Re: [OAUTH-WG] Registration: Scope Values
Justin Richer <jricher@mitre.org> Mon, 15 April 2013 14:16 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C2F321F9440 for <oauth@ietfa.amsl.com>; Mon, 15 Apr 2013 07:16:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WlNWQoCKLJpN for <oauth@ietfa.amsl.com>; Mon, 15 Apr 2013 07:16:12 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 4313521F93F3 for <oauth@ietf.org>; Mon, 15 Apr 2013 07:16:12 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id D65E61F06D0; Mon, 15 Apr 2013 10:16:05 -0400 (EDT)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id C83811F026C; Mon, 15 Apr 2013 10:16:05 -0400 (EDT)
Received: from [10.146.15.29] (129.83.31.58) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.2.342.3; Mon, 15 Apr 2013 10:16:05 -0400
Message-ID: <516C0B9D.6000402@mitre.org>
Date: Mon, 15 Apr 2013 10:15:57 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130308 Thunderbird/17.0.4
MIME-Version: 1.0
To: Tim Bray <twbray@google.com>
References: <255B9BB34FB7D647A506DC292726F6E1150C74DADA@WSMSG3153V.srv.dir.telstra.com> <516C069F.9090308@mitre.org> <CA+ZpN26NJj7T8V0WYNnVi2O1EhwKqDbk3zBcJoNkgk5PM6N5+Q@mail.gmail.com>
In-Reply-To: <CA+ZpN26NJj7T8V0WYNnVi2O1EhwKqDbk3zBcJoNkgk5PM6N5+Q@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------050302010001070500000600"
X-Originating-IP: [129.83.31.58]
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Registration: Scope Values
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2013 14:16:13 -0000
Scopes aren't meant to be interoperable between services since they're necessarily API-specific. The only interoperable bit is that there's *some* place to put the values and that it's expressed as a bag of space-separated strings. How those strings get interpreted and enforced (which is really what's at stake here) is up to the AS and PR (or a higher-level protocol like UMA). -- Justin On 04/15/2013 10:13 AM, Tim Bray wrote: > > This, as written, has zero interoperability. I think this feature can > really only be made useful in the case where scopes are fixed strings. > > -T > > On Apr 15, 2013 6:54 AM, "Justin Richer" <jricher@mitre.org > <mailto:jricher@mitre.org>> wrote: > > You are correct that the idea behind the "scope" parameter at > registration is a constraint on authorization-time scopes that are > made available. It's both a means for the client to request a set > of valid scopes and for the server to provision (and echo back to > the client) a set of valid scopes. > > I *really* don't want to try to define a matching language for > scope expressions. For that to work, all servers would need to be > able to process the regular expressions for all clients, even if > the servers themselves only support simple-string scope values. > Any regular expression syntax we pick here is guaranteed to be > incompatible with something, and I think the complexity doesn't > buy much. Also, I think you suddenly have a potential security > issue if you have a bad regex in place on either end. > > As it stands today, the server can interpret the incoming > registration scopes and enforce them however it wants to. The real > trick comes not from assigning the values to a particular client > but to enforcing them, and I think that's always going to be > service-specific. We're just not as clear on that as we could be. > > After looking over everyone's comments so far, I'd like to propose > the following text for that section: > > > scope > OPTIONAL. Space separated list of scope values (as described in > OAuth 2.0Section 3.3 [RFC6749] <http://tools.ietf.org/html/rfc6749#section-3.3>) that the client can use when > requesting access tokens. As scope values are service-specific, > the Authorization Server MAY define its own matching rules when > determining if a scope value used during an authorization request > is valid according to the scope values assigned during > registration. Possible matching rules include wildcard patterns, > regular expressions, or exactly matching the string. If omitted, > an Authorization Server MAY register a Client with a default > set of scopes. > > > Comments? Improvements? > > -- Justin > > > On 04/14/2013 08:23 PM, Manger, James H wrote: >> Presumably at app registration time any scope specification is really a constraint on the scope values that can be requested in an authorization flow. >> >> So ideally registration should accept rules for matching scopes, as opposed to actual scope values. >> >> You can try to use scope values as their own matching rules. That is fine for a small set of "static" scopes. It starts to fail when there are a large number of scopes, or scopes that can include parameters (resource paths? email addresses?). You can try to patch those failures by allowing services to define service-specific special "wildcard" scope values that can only be used during registration (eg "read:*"). >> >> Alternatively, replace 'scope' in registration with 'scope_regex' that holds a regular expression that all scope values in an authorization flow must match. >> >> -- >> James Manger >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values Donald F Coffin
- Re: [OAUTH-WG] Registration: Scope Values Donald F Coffin
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Donald F Coffin
- Re: [OAUTH-WG] Registration: Scope Values Manger, James H
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values prateek mishra
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values John Bradley
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Anthony Nadalin
- Re: [OAUTH-WG] Registration: Scope Values Phil Hunt
- Re: [OAUTH-WG] Registration: Scope Values Richer, Justin P.
- Re: [OAUTH-WG] Registration: Scope Values Richer, Justin P.
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Anthony Nadalin
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values Phil Hunt
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Phil Hunt
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer