IETF Logo Mail Archive

Re: [OAUTH-WG] 'Scope' parameter proposal

John Kemp <john@jkemp.net> Thu, 22 April 2010 19:04 UTC

Return-Path: <john@jkemp.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 43DFA3A6C7D for <oauth@core3.amsl.com>; Thu, 22 Apr 2010 12:04:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.765
X-Spam-Level:
X-Spam-Status: No, score=-2.765 tagged_above=-999 required=5 tests=[AWL=-0.500, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L7lzPgks2WSw for <oauth@core3.amsl.com>; Thu, 22 Apr 2010 12:04:48 -0700 (PDT)
Received: from outbound-mail-313.bluehost.com (cpoproxy3-pub.bluehost.com [67.222.54.6]) by core3.amsl.com (Postfix) with SMTP id 4E8E228C1AD for <oauth@ietf.org>; Thu, 22 Apr 2010 11:39:21 -0700 (PDT)
Received: (qmail 23246 invoked by uid 0); 22 Apr 2010 18:39:11 -0000
Received: from unknown (HELO box320.bluehost.com) (69.89.31.120) by cpoproxy3.bluehost.com with SMTP; 22 Apr 2010 18:39:11 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=jkemp.net; h=Received:Subject:Mime-Version:Content-Type:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:X-Mailer:X-Identified-User; b=SjJqmbg3TSM6bxR3OOcH9FwemPmoh0SMqnD+2K36DIUZe3CWGtj7iEa704TgDpzRKGp6hSldX8FDxFNC2ilFnrqmSuYRQocumS8fTvYdWWh46N+wjgFhE27Q8tyIzeXG;
Received: from c-75-69-14-217.hsd1.vt.comcast.net ([75.69.14.217] helo=[192.168.0.64]) by box320.bluehost.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.69) (envelope-from <john@jkemp.net>) id 1O51It-00016x-11; Thu, 22 Apr 2010 12:39:11 -0600
Mime-Version: 1.0 (Apple Message framework v1078)
Content-Type: text/plain; charset="us-ascii"
From: John Kemp <john@jkemp.net>
In-Reply-To: <g2mdaf5b9571004221036j5d6837f6z4d7959d69a3cbb2b@mail.gmail.com>
Date: Thu, 22 Apr 2010 14:39:08 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <BB02FD4F-071E-4FF5-B3D0-F8D3FA22FEEE@jkemp.net>
References: <C7F1D1FC.32809%eran@hueniverse.com> <0D5497F5-75A7-4A42-9A5E-9C2310162B18@jkemp.net> <90C41DD21FB7C64BB94121FBBC2E723438E5C7F30A@P3PW5EX1MB01.EX1.SECURESERVER.NET> <g2mdaf5b9571004221036j5d6837f6z4d7959d69a3cbb2b@mail.gmail.com>
To: Brian Eaton <beaton@google.com>
X-Mailer: Apple Mail (2.1078)
X-Identified-User: {1122:box320.bluehost.com:jkempnet:jkemp.net} {sentby:smtp auth 75.69.14.217 authed with john+jkemp.net}
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] 'Scope' parameter proposal
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Apr 2010 19:04:49 -0000

Hi Brian,

On Apr 22, 2010, at 1:36 PM, Brian Eaton wrote:

> On Mon, Apr 19, 2010 at 3:17 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
>>> The scope doesn't have to match the base URI of the resource which the
>>> client tried and got the 401 from?
>> 
>> That's a security issue we need to address (when to trust the resource server and reuse an existing token). We need to figure it out either way.
> 

[...]

> I'd rather we didn't put stuff in the OAuth 2 spec that we aren't 100%
> sure is going to work.  Ideally there should be lots of examples in
> production.

I agree.

> 
> I do like the idea of defining the scope parameter to be a delimited
> list of otherwise opaque strings.

So what we get in OAuth is simply an agreed parameter name in which to carry a list of opaque strings which might be used in any way imaginable (ie. not documented by the spec, no model in relation to the token) with usage model basically as decided by the various parties at deployment time. 

I'm not really seeing the *interoperability* value of that at all without some more rigorous description of the underlying model (note: I'm not saying we should necessarily make that model, but merely that without any described model, you don't have very much interoperability) 

>  Several service providers have
> already adopted this approach, and it seems to work reasonably well.

I agree that 'scope' is something that many SPs want. If they don't want it roughly the same way though (something more than a "bucket of opaque strings with a standard name") I don't know if I understand the point to standardizing it. 

Even those who write libraries won't get much value since they'll have to provide an extension point to do whatever is needed according to the particular deployment here anyway, and that extension point could already exist without the existence of an already-named parameter for "scope" functionality. 

[...]

- johnk

v2.23.0 | Report a Bug | By Email