Re: [OAUTH-WG] 'Scope' parameter proposal
Joseph Smarr <jsmarr@gmail.com> Tue, 20 April 2010 16:18 UTC
Return-Path: <jsmarr@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ED2713A69DF for <oauth@core3.amsl.com>; Tue, 20 Apr 2010 09:18:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[AWL=-0.600, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_54=0.6, J_CHICKENPOX_55=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nmm+JMHHt6p2 for <oauth@core3.amsl.com>; Tue, 20 Apr 2010 09:18:52 -0700 (PDT)
Received: from mail-pz0-f191.google.com (mail-pz0-f191.google.com [209.85.222.191]) by core3.amsl.com (Postfix) with ESMTP id D5B933A68BC for <oauth@ietf.org>; Tue, 20 Apr 2010 09:18:51 -0700 (PDT)
Received: by pzk29 with SMTP id 29so5285743pzk.29 for <oauth@ietf.org>; Tue, 20 Apr 2010 09:18:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:reply-to:in-reply-to :references:from:date:received:message-id:subject:to:cc:content-type; bh=fW5yX1z+Y1zIjKDuyzrVaJss6PAGo4be/nBgFSVk/pQ=; b=PpzYJbTZJ0B+xNZkYxoQWCTHcujE1UfJu1Tl1s0lXCT+zjzob65VGYIa6GtneEV5Vd qcs1tAEvM84Jc3jKd2/yGdfUrtuQLEGE2Iz+84ZAnWetqxBfLUdoWV/UB1yaows+lr8k KGypt4tTKzv5de48ql0TUhTZMF3g3SRF5Du4k=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:reply-to:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; b=g6Sa6gfub2k24guWgfCJkkCVqhkZ8b7GV/YkHl4SazyjyyvLyrwtywzSTepyI6FgmJ CRKn9utJcvGxFoXGxMdJgAtDsPk0TZfQbC3C1OmOzRNB9E/pfcsMyTrn9A0HArTTjFXr vyQtH0mNcZRqtDx1Ukx5QrLSTL+8oHf/VPjL0=
MIME-Version: 1.0
Received: by 10.143.164.14 with HTTP; Tue, 20 Apr 2010 09:18:20 -0700 (PDT)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723438E5C7F48B@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <C7F1D1FC.32809%eran@hueniverse.com> <620F3756-E159-4EF3-99DC-6D74CC869739@gmail.com> <90C41DD21FB7C64BB94121FBBC2E723438E5C7F48B@P3PW5EX1MB01.EX1.SECURESERVER.NET>
From: Joseph Smarr <jsmarr@gmail.com>
Date: Tue, 20 Apr 2010 09:18:20 -0700
Received: by 10.142.247.7 with SMTP id u7mr2934412wfh.95.1271780320119; Tue, 20 Apr 2010 09:18:40 -0700 (PDT)
Message-ID: <h2xc334d54e1004200918s4bea7c3ez8ce69bb1a9c18151@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: multipart/alternative; boundary="00504502cc30368b010484ad6e28"
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] 'Scope' parameter proposal
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: jsmarr@stanfordalumni.org
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Apr 2010 16:18:55 -0000
+1 to nailing down how to pass scopes, as Eran suggests (I think space-delimited URLs is best, but that's a detail). Having implemented OAuth with probably a dozen different providers (while at Plaxo), scopes were always one of those things that just didn't fit cleanly into my libraries and abstractions. Specifying a standard place for scope to go is one step, but the choice of scopes were all still hardcoded in a per-domain config file, which is a pain. Worse, it makes it very hard to handle standard protocols like Portable Contacts -- I want to be able to write a "contact importer from any Portable Contacts provider", where the user types in the domain of their provider, and the rest is automagic. Achieving this goal probably requires some amount of discovery, and some ability to use "unregistered/anonymous mode", but it also requires knowing which scopes to pass in. And the first two are pretty easy to solve (include a PoCo entry in your site's /.well-known/host-meta and allow anonymous/anonymous as consumer key/secret), so the scopes thing is really the gating factor here. Also +1 to Eran's meta-point that the job of a spec like this should be to reach as far as possible towards specified behavior for interop. Just like we defined a large number of contact fields in PoCo, the point was not "everyone has to support all of these", but rather "if multiple parties want to support any of these, now they have an agreed-upon way to do so". And with scope, I hope by now it's well established that scopes are going to be common and the status quo badly under-specifies how to query for them and use them. Thanks, js On Tue, Apr 20, 2010 at 8:42 AM, Eran Hammer-Lahav <eran@hueniverse.com>wrote: > > > > -----Original Message----- > > From: Dick Hardt [mailto:dick.hardt@gmail.com] > > Sent: Monday, April 19, 2010 8:07 PM > > To: Eran Hammer-Lahav > > Cc: OAuth WG > > Subject: Re: [OAUTH-WG] 'Scope' parameter proposal > > > > > > On 2010-04-19, at 9:25 AM, Eran Hammer-Lahav wrote: > > > 2. Server requires authentication > > > > > > HTTP/1.1 401 Unauthorized > > > WWW-Authenticate: Token realm='Example', scope='x2' > > > > Can more than one scope be returned? Is it a comma delimited list? > > One scope parameter with one or more comma-delimited values (we can change > this to space delimited if people would like to use URIs for scope > identifiers). > > > Imagine we have a resource that can have READ or WRITE access granted. > > > > An unauthenticated GET on the resource could return the scope URI needed > > for READ, an unauthenticated PUT on the resource could return the scope > > URI for WRITE. What if you want to both do READs and WRITEs? There may > > be another scope that is READ/WRITE. READ and WRITE are pretty common > > capabilities, but one can imagine much more complex capabilities at > > resources. > > A failed GET will return scope=read and a failed PUT will return > scope=write. The server can issue an access token with: > > scope=read > scope=write > scope=read,write > > The last can be used for both. In other words, there should not be a > read_write scope, instead, the token should have two scopes. > > > The exact semantics to the resource are likely going to very contextual. > > Yes, and this can get very complicated if people want an extremely granular > way of doing permissions. For example, if you want to issue a token that can > read contacts and write email, you will need to define a bigger set: > email_read, email_write, contacts_read, contacts_write. On the other hand, > if a write access is for all authorized resources, you need: email, > contacts, read, write. > > > Given that, returning a single scope value if that is all that makes > sense to the > > resource will likely address many use cases. > > This is true when looking at a single resource. > > EHL > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Luke Shepard
- Re: [OAUTH-WG] 'Scope' parameter proposal Marius Scurtescu
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Torsten Lodderstedt
- Re: [OAUTH-WG] 'Scope' parameter proposal Marius Scurtescu
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal David Recordon
- Re: [OAUTH-WG] 'Scope' parameter proposal John Kemp
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal John Kemp
- Re: [OAUTH-WG] 'Scope' parameter proposal Marius Scurtescu
- Re: [OAUTH-WG] 'Scope' parameter proposal Dick Hardt
- Re: [OAUTH-WG] 'Scope' parameter proposal Manger, James H
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Torsten Lodderstedt
- Re: [OAUTH-WG] 'Scope' parameter proposal Torsten Lodderstedt
- [OAUTH-WG] Consistency in access token parameter Luke Shepard
- Re: [OAUTH-WG] Consistency in access token parame… Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Joseph Smarr
- Re: [OAUTH-WG] Consistency in access token parame… Joseph Smarr
- Re: [OAUTH-WG] Consistency in access token parame… Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Eve Maler
- Re: [OAUTH-WG] 'Scope' parameter proposal Manger, James H
- Re: [OAUTH-WG] 'Scope' parameter proposal John Kemp
- Re: [OAUTH-WG] 'Scope' parameter proposal Chasen Le Hara
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Chasen Le Hara
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal John Kemp
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Chasen Le Hara
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Eve Maler
- Re: [OAUTH-WG] 'Scope' parameter proposal Manger, James H
- Re: [OAUTH-WG] 'Scope' parameter proposal Torsten Lodderstedt
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Torsten Lodderstedt
- Re: [OAUTH-WG] 'Scope' parameter proposal John Panzer
- Re: [OAUTH-WG] 'Scope' parameter proposal Keenan, Bill
- Re: [OAUTH-WG] 'Scope' parameter proposal Luke Shepard