scope >>> >>> *urn:ietf:params:oauth:scope:calendar:update:* >>> >>> > Grants permission to create, modify, and delete calendars and events on >>> >>> > the user's behalf. >>> >>> The creation, modification, and deletion of calendars must be completely >>> >>> independent from the creation, modification, and deletion of >>> calendars. And >>> >>> most problematically, *as a user*, I would only want to give access >>> to do >>> >>> this one calendar at a time. Because of this we really need to define >>> >>> resource based syntax inside of OAuth spec to replace the scopes. >>> >>> In conclusion, this document only sets out to standardize the >>> irresponsible >>> >>> behavior of apps utilizing scopes today, cementing the current paradigm >>> >>> rather than replacing it with something that actually works correctly. >>> >>> Using OAuth scopes alone for this access, is the part that is wrong, not >>> >>> that it isn't standardized. In some cases, an incremental approach might >>> >>> help get to the perfect solution, but I don't see this document >>> helping to >>> >>> make that happen. If it does anything for me, this prevents forward >>> >>> progress in preference of keeping exactly what we already have. >>> >>> On Sun, Jul 20, 2025 at 7:42 AM Clinton Bunch >>> <cdbunch@emeraldgroupware.org> >>> <mailto:<cdbunch@emeraldgroupware.org>> >>> >>> wrote: >>> >>> > I submitted >>> https://datatracker.ietf.org/doc/draft-bunch-groupware-scopes/ >>> <https://datatracker.ietf.org/doc/draft-bunch-groupware-scopes/> >>> >>> > >>> >>> > This is a proposal of standard OAUTH2 scopes to support the loosely >>> >>> > coupled world of mail, calendaring, and contacts servers and clients. >>> >>> > >>> >>> > The current state is that every Authorization Server defines their own >>> >>> > scopes for these groupware services, leading client developers to hard >>> >>> > code these scopes, which, in practicality, limits them to supporting >>> >>> > OAUTH2 authentication for only a dozen or so providers big enough to >>> >>> > strong arm them into it. >>> >>> > >>> >>> > This is the remaining barrier to wide spread deployment of OAUTH2 >>> >>> > authentication for groupware services. The other half of the problem, >>> >>> > Client Registration, is solved by RFC 7591, OAuth 2.0 Dynamic Client >>> >>> > Registration Protocol. >>> >>> > >>> >>> > With these two pieces in place, Authorization Servers and clients can >>> >>> > begin to implement this advanced authorization process. >>> >>> > >>> >>> > _______________________________________________ >>> >>> > OAuth mailing list -- oauth@ietf.org <mailto:oauth@ietf.org> >>> >>> > To unsubscribe send an email to oauth-leave@ietf.org >>> <mailto:oauth-leave@ietf.org> >>> >>> > >>> >>> >>> _______________________________________________ >>> OAuth mailing list --oauth@ietf.org >>> To unsubscribe send an email tooauth-leave@ietf.org >> >> >> _______________________________________________ >> OAuth mailing list -- oauth@ietf.org >> To unsubscribe send an email to oauth-leave@ietf.org > > _______________________________________________ > OAuth mailing list --oauth@ietf.org > To unsubscribe send an email tooauth-leave@ietf.org
- [OAUTH-WG] Standardized OAuth 2.0 Scopes for Mail… Clinton Bunch
- [OAUTH-WG] Re: Standardized OAuth 2.0 Scopes for … Warren Parad
- [OAUTH-WG] Re: Standardized OAuth 2.0 Scopes for … Lombardo, Jeff
- [OAUTH-WG] Re: Standardized OAuth 2.0 Scopes for … torsten@lodderstedt.net
- [OAUTH-WG] Re: [mailmaint] Standardized OAuth 2.0… Kenneth Murchison
- [OAUTH-WG] Re: [mailmaint] Standardized OAuth 2.0… Clinton Bunch
- [OAUTH-WG] Re: Standardized OAuth 2.0 Scopes for … torsten@lodderstedt.net
- [OAUTH-WG] Re: Standardized OAuth 2.0 Scopes for … Clinton Bunch
- [OAUTH-WG] Re: Standardized OAuth 2.0 Scopes for … Clinton Bunch
- [OAUTH-WG] Re: [mailmaint] Re: Standardized OAuth… Ben Bucksch
- [OAUTH-WG] Re: Standardized OAuth 2.0 Scopes for … Clinton Bunch
- [OAUTH-WG] Re: Standardized OAuth 2.0 Scopes for … Dick Hardt
- [OAUTH-WG] Re: Standardized OAuth 2.0 Scopes for … Dick Hardt