Re: [OAUTH-WG] Can the repeated authorization of scopes be avoided ?

Thomas Broyer <t.broyer@gmail.com> Wed, 27 January 2016 16:07 UTC

References: <78kleo9cmvytysxs1qv8kep0.1453117674832@email.android.com> <569CDE25.90908@gmail.com> <CAAP42hA_3EmJw7fAXSSfg=KynAMF26x6vgm1HyLX1RAS4OpKfQ@mail.gmail.com> <569E08F6.4040600@gmail.com> <56A7B52C.2040302@gmail.com> <CAEayHEMrTjDQbdoX3C-2-oGUVVQTzCzDqbWU-hFeAtbSp-tCcg@mail.gmail.com> <7E08DFCA-ADBC-481A-896A-2725E1F79EFA@mit.edu> <56A8A762.9080004@gmail.com> <CAEayHEPi7hsu=zkr_qxadp02D9zzLGVDU-AGVZXzm25vE2bJFw@mail.gmail.com> <56A8B542.5060208@gmail.com> <56A8BE1B.2080404@aol.com>
In-Reply-To: <56A8BE1B.2080404@aol.com>
From: Thomas Broyer <t.broyer@gmail.com>
Date: Wed, 27 Jan 2016 16:07:43 +0000
Message-ID: <CAEayHEOtpUxMRKduitbe=D3UFHSazMmkf9UQoiPNjZFr0JATOA@mail.gmail.com>
To: George Fletcher <gffletch@aol.com>, Sergey Beryozkin <sberyozkin@gmail.com>, Justin Richer <jricher@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/6s7G_H6aSN14wsEKoxvzW1sbTpU>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Can the repeated authorization of scopes be avoided ?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jan 2016 16:07:59 -0000

On Wed, Jan 27, 2016 at 1:54 PM George Fletcher <gffletch@aol.com> wrote:

> The difference might be whether you want to store the scope consent by
> client "instance" vs client_id application "class".
>

Correct me if I'm wrong, but this only makes sense for "native apps", not
for web apps, right?
(Of course, now with "installable web apps", e.g. progressive web apps, the
lines get blurry; any suggestion how you'd do it then? Cookies?)
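The two consent-store keying strategies under discussion (per client_id "class" versus per client "instance"), as an added example that is not from this thread or from any authorization server implementation. The `ConsentStore`, `missing_scopes` function and the `instance_id` value are my own assumptions; how a server actually identifies a native-app instance is left open here.

```python
"""Added example: deciding whether an authorization server must re-prompt a user
for scope consent, with the consent record keyed either by client_id (the
application "class") or by an individual client instance.

All names here are assumptions for illustration, not from any real AS.
"""
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Grants are stored as  (user, client_id, instance_id) -> set of scope strings.
# When per_instance is False, instance_id is normalised to None so every
# instance of the same client_id shares one consent record.
GrantKey = Tuple[str, str, Optional[str]]


class ConsentStore:
    def __init__(self, per_instance: bool) -> None:
        self.per_instance = per_instance
        self._grants: Dict[GrantKey, Set[str]] = {}

    def _key(self, user: str, client_id: str, instance_id: Optional[str]) -> GrantKey:
        if self.per_instance:
            if instance_id is None:
                # A per-instance store cannot answer without knowing which instance asks.
                raise ValueError("instance_id is required when consent is stored per instance")
            return (user, client_id, instance_id)
        # Class keying: ignore the instance entirely.
        return (user, client_id, None)

    def record(self, user: str, client_id: str, scopes: Set[str],
               instance_id: Optional[str] = None) -> None:
        """Remember that `user` consented to `scopes` for this client (union with earlier grants)."""
        key = self._key(user, client_id, instance_id)
        self._grants.setdefault(key, set()).update(scopes)

    def revoke(self, user: str, client_id: str, instance_id: Optional[str] = None) -> None:
        self._grants.pop(self._key(user, client_id, instance_id), None)

    def missing_scopes(self, user: str, client_id: str, requested: Set[str],
                       instance_id: Optional[str] = None) -> FrozenSet[str]:
        """Scopes in `requested` that the user has not yet consented to for this key.

        Empty result => the consent screen can be skipped; otherwise the user
        must be shown (at least) the returned scopes.
        """
        granted = self._grants.get(self._key(user, client_id, instance_id), set())
        return frozenset(requested) - frozenset(granted)


def decide(store: ConsentStore, user: str, client_id: str, requested: Set[str],
           instance_id: Optional[str] = None) -> Tuple[str, FrozenSet[str]]:
    """Return ("skip", requested) or ("prompt", scopes_to_show)."""
    missing = store.missing_scopes(user, client_id, requested, instance_id)
    if not missing:
        return ("skip", frozenset(requested))
    return ("prompt", missing)


def demo() -> Dict[str, Tuple[str, FrozenSet[str]]]:
    """Constructed scenario: one web app keyed by class, one native app keyed by instance."""
    results: Dict[str, Tuple[str, FrozenSet[str]]] = {}

    # Web app: one consent record for the whole client_id.
    web = ConsentStore(per_instance=False)
    web.record("alice", "webapp", {"read", "write"})
    results["web_same_scopes"] = decide(web, "alice", "webapp", {"read"})
    results["web_new_scope"] = decide(web, "alice", "webapp", {"read", "admin"})

    # Native app: consent is tied to the installation that obtained it.
    native = ConsentStore(per_instance=True)
    native.record("alice", "nativeapp", {"read"}, instance_id="phone-A")
    results["native_same_instance"] = decide(native, "alice", "nativeapp", {"read"}, "phone-A")
    results["native_other_instance"] = decide(native, "alice", "nativeapp", {"read"}, "phone-B")
    return results


if __name__ == "__main__":
    for name, (action, scopes) in demo().items():
        print(f"{name}: {action} {sorted(scopes)}")
```

Keying by client_id alone only buys anything if the client_id is hard to impersonate; for a public native client it is not a secret, which is one reason to key consent per instance (or to re-prompt) in that case, while a confidential web client can safely share one record across all its sessions.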