Re: [OAUTH-WG] Issue: Scope parameter
Evan Gilbert <uidude@google.com> Mon, 19 April 2010 16:11 UTC
Return-Path: <uidude@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0C2813A6851 for <oauth@core3.amsl.com>; Mon, 19 Apr 2010 09:11:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.685
X-Spam-Level:
X-Spam-Status: No, score=-105.685 tagged_above=-999 required=5 tests=[AWL=0.291, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id asGQp9oYLXaX for <oauth@core3.amsl.com>; Mon, 19 Apr 2010 09:11:06 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by core3.amsl.com (Postfix) with ESMTP id 6BADF28C265 for <oauth@ietf.org>; Mon, 19 Apr 2010 08:51:47 -0700 (PDT)
Received: from hpaq7.eem.corp.google.com (hpaq7.eem.corp.google.com [10.3.21.7]) by smtp-out.google.com with ESMTP id o3JFpYjt012583 for <oauth@ietf.org>; Mon, 19 Apr 2010 08:51:34 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1271692295; bh=TWUAHrtXln48RmfHMXCdBLIPp0E=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=fe7JNPpfKohzZmsFItmF4pS57PJqUmxaVZXAZvgHVXAwmBOpUhT4DQyojzd7RZ6/L O0MBD9wKj5XQsBlGjrSNQ==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:from:date:message-id: subject:to:cc:content-type:x-system-of-record; b=Azaix7r1s8wvU0zZQPnD6uG6+1EIgtQ2zThKQtEz0NWydjKsP+G/thISme7n9lmgR PiexZe2oyriMkvQ82djQg==
Received: from yxe11 (yxe11.prod.google.com [10.190.2.11]) by hpaq7.eem.corp.google.com with ESMTP id o3JFpWoa022122 for <oauth@ietf.org>; Mon, 19 Apr 2010 17:51:32 +0200
Received: by yxe11 with SMTP id 11so2755077yxe.10 for <oauth@ietf.org>; Mon, 19 Apr 2010 08:51:32 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.16.148 with HTTP; Mon, 19 Apr 2010 08:51:09 -0700 (PDT)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723438E5C7F020@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <C7ECB1F7.32357%eran@hueniverse.com> <h2l987bab591004181812ve43197f9la55f59b753bd2959@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723438E30A3794@P3PW5EX1MB01.EX1.SECURESERVER.NET> <B9DB81DC-2B8F-4FFF-9FF1-78DB334DF101@gmail.com> <90C41DD21FB7C64BB94121FBBC2E723438E30A37A0@P3PW5EX1MB01.EX1.SECURESERVER.NET> <A08279DC79B11C48AD587060CD93977125F0AAB4@TK5EX14MBXC103.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E723438E5C7F020@P3PW5EX1MB01.EX1.SECURESERVER.NET>
From: Evan Gilbert <uidude@google.com>
Date: Mon, 19 Apr 2010 08:51:09 -0700
Received: by 10.229.224.133 with SMTP id io5mr3860224qcb.37.1271692291977; Mon, 19 Apr 2010 08:51:31 -0700 (PDT)
Message-ID: <j2lc8689b661004190851l80009045oc4024ac7a66c4250@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: multipart/alternative; boundary="0016363b851053c066048498ef71"
X-System-Of-Record: true
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Issue: Scope parameter
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2010 16:11:09 -0000
On Mon, Apr 19, 2010 at 8:14 AM, Eran Hammer-Lahav <eran@hueniverse.com>wrote: > Where does it say you cannot add a parameter named scope? To suggest that > you can’t use the specification because it doesn’t define a placeholder for > something called ‘scope’ is ridiculous. > > > > Simpler client interface is a valid argument, but so is striving for actual > interop. Almost every single company is going to add a custom parameter to > their implementation. Are you suggesting that if we define ‘scope’ we will > significantly reduce the need to define **any** vendor-specific > parameters? Because if not, libraries will still need to pass custom > parameters as key-value pairs in their interface. > > > > So far no one has made an argument why this parameter **has** to be > defined as a server-specific value! What breaks if we define it as a > comma-separated list of URIs or realms (the server will need to use realm > values it can distinguish from resource URIs in case it uses URIs for realm > values, which is trivial to do)? Please explain to me how this proposal > doesn’t work for you. > > > > When the group discussed signatures you demanded we start with use cases. > So let’s do that now. How do people plan to use this parameter? What are you > going to include as scope? What’s the internal encoding/structure you are > going to use? > > > > The burden is on **you** to explain why a parameter in an interop > specification MUST be left vendor specific, or why we can’t figure it out * > *now**. > We all want to move towards a common syntax for scopes, but I don't think we will be able to generalize this on day one. Even if we agreed on a common syntax we all are aiming for, we would need to support existing vendor scopes until we get there. Google today uses a list of URLs for scope definition, and we want OAuth to support this even if we decide to move towards something better. Standardizing only on a parameter name may seem to be low-value, but it both provides some consistency and also a clear placeholder for where to put a parameter to ask for access to a specific resource / set of scopes. Think that people feel strongly about keeping this in because the spec feels incomplete if it doesn't have some way to ask for specific resources - I'd much rather have custom parameter values than custom parameter names. > > > EHL > > > > > > > > *From:* Anthony Nadalin [mailto:tonynad@microsoft.com] > *Sent:* Monday, April 19, 2010 5:53 AM > *To:* Eran Hammer-Lahav; Dick Hardt > *Cc:* OAuth WG > *Subject:* RE: [OAUTH-WG] Issue: Scope parameter > > > > > I’m strongly opposed to writing a spec that must be profiled in order to > be implemented and the proposed definition of the scope parameter mandates > profiling the spec. > > > > I’m strongly opposed to having a specification that can’t be used because > it’s so restrictive > > > > *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On Behalf > Of *Eran Hammer-Lahav > *Sent:* Sunday, April 18, 2010 11:03 PM > *To:* Dick Hardt > *Cc:* OAuth WG > *Subject:* Re: [OAUTH-WG] Issue: Scope parameter > > > > I’m strongly opposed to writing a spec that must be profiled in order to be > implemented and the proposed definition of the scope parameter mandates > profiling the spec. > > > > If it has a structure – what is it? If it is an opaque string, where does > the client get it from? You cannot have interop if the protocol requires > reading paperwork. There is a difference between reusing code (which is what > your argument is about) than interop. > > > > The fact it is easier to pass a named parameter than a list of key-value > pairs is just not a good enough reason. I can live with a parameter with an > opaque value, but it needs to be better defined than ‘scope’. > > > > I have seen services with both scope and permission parameters. What’s the > guidance to these services? Drop permissions and encode it into the scope? > Define it as server-specific? Toss a coin? How about also putting the > desired username into scope instead of another parameter? > > > > How about we add ‘custom1’, ‘custom2’, and ‘custom3’ parameters to make it > easier for servers to use generic libraries with their own extensions? I’m > sure we can find a few more generally useful words to throw in there. > > > > --- > > > > Interop is accomplished when a standard authentication protocol is used > together with a standard API protocol. For example, Portable Contacts uses > OAuth with a standard API and schema to achieve transparent interop. Clients > don’t need to know anything specific about the server to request an address > book record if they know where the Poco endpoint is, and can speak OAuth to > get permission to private data. > > > > If we define a scope parameter, Poco will stop working unless Poco defines > how to use the scope parameter when asking for a token capable of accessing > Poco resources. But it cannot do it without breaking existing services with > their completely incompatible definition and format for scope. > > > > On the other hand, if we defined a basic way to use scope, Poco will be > able to use that in a consistent way across services and work in the same > automagical way. > > > > I am not arguing against having a scope parameter. I think we should and > have enough implementation experience to do it now (we didn’t 3 years ago). > I am arguing that the current proposal is ignoring the responsibility we > have to improve interop. If people want scope they need to do a better job > defining what it is. > > > > From anything I heard so far on this list, a comma-separated list of URIs > or realms would work. > > > > --- > > > > My service requires: > > > > Resources – list of resource URIs or realms > > Permission – read / change / add / delete > > Duration – access token lifetime > > > > Reading the definition of the scope parameter I don’t know how to map my > requirements to it. Am I expected to invent an encoding scheme to get all > this information into the scope parameter? It seem that **every** server > developer will need to invent such a scheme. > > > > Using your exact argument, I can also request that we add a ‘permission’ > and ‘duration’ parameters, equally undefined, because it is easier for my > developers to have the library pass these. > > > > EHL > > > > > > > > *From:* Dick Hardt [mailto:dick.hardt@gmail.com] > *Sent:* Sunday, April 18, 2010 10:28 PM > *To:* Eran Hammer-Lahav > *Cc:* OAuth WG > *Subject:* Re: [OAUTH-WG] Issue: Scope parameter > > > > > > > > On 2010-04-18, at 9:56 PM, Eran Hammer-Lahav wrote: > > > > The client_id parameter is not expected to have an internal structure known > to clients. > > > > The client developer needs to understand it. > > > > The likelihood of a client library treating this value as anything other > than an opaque string is practically zero. client_id is well defined, > especially when it comes to how clients are expected to interact with it. I > have not seen a single implementation or requirement to put client-aware > meaning into the client_id parameter value. It is an opaque, server-issued > string. > > > > > > What about the format parameter that specifies that assertion? > > > > > > > > The proposed scope parameter is expected to always have an internal > structure and clients are expected to read some documentation explaining how > to use it. The likelihood of a client library to implement one such > structure based on the first service it is used for is not insignificant. > And once one popular service use it in one way, others are likely to do the > same to make their developers life easier. So why leave this up to the first > popular service to decide. > > > > This does not make sense. Services are already defining scope parameters, > libraries are adding them in. > > The client library should treat the scope parameter as a string just like > all the other strings that are passed around. Given that a number of popular > services have a scope like parameter now, I don't know of a situation where > a library developer has done what you fear. > > > > > > Libraries are expected to pass up and down **any** parameter, regardless > of its status as a core protocol parameter or not. A library that doesn’t is > broken. If they do that, defining a scope parameter adds absolutely nothing. > For example, we can add a language parameter which will be used by the > client to request a specific UI language experience but leave the value to > be server specific. Clearly this is useless without defining how the > parameter shall be used. From an interop and spec perspective, how is scope > different? > > > > It is much simpler for the library to have an interface where you specify > specific values than hand in an arbitrary set of name value pairs. > > > > > > The current proposal is to pick an ambiguous term and add it as a parameter > with no clear meaning, purpose, or structure. I don’t know what scope means. > > Does it include permissions? The desired access lifetime? The ability to > share the tokens with other providers? Different HTTP methods? All the > examples I have seen treat it as a list of resources either directly (list > of URIs) or indirectly (list of sets or service types). > > > > It could be any of those things. The scope of access that the client is > asking for. > > > > > > How about we also add a ‘redelegation’, ‘duration’, ‘permission’, > ‘methods’, and a few more and leave them all server specific? According to > the proposal logic, why not? > > > > Those would all be included under scope. > > > > Many implementors are saying they want the scope parameter. Are there > implementors / deployers that don't want it? You seem to have a strong > opinion on this point that is based on a potential interop fear you have > that is contrary to many implementors. > > > > -- Dick > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] Issue: Scope parameter Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: Scope parameter Marius Scurtescu
- Re: [OAUTH-WG] Issue: Scope parameter David Recordon
- Re: [OAUTH-WG] Issue: Scope parameter Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: Scope parameter Marius Scurtescu
- Re: [OAUTH-WG] Issue: Scope parameter Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: Scope parameter David Recordon
- Re: [OAUTH-WG] Issue: Scope parameter Justin Smith
- Re: [OAUTH-WG] Issue: Scope parameter Manger, James H
- Re: [OAUTH-WG] Issue: Scope parameter Justin Smith
- Re: [OAUTH-WG] Issue: Scope parameter Manger, James H
- Re: [OAUTH-WG] Issue: Scope parameter Justin Smith
- Re: [OAUTH-WG] Issue: Scope parameter Marius Scurtescu
- Re: [OAUTH-WG] Issue: Scope parameter Manger, James H
- Re: [OAUTH-WG] Issue: Scope parameter Mark Mcgloin
- Re: [OAUTH-WG] Issue: Scope parameter Manger, James H
- Re: [OAUTH-WG] Issue: Scope parameter Justin Smith
- Re: [OAUTH-WG] Issue: Scope parameter Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: Scope parameter Torsten Lodderstedt
- Re: [OAUTH-WG] Issue: Scope parameter Dick Hardt
- Re: [OAUTH-WG] Issue: Scope parameter Manger, James H
- Re: [OAUTH-WG] Issue: Scope parameter Torsten Lodderstedt
- Re: [OAUTH-WG] Issue: Scope parameter David Recordon
- Re: [OAUTH-WG] Issue: Scope parameter Dick Hardt
- Re: [OAUTH-WG] Issue: Scope parameter David Recordon
- Re: [OAUTH-WG] Issue: Scope parameter Marius Scurtescu
- Re: [OAUTH-WG] Issue: Scope parameter Luke Shepard
- Re: [OAUTH-WG] Issue: Scope parameter Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: Scope parameter Dick Hardt
- Re: [OAUTH-WG] Issue: Scope parameter Dick Hardt
- Re: [OAUTH-WG] Issue: Scope parameter Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: Scope parameter Anthony Nadalin
- Re: [OAUTH-WG] Issue: Scope parameter Torsten Lodderstedt
- Re: [OAUTH-WG] Issue: Scope parameter Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: Scope parameter Evan Gilbert
- Re: [OAUTH-WG] Issue: Scope parameter Justin Richer
- Re: [OAUTH-WG] Issue: Scope parameter Eran Hammer-Lahav