[OAUTH-WG] Few questions about client_credentials

Sergey Beryozkin <sberyozkin@gmail.com> Thu, 01 March 2012 16:39 UTC

Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6213B21E8133 for <oauth@ietfa.amsl.com>; Thu, 1 Mar 2012 08:39:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P7FF+xOSM-gU for <oauth@ietfa.amsl.com>; Thu, 1 Mar 2012 08:39:16 -0800 (PST)
Received: from mail-bk0-f44.google.com (mail-bk0-f44.google.com [209.85.214.44]) by ietfa.amsl.com (Postfix) with ESMTP id 83BFE21E80B8 for <oauth@ietf.org>; Thu, 1 Mar 2012 08:39:16 -0800 (PST)
Received: by bkuw5 with SMTP id w5so810608bku.31 for <oauth@ietf.org>; Thu, 01 Mar 2012 08:39:15 -0800 (PST)
Received-SPF: pass (google.com: domain of sberyozkin@gmail.com designates 10.204.152.7 as permitted sender) client-ip=10.204.152.7;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of sberyozkin@gmail.com designates 10.204.152.7 as permitted sender) smtp.mail=sberyozkin@gmail.com; dkim=pass header.i=sberyozkin@gmail.com
Received: from mr.google.com ([10.204.152.7]) by 10.204.152.7 with SMTP id e7mr3169135bkw.70.1330619955735 (num_hops = 1); Thu, 01 Mar 2012 08:39:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=BLUP0AdEbn+KDQdBvo7VReKCKhXPvGMG3BhqJNp1fxU=; b=EgBYp84BHBhEOWmC496FkK/b+MEDAD8i3DYHiF3WtSCBWnLqVw7xEBIXdWasaXKFeT jFF469lz3ikqzSBePb67af2e1tZqmZW6DcfQ1DD9gMcT1GCdq+0U5H7BBk3r2ZXsnbpe JeZJvbSDIzrrNJG/7rUv62rHLjoUOanDzMukI=
Received: by 10.204.152.7 with SMTP id e7mr2548796bkw.70.1330619955646; Thu, 01 Mar 2012 08:39:15 -0800 (PST)
Received: from [10.36.226.4] ([217.173.99.61]) by mx.google.com with ESMTPS id t17sm4618806bke.6.2012.03.01.08.39.12 (version=SSLv3 cipher=OTHER); Thu, 01 Mar 2012 08:39:12 -0800 (PST)
Message-ID: <4F4FA62F.7010404@gmail.com>
Date: Thu, 01 Mar 2012 16:39:11 +0000
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.18) Gecko/20110617 Thunderbird/3.1.11
MIME-Version: 1.0
To: oauth@ietf.org
References: <E33E01DFD5BEA24B9F3F18671078951F156D8F4B@szxeml534-mbx.china.huawei.com> <4F3BB6B8.1030501@mitre.org>
In-Reply-To: <4F3BB6B8.1030501@mitre.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [OAUTH-WG] Few questions about client_credentials
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Mar 2012 16:39:17 -0000

Hi,

I have few questions about the client_credentials grant type.
Section 4.4 [1] says: "...client is requesting access to the protected 
resources under its control, or those of another resource owner..."

What I do not understand is the latter part of the above statement, how 
to establish a link between the client authentication (which is an 
actual grant in this case) and different resource owners given that the 
only thing we have is the client authentication. As far as I can see it 
is only possible to get a one to one link with the end user in this case.

Can someone please clarify what is meant by "those of another resource 
owner" phrase ?

The other question is about an optional scope parameter. It has to be 
ignored in case of the client requesting a token for accessing its own 
resources, right ?

Thanks, Sergey



[1] http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-4.4