IETF Logo Mail Archive

Re: [OAUTH-WG] Registration: Scope Values

Justin Richer <jricher@mitre.org> Mon, 15 April 2013 13:54 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82A7E21F93B7 for <oauth@ietfa.amsl.com>; Mon, 15 Apr 2013 06:54:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QCuMshlNZYQB for <oauth@ietfa.amsl.com>; Mon, 15 Apr 2013 06:54:48 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 93BC921F86C5 for <oauth@ietf.org>; Mon, 15 Apr 2013 06:54:48 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 1D6D51F0540; Mon, 15 Apr 2013 09:54:48 -0400 (EDT)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 0D4BD1F0330; Mon, 15 Apr 2013 09:54:48 -0400 (EDT)
Received: from [10.146.15.29] (129.83.31.58) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.2.342.3; Mon, 15 Apr 2013 09:54:47 -0400
Message-ID: <516C069F.9090308@mitre.org>
Date: Mon, 15 Apr 2013 09:54:39 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130308 Thunderbird/17.0.4
MIME-Version: 1.0
To: "Manger, James H" <James.H.Manger@team.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E1150C74DADA@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E1150C74DADA@WSMSG3153V.srv.dir.telstra.com>
Content-Type: multipart/alternative; boundary="------------050909090700000206030109"
X-Originating-IP: [129.83.31.58]
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Registration: Scope Values
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2013 13:54:49 -0000

You are correct that the idea behind the "scope" parameter at 
registration is a constraint on authorization-time scopes that are made 
available. It's both a means for the client to request a set of valid 
scopes and for the server to provision (and echo back to the client) a 
set of valid scopes.

I *really* don't want to try to define a matching language for scope 
expressions. For that to work, all servers would need to be able to 
process the regular expressions for all clients, even if the servers 
themselves only support simple-string scope values. Any regular 
expression syntax we pick here is guaranteed to be incompatible with 
something, and I think the complexity doesn't buy much. Also, I think 
you suddenly have a potential security issue if you have a bad regex in 
place on either end.

As it stands today, the server can interpret the incoming registration 
scopes and enforce them however it wants to. The real trick comes not 
from assigning the values to a particular client but to enforcing them, 
and I think that's always going to be service-specific. We're just not 
as clear on that as we could be.

After looking over everyone's comments so far, I'd like to propose the 
following text for that section:


    scope
       OPTIONAL.  Space separated list of scope values (as described in
       OAuth 2.0Section 3.3 [RFC6749]  <http://tools.ietf.org/html/rfc6749#section-3.3>) that the client can use when
       requesting access tokens.  As scope values are service-specific,
       the Authorization Server MAY define its own matching rules when
       determining if a scope value used during an authorization request
       is valid according to the scope values assigned during
       registration. Possible matching rules include wildcard patterns,
       regular expressions, or exactly matching the string. If omitted,
       an Authorization Server MAY register a Client with a default
       set of scopes.


Comments? Improvements?

  -- Justin


On 04/14/2013 08:23 PM, Manger, James H wrote:
> Presumably at app registration time any scope specification is really a constraint on the scope values that can be requested in an authorization flow.
>
> So ideally registration should accept rules for matching scopes, as opposed to actual scope values.
>
> You can try to use scope values as their own matching rules. That is fine for a small set of "static" scopes. It starts to fail when there are a large number of scopes, or scopes that can include parameters (resource paths? email addresses?). You can try to patch those failures by allowing services to define service-specific special "wildcard" scope values that can only be used during registration (eg "read:*").
>
> Alternatively, replace 'scope' in registration with 'scope_regex' that holds a regular expression that all scope values in an authorization flow must match.
>
> --
> James Manger
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email