IETF Logo Mail Archive

Re: [OAUTH-WG] Registration: Scope Values

Justin Richer <jricher@mitre.org> Mon, 15 April 2013 14:16 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C2F321F9440 for <oauth@ietfa.amsl.com>; Mon, 15 Apr 2013 07:16:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WlNWQoCKLJpN for <oauth@ietfa.amsl.com>; Mon, 15 Apr 2013 07:16:12 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 4313521F93F3 for <oauth@ietf.org>; Mon, 15 Apr 2013 07:16:12 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id D65E61F06D0; Mon, 15 Apr 2013 10:16:05 -0400 (EDT)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id C83811F026C; Mon, 15 Apr 2013 10:16:05 -0400 (EDT)
Received: from [10.146.15.29] (129.83.31.58) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.2.342.3; Mon, 15 Apr 2013 10:16:05 -0400
Message-ID: <516C0B9D.6000402@mitre.org>
Date: Mon, 15 Apr 2013 10:15:57 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130308 Thunderbird/17.0.4
MIME-Version: 1.0
To: Tim Bray <twbray@google.com>
References: <255B9BB34FB7D647A506DC292726F6E1150C74DADA@WSMSG3153V.srv.dir.telstra.com> <516C069F.9090308@mitre.org> <CA+ZpN26NJj7T8V0WYNnVi2O1EhwKqDbk3zBcJoNkgk5PM6N5+Q@mail.gmail.com>
In-Reply-To: <CA+ZpN26NJj7T8V0WYNnVi2O1EhwKqDbk3zBcJoNkgk5PM6N5+Q@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------050302010001070500000600"
X-Originating-IP: [129.83.31.58]
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Registration: Scope Values
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2013 14:16:13 -0000

Scopes aren't meant to be interoperable between services since they're 
necessarily API-specific. The only interoperable bit is that there's 
*some* place to put the values and that it's expressed as a bag of 
space-separated strings. How those strings get interpreted and enforced 
(which is really what's at stake here) is up to the AS and PR (or a 
higher-level protocol like UMA).

  -- Justin

On 04/15/2013 10:13 AM, Tim Bray wrote:
>
> This, as written, has zero interoperability.  I think this feature can 
> really only be made useful in the case where scopes are fixed strings.
>
> -T
>
> On Apr 15, 2013 6:54 AM, "Justin Richer" <jricher@mitre.org 
> <mailto:jricher@mitre.org>> wrote:
>
>     You are correct that the idea behind the "scope" parameter at
>     registration is a constraint on authorization-time scopes that are
>     made available. It's both a means for the client to request a set
>     of valid scopes and for the server to provision (and echo back to
>     the client) a set of valid scopes.
>
>     I *really* don't want to try to define a matching language for
>     scope expressions. For that to work, all servers would need to be
>     able to process the regular expressions for all clients, even if
>     the servers themselves only support simple-string scope values.
>     Any regular expression syntax we pick here is guaranteed to be
>     incompatible with something, and I think the complexity doesn't
>     buy much. Also, I think you suddenly have a potential security
>     issue if you have a bad regex in place on either end.
>
>     As it stands today, the server can interpret the incoming
>     registration scopes and enforce them however it wants to. The real
>     trick comes not from assigning the values to a particular client
>     but to enforcing them, and I think that's always going to be
>     service-specific. We're just not as clear on that as we could be.
>
>     After looking over everyone's comments so far, I'd like to propose
>     the following text for that section:
>
>
>         scope
>            OPTIONAL.  Space separated list of scope values (as described in
>            OAuth 2.0Section 3.3 [RFC6749]  <http://tools.ietf.org/html/rfc6749#section-3.3>) that the client can use when
>            requesting access tokens.  As scope values are service-specific,
>            the Authorization Server MAY define its own matching rules when
>            determining if a scope value used during an authorization request
>            is valid according to the scope values assigned during
>            registration. Possible matching rules include wildcard patterns,
>            regular expressions, or exactly matching the string. If omitted,
>            an Authorization Server MAY register a Client with a default
>            set of scopes.
>
>
>     Comments? Improvements?
>
>      -- Justin
>
>
>     On 04/14/2013 08:23 PM, Manger, James H wrote:
>>     Presumably at app registration time any scope specification is really a constraint on the scope values that can be requested in an authorization flow.
>>
>>     So ideally registration should accept rules for matching scopes, as opposed to actual scope values.
>>
>>     You can try to use scope values as their own matching rules. That is fine for a small set of "static" scopes. It starts to fail when there are a large number of scopes, or scopes that can include parameters (resource paths? email addresses?). You can try to patch those failures by allowing services to define service-specific special "wildcard" scope values that can only be used during registration (eg "read:*").
>>
>>     Alternatively, replace 'scope' in registration with 'scope_regex' that holds a regular expression that all scope values in an authorization flow must match.
>>
>>     --
>>     James Manger
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/oauth
>
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email