Re: [OAUTH-WG] Can the repeated authorization of scopes be avoided ?

John Bradley <ve7jtb@ve7jtb.com> Thu, 28 January 2016 12:24 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7D861B3CB6 for <oauth@ietfa.amsl.com>; Thu, 28 Jan 2016 04:24:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.3
X-Spam-Level:
X-Spam-Status: No, score=-1.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, J_CHICKENPOX_64=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nVcLNTKRI91z for <oauth@ietfa.amsl.com>; Thu, 28 Jan 2016 04:24:24 -0800 (PST)
Received: from mail-qg0-x22a.google.com (mail-qg0-x22a.google.com [IPv6:2607:f8b0:400d:c04::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E2951B3CB2 for <oauth@ietf.org>; Thu, 28 Jan 2016 04:24:23 -0800 (PST)
Received: by mail-qg0-x22a.google.com with SMTP id 6so35282821qgy.1 for <oauth@ietf.org>; Thu, 28 Jan 2016 04:24:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=6rTVJjnG5+JkcZErAWzHO038kywZzW7OKlsrmBHmH3E=; b=mPvD/p363ek8nfpD/sjQpnpjeptqQ0V4IRkMzXCBXULnOlBHRfiVMb+9uYc6GbUtvl lrF13Zk4u/8VvLe13O5R2CZ5I02nqniX8KF/wX/2s1izO4T3Pj/6kzyU/wq+2rEhiFP4 2UBLe7EvYymaNZqu7IE2UhYheRqNcqkPihXkRYVnkMyDXGnbzHpN+ClCFBL3QymsGlbc mGKmflBnYnlUK3iah/yRGM3N3kZfa47aBijOPOrnMjSjIAJJ9fbKAPtov/XMyiusM8l6 z5IKzBB2Erl1B4eOxox9OpNTZUFcw2tL/TiJulVDbMT3qdGqZIc4m/iSStLDqgWqNnjC IHQw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=6rTVJjnG5+JkcZErAWzHO038kywZzW7OKlsrmBHmH3E=; b=a8iaNAw6SMzMRtVy5aEHa4BgPzZd+QCxJXlKNtcoZ8ZZ+JwbQRZbCLi4c8gSEBSY5m l3uZmZIK3o8xRgyfFYM6FUcOxBDUaAIArfGFS8WlnODJVOEaQIcKTJVgnRtH5T4F2rAi UXhzRbcdW098Ol5kSxjq3GkeBFzxHqnlF1DIV9LRDvJngyECCpAFo/8UBl0U+q4QrRnj ayexgF0E4puQpNtWSq43NLYy51Fypaf40SyC+CK0p5NpU9JRjyx5CugYpWXvtXVZf49j H1q7/75O7hwn4mcWzRPztcsJCwiJfVfmuYDoviV0QKyMpKNYanUdojbWY0rgDbPaDtXZ tyHQ==
X-Gm-Message-State: AG10YOTpZYi0OSVx95GCXNNjSHlJPRn8reM8AqRgBK+JoiR8YNnFdqp9pn0q6DPZ/pKafQ==
X-Received: by 10.140.146.136 with SMTP id 130mr2524860qhs.92.1453983862981; Thu, 28 Jan 2016 04:24:22 -0800 (PST)
Received: from [192.168.1.35] ([191.115.49.204]) by smtp.gmail.com with ESMTPSA id l129sm1230003qhc.24.2016.01.28.04.24.20 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 28 Jan 2016 04:24:22 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_AE1824E0-D94E-48AC-B1D2-B7D1A63EEB9B"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAEayHEOtpUxMRKduitbe=D3UFHSazMmkf9UQoiPNjZFr0JATOA@mail.gmail.com>
Date: Thu, 28 Jan 2016 09:24:17 -0300
Message-Id: <E4FE9AE7-2EDB-426B-98FE-25ADF85F3A3E@ve7jtb.com>
References: <78kleo9cmvytysxs1qv8kep0.1453117674832@email.android.com> <569CDE25.90908@gmail.com> <CAAP42hA_3EmJw7fAXSSfg=KynAMF26x6vgm1HyLX1RAS4OpKfQ@mail.gmail.com> <569E08F6.4040600@gmail.com> <56A7B52C.2040302@gmail.com> <CAEayHEMrTjDQbdoX3C-2-oGUVVQTzCzDqbWU-hFeAtbSp-tCcg@mail.gmail.com> <7E08DFCA-ADBC-481A-896A-2725E1F79EFA@mit.edu> <56A8A762.9080004@gmail.com> <CAEayHEPi7hsu=zkr_qxadp02D9zzLGVDU-AGVZXzm25vE2bJFw@mail.gmail.com> <56A8B542.5060208@gmail.com> <56A8BE1B.2080404@aol.com> <CAEayHEOtpUxMRKduitbe=D3UFHSazMmkf9UQoiPNjZFr0JATOA@mail.gmail.com>
To: Thomas Broyer <t.broyer@gmail.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/B-Dmpzfsl53iT31MADjbkFb_bD8>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Can the repeated authorization of scopes be avoided ?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jan 2016 12:24:27 -0000

No web clients often make use of sticky grants.   Sharing client_id amongst multiple instances is a native app thing, but stick grants work best with confidential clients.

It is to some extent a UI decision by the AS, to tell the user you have already granted A & B , they are asking to add C,  or re-prompt the user for A, B and C without giving the context.

The other thing to consider is implicit clients without refresh tokens.   

If the client is JS in the browser then if you remember the grants the JS can do a prompt=none flow to refresh an expired AT in the background as long as the browser has a session with the AS.

If you are using an implicit client and don’t support sticky grants, you wind up having to have AT that have a lifetime grater than what is optimal.

John B.

> On Jan 27, 2016, at 1:07 PM, Thomas Broyer <t.broyer@gmail.com>; wrote:
> 
> 
> 
> On Wed, Jan 27, 2016 at 1:54 PM George Fletcher <gffletch@aol.com <mailto:gffletch@aol.com>> wrote:
> The difference might be whether you want to store the scope consent by client "instance" vs client_id application "class".
> 
> Correct me if I'm wrong but this only makes sense for "native apps", not for web apps, right?
> (of course, now with "installable web apps" –e.g. progressive web apps–, lines get blurry; any suggestion how you'd do it then? cookies?)
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth