Re: [OAUTH-WG] Issue: Scope parameter

[Eran Hammer-Lahav <eran@hueniverse.com>]

Don't they need to pass any other extension parameter around too? What makes this one so special?

EHL


On 4/15/10 12:20 PM, "Marius Scurtescu" <mscurtescu@google.com> wrote:

I still have not seen any arguments why scope structure is needed for
interop. Client and server side libraries do not need to understand
the scope, they just pass it around. Client and server code do need to
understand the scope, but we are not dealing with that.

Yes, a scope parameter does not buy much, it only prevents each authz
server from inventing their own custom parameter.

Marius



On Thu, Apr 15, 2010 at 12:07 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> WRAP includes a loosely defined scope parameter which allows for
> vendor-specific (and non-interoperable) use cases. This was requested by
> many working group members to be included in OAuth 2.0 with the argument
> that while it doesn't help interop, it makes using clients easier.
>
> The problem with a general purpose scope parameter that is completely
> undefined in structure is that it hurts interop more than it helps. It
> creates an expectation that values can be used across services, and it
> cannot be used without another spec defining its content and structure. Such
> as spec can simply define its own parameter.
>
> In addition, it is not clear what belongs in scope (list of resources,
> access type, duration of access, right to share data, rights to
> re-delegate).
>
> The rules should be that if a parameter cannot be used without another
> documentation, it should be defined in that other document.
>
> Proposal: Request proposals for a scope parameter definition that improve
> interop. Otherwise, keep the parameter out of the core spec.
>
> EHL
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>