Re: [OAUTH-WG] Seeking Clarification: Potential Ambiguity in Specification

William Mills <wmills@yahoo-inc.com> Sat, 21 January 2012 05:03 UTC

Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9EE621F8499 for <oauth@ietfa.amsl.com>; Fri, 20 Jan 2012 21:03:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.412
X-Spam-Level:
X-Spam-Status: No, score=-17.412 tagged_above=-999 required=5 tests=[AWL=0.186, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pEaZwU2fG7vh for <oauth@ietfa.amsl.com>; Fri, 20 Jan 2012 21:03:00 -0800 (PST)
Received: from nm39-vm2.bullet.mail.ne1.yahoo.com (nm39-vm2.bullet.mail.ne1.yahoo.com [98.138.229.162]) by ietfa.amsl.com (Postfix) with SMTP id 1868C21F8498 for <oauth@ietf.org>; Fri, 20 Jan 2012 21:02:59 -0800 (PST)
Received: from [98.138.90.56] by nm39.bullet.mail.ne1.yahoo.com with NNFMP; 21 Jan 2012 05:02:56 -0000
Received: from [98.138.89.245] by tm9.bullet.mail.ne1.yahoo.com with NNFMP; 21 Jan 2012 05:02:56 -0000
Received: from [127.0.0.1] by omp1059.mail.ne1.yahoo.com with NNFMP; 21 Jan 2012 05:02:56 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 805731.37815.bm@omp1059.mail.ne1.yahoo.com
Received: (qmail 16876 invoked by uid 60001); 21 Jan 2012 05:02:56 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1327122176; bh=kZej4mjyPTW/qbqU4Xo4Px7NOtiP3ZAPQrRQiWBPBLo=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=Ic+hi499vnsPgNkAiaZdMD9JuXv/Xt7GA3v9NT2DDvjJ/r2VmvIE2+yAoHHe85bfof4Tuy3Vwf3jdOdJ4VyyrMsj0HGiM904MwwkEieHtkbWdiaWMCyv3cWvc6k809mUSjsXgKBccx4T+2zlNIxSWbEUAF/+iZs3fgt7Lmz1RPQ=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=r6xLoqTTZebLZq0MxPLrWQ0Ai0XhXuD1iRM/dOfqIf9Bi9N5bUzRixJiJkqqXWv92HWpIo/nTwIDWNFWyIOXqSrgxbXzKNwPCmeDGpzLF0tPRHcOFbK1PemehdbdcnWHJ+ZI0ug/3ftoNrXj4UCeeu2iqdjsVQOYQgHC0KoI8Qw=;
X-YMail-OSG: DHUrL_oVM1npNoLg85za8..L1V_uiSU29XssbTnQMoBFVs0 qEKXp2_Ix7gPr_AQdOizUBnqbgi11LNw2ufALgGfSvVpYkm1U8Wr4HHIBvG1 nl0_w7WwPEl3mUd17YE4GlDr9c.RQ0A2BQ1Je6WMW5CzCe5phamJYVpUm_pM OOUHPc0VwMVCd9xAaomzpZe6qMAaV0O.lDOwLJvUlZrXaujndBBdYVej6P.r gLyn41v2jueJCf56FN2A98GS1FzRtXgUgLq6cPW8Fg7lfPo_E9nZoQleekkT gqwuIycgO64gTDv900weLuRvBN.IwWzR2SdyvySmfF8rb8SQaVeozdRuMRdT 6Fra0px4N65Z.3Wmm7MCz2zd6ciJy5c5JO_n1PqUG4QXPNa_t4yQ9n30tTe. bZLCT67HKE02iHItx54in.XGaXrM6eDESTlSpmqaO6zfH4EYzcNf3UpIaJuT P4C4d1rxIbRRYJvNfmFWV9p9J6wpJZ.vMOsP4yhvWzL.x
Received: from [99.31.212.42] by web31809.mail.mud.yahoo.com via HTTP; Fri, 20 Jan 2012 21:02:56 PST
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.116.338427
References: <CAG+j4TrQGwiDj01huDgfEy+02b4=tTDYifiXcvhDHrw3i32-6Q@mail.gmail.com> <6.2.5.6.2.20120109070921.0aec8d00@resistor.net> <CAG+j4TrFoxvMMK_Bx=0e1qFLjUmKKaEmJD6hBnR06H6Fm75xfw@mail.gmail.com> <6.2.5.6.2.20120109153323.0ab3bf80@resistor.net> <CAG+j4TpuO0N7n9xxB=3mh7EZhsjXDtB2DPa0S8BBJmhV_mv4Xw@mail.gmail.com> <1326156786.88572.YahooMailNeo@web31812.mail.mud.yahoo.com> <CAG+j4TrUGtua8umh+GqJM_i6OeZrwHy7NwoGK1dTYGpHBuuV2Q@mail.gmail.com> <1326160314.71861.YahooMailNeo@web31806.mail.mud.yahoo.com> <CAG+j4TrkXE_N6T35LaApswKJMRzNmBYbB_CnqUi37s6sK5nQAw@mail.gmail.com> <1326162276.40306.YahooMailNeo@web31811.mail.mud.yahoo.com> <CAG+j4TqhGi_0Z=C7gPbxAx6L7DV-NeLCewYyc4T-SbfdfWR=GA@mail.gmail.com> <1326215997.44445.YahooMailNeo@web31816.mail.mud.yahoo.com> <6.2.5.6.2.20120110104038.099f1ba8@resistor.net> <E300DA82-5DB9-4768-AF21-D30B15ECB4D0@oracle.com> <90C41DD21FB7C64BB94121FBBC2E723453A72D0F24@P3PW5EX1MB01.EX1.SECURESERVER.NET> <1326240141.98332.YahooMailNeo@web31808.mail.mud .yahoo.com> <90C41DD21FB7C64BB94121FBBC2E723453A72D0F60@P3PW5EX1MB01.EX1.SECURESERVER.NET> <1326268674.20557.YahooMailNeo@web31807.mail.mud.yahoo.com> <90C41DD21FB7C64BB94121FBBC2E723453AAB964E7@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Message-ID: <1327122176.2902.YahooMailNeo@web31809.mail.mud.yahoo.com>
Date: Fri, 20 Jan 2012 21:02:56 -0800 (PST)
From: William Mills <wmills@yahoo-inc.com>
To: Eran Hammer <eran@hueniverse.com>, "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723453AAB964E7@P3PW5EX1MB01.EX1.SECURESERVER.NET>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-1395015409-2109497095-1327122176=:2902"
Subject: Re: [OAUTH-WG] Seeking Clarification: Potential Ambiguity in Specification
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Jan 2012 05:03:02 -0000

Works for me.



________________________________
 From: Eran Hammer <eran@hueniverse.com>
To: William Mills <wmills@yahoo-inc.com>; "oauth@ietf.org" <oauth@ietf.org> 
Sent: Friday, January 20, 2012 12:32 PM
Subject: RE: [OAUTH-WG] Seeking Clarification: Potential Ambiguity in Specification
 

New text added to Access Token Scope section:
 
          If the client omits the scope parameter when requesting authorization, the authorization
          server MUST process the request using a pre-defined default value, or fail the request
          indicating an invalid scope. The authorization server SHOULD document its scope
          requirements and default value (if defined).
 
 
EHL
 
From:William Mills [mailto:wmills@yahoo-inc.com] 
Sent: Tuesday, January 10, 2012 11:58 PM
To: Eran Hammer; oauth@ietf.org
Subject: Re: [OAUTH-WG] Seeking Clarification: Potential Ambiguity in Specification
 
"Null string", "empty string", or "server defined default value" all work.  Default scope doesn't do it for me.
 

________________________________

From:Eran Hammer <eran@hueniverse.com>
To: William Mills <wmills@yahoo-inc.com>; "oauth@ietf.org" <oauth@ietf.org> 
Sent: Tuesday, January 10, 2012 5:24 PM
Subject: RE: [OAUTH-WG] Seeking Clarification: Potential Ambiguity in Specification
 
I don’t like ‘empty scope’ as it is undefined. I prefer ‘default scope’.
 
EHL
 
From:William Mills [mailto:wmills@yahoo-inc.com] 
Sent: Tuesday, January 10, 2012 4:02 PM
To: Eran Hammer; oauth@ietf.org
Subject: Re: [OAUTH-WG] Seeking Clarification: Potential Ambiguity in Specification
 
On your #1, I don't agree that an empty scope is useless.  There are comparable implementations that use an empty scope to be a wildcard scope.  I'd say, 
 
"The client can MAY include or omit the scope parameter. If omitted, the server must process the request using an empty scope as the default.  The server then processes the request either issuing a grant with it's default scope as defined by the server or failing the request indicating an invalid scope requested."
 
That language isn't quite right, but I think it's clear.
 

________________________________

From:Eran Hammer <eran@hueniverse.com>
To: "oauth@ietf.org" <oauth@ietf.org> 
Sent: Tuesday, January 10, 2012 1:15 PM
Subject: Re: [OAUTH-WG] Seeking Clarification: Potential Ambiguity in Specification

I don't think the issue here is about the scope value, but who does the OPTIONAL designation applies to. IOW, is it optional for the server to support/require it, or is it optional for the client to include or omit it.

The intention was to make it optional for the authorization server to make all decisions about the parameter, including making it required. But the text is confusing since the text is aimed directly at the client when making the request.

We need to clarify this and the options are:

1. The client can decide if they want to include or omit the scope parameter. If omitted, the server must process the request using some documented default scope. This default scope can be an empty scope rendering the token useless for anything other than verifying user authentication.

2. The server can declare scope to be a required parameter in which case the client must include it or the request will fail. In this case, we should make the text clearer that clients to find out if the particular server requires it.

#1 is better for interoperability, #2 is more in the spirit of the parameter discussions so far.

EHL

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Phil Hunt
> Sent: Tuesday, January 10, 2012 11:33 AM
> To: SM
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] Seeking Clarification: Potential Ambiguity in
> Specification
> 
> The underlying issue is that there was a decision not to in any way
> standardize values for scope.
> 
> I agreed this was reasonable since the underlying resource APIs are likely to
> be very specific requiring some degree of prior knowledge by the client app
> developer. Thus the resource server OAuth infrastructure is free to decide
> what are and are not acceptable values including missing or null values for
> scope.
> 
> I think the specification is acceptable as it is.
> 
> I note that other specifications that layer on top of OAuth2 such as OpenID
> Connect may choose to strictly define acceptable values for scope. This type
> of layering works well in my opinion.
> 
> Phil
> 
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
> 
> 
> 
> 
> 
> On 2012-01-10, at 10:56 AM, SM wrote:
> 
> > At 09:19 10-01-2012, William Mills wrote:
> >> That does clear it up!  If the implementation returns a proper error when
> the scope is omitted then it will be in conformance.  Sending an error result
> for the empty scope is valid.
> >
> > Yes.
> >
> > It is not possible to get a clear view of the specs if the discussion about
> "ambiguity" relies on the meaning of the word "OPTIONAL" only.  If there is a
> problem, then clarifying text could be used to fix it instead of changing the
> requirements.
> >
> > Regards,
> > -sm
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth