IETF Logo Mail Archive

Re: [OAUTH-WG] Scope :: Was: Extensibility for OAuth?

"Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> Thu, 24 June 2010 10:58 UTC

Return-Path: <hannes.tschofenig@nsn.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 40E8C3A6875 for <oauth@core3.amsl.com>; Thu, 24 Jun 2010 03:58:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.709
X-Spam-Level:
X-Spam-Status: No, score=-0.709 tagged_above=-999 required=5 tests=[AWL=0.031, BAYES_20=-0.74]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bEAqn8W5xEQQ for <oauth@core3.amsl.com>; Thu, 24 Jun 2010 03:58:48 -0700 (PDT)
Received: from demumfd002.nsn-inter.net (demumfd002.nsn-inter.net [93.183.12.31]) by core3.amsl.com (Postfix) with ESMTP id 17CC73A6784 for <oauth@ietf.org>; Thu, 24 Jun 2010 03:58:47 -0700 (PDT)
Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55]) by demumfd002.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id o5OAwrD2001396 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Thu, 24 Jun 2010 12:58:53 +0200
Received: from demuexc023.nsn-intra.net (demuexc023.nsn-intra.net [10.150.128.36]) by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id o5OAwq9N026192; Thu, 24 Jun 2010 12:58:52 +0200
Received: from FIESEXC015.nsn-intra.net ([10.159.0.23]) by demuexc023.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.4675); Thu, 24 Jun 2010 12:58:51 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 24 Jun 2010 13:58:09 +0300
Message-ID: <3D3C75174CB95F42AD6BCC56E5555B4502869858@FIESEXC015.nsn-intra.net>
In-Reply-To: <AANLkTild51WHVcXxYFCygL8sGSGiN3HILDFwIbym6Lfi@mail.gmail.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [OAUTH-WG] Scope :: Was: Extensibility for OAuth?
Thread-Index: AcsTcbz92OrLiBAWTqqVkquX92WR0QAGETTQ
References: <3D3C75174CB95F42AD6BCC56E5555B4502BE07CC@FIESEXC015.nsn-intra.net><E7A7F197-3BBC-43F2-8242-D0164057A39A@gmail.com> <AANLkTild51WHVcXxYFCygL8sGSGiN3HILDFwIbym6Lfi@mail.gmail.com>
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: ext Lukas Rosenstock <lr@lukasrosenstock.net>, Dick Hardt <dick.hardt@gmail.com>
X-OriginalArrivalTime: 24 Jun 2010 10:58:51.0750 (UTC) FILETIME=[3B10D860:01CB138C]
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Scope :: Was: Extensibility for OAuth?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jun 2010 10:58:49 -0000

The question is whether one would ever want to have a standardized semantic for the scope parameter. 
If the answer to that question is "no" then it does not matter what the format is. It can well be a list of  space-delimited strings (as it is currently defined). 

An evironment specific semantic works well in cases where entity X sets the value and later it receives the value again. Only entity X needs to understand what it means.

In some environments the use case is slightly different, namely entity X and entity Y are from the same organization and agree on the semantic. Usage of OAuth within an enterprise might be such a case. 

Now, the usage of the scope parameter is, however, a bit different in the spec. Section 4, for example, describes how a client obtains an access token. How does the client know what scope parameters to set and what the semantic is?

Ciao
Hannes

> -----Original Message-----
> From: ext Lukas Rosenstock [mailto:lr@lukasrosenstock.net] 
> Sent: Thursday, June 24, 2010 10:49 AM
> To: Dick Hardt
> Cc: Tschofenig, Hannes (NSN - FI/Espoo); OAuth WG
> Subject: Re: [OAUTH-WG] Scope :: Was: Extensibility for OAuth?
> 
> Wasn't there some concensus that URIs would be good for scope? They
> have "in-built namespacing" ...
> 
> Lukas
> 
> 2010/6/23 Dick Hardt <dick.hardt@gmail.com>:
> >
> > On 2010-06-22, at 11:07 PM, Tschofenig, Hannes (NSN - 
> FI/Espoo) wrote:
> >
> >> "
> >>   scope
> >>         OPTIONAL.  The scope of the access request 
> expressed as a list
> >>         of space-delimited strings.  The value of the 
> "scope" parameter
> >>         is defined by the authorization server.  If the 
> value contains
> >>         multiple space-delimited strings, their order does 
> not matter,
> >>         and each string adds an additional access range to the
> >>         requested scope.
> >> "
> >>
> >> Do folks think it would be useful to have standardized values?
> >
> > Not at this time. The semantics of scope are all over the 
> place. If standardized, people will feel they need to pick 
> one that is close to what they want, but is not exactly what 
> they mean. I think it is better for the AS to define what 
> they mean by a scope and give it a name that makes sense in 
> that context.
> >
> >>
> >> If the answer is "yes", then it would be useful to 
> differentiate the
> >> standardized values from those values that are purely 
> defined locally by
> >> the authorization server.
>

v2.43.4 | Report a Bug | By Email | System Status