IETF Logo Mail Archive

Re: [OAUTH-WG] 'Scope' parameter proposal

Eran Hammer-Lahav <eran@hueniverse.com> Thu, 22 April 2010 19:25 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BE2A528C307 for <oauth@core3.amsl.com>; Thu, 22 Apr 2010 12:25:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.56
X-Spam-Level:
X-Spam-Status: No, score=-2.56 tagged_above=-999 required=5 tests=[AWL=0.039, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uHlzJIomqnDY for <oauth@core3.amsl.com>; Thu, 22 Apr 2010 12:25:45 -0700 (PDT)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by core3.amsl.com (Postfix) with SMTP id 552BF3A6CAB for <oauth@ietf.org>; Thu, 22 Apr 2010 12:08:15 -0700 (PDT)
Received: (qmail 29454 invoked from network); 22 Apr 2010 19:08:05 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 22 Apr 2010 19:08:05 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Thu, 22 Apr 2010 12:07:14 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: John Kemp <john@jkemp.net>
Date: Thu, 22 Apr 2010 12:07:05 -0700
Thread-Topic: [OAUTH-WG] 'Scope' parameter proposal
Thread-Index: AcriSyO6L4yGeuGOQm6rSIcCSXod0gAAHqtg
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723438E5C7FD26@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <C7F1D1FC.32809%eran@hueniverse.com> <0D5497F5-75A7-4A42-9A5E-9C2310162B18@jkemp.net> <90C41DD21FB7C64BB94121FBBC2E723438E5C7F30A@P3PW5EX1MB01.EX1.SECURESERVER.NET> <g2mdaf5b9571004221036j5d6837f6z4d7959d69a3cbb2b@mail.gmail.com> <BB02FD4F-071E-4FF5-B3D0-F8D3FA22FEEE@jkemp.net>
In-Reply-To: <BB02FD4F-071E-4FF5-B3D0-F8D3FA22FEEE@jkemp.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] 'Scope' parameter proposal
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Apr 2010 19:25:46 -0000

This suggests we need to rethink our goal of interop and replace it with library re-use.

To me interop means that a client can interact with an unknown server by simply speaking the protocol (the way an email can be delivered to any server). Library re-use means that we define a set of configuration values (client identifier, endpoints, cryptographic algorithms, scope, realm policy, etc.) and once those are manually set (or via a discovery specification that is completely out of scope) to make the library work.

If we are not going to enable a client to access a protected resource hosted by an unfamiliar server, we need to stop pretending this (alone) is about interop. In other words, if we take this approach we are mandating paperwork to make the protocol work, at least based on this single specification. We can also drop advertising the authorization and token endpoints in a 401 or really *any* parameter in a WWW-Authenticate response.

I'm not opposed to that, and it is in line with the charter (which left discovery out).
 
Regardless, I disagree with your conclusion that the scope proposal doesn't accomplish interop. It allows a client to interact with an unknown server, obtain an access token for the required scope, and access it. It doesn't address the trust issue of when to reuse an existing token, but that's going to be a problem with or without a scope. If the client never attempts to reuse a token but always obtain a new access token when encountering an unknown server, it can interop perfectly well. And making scope a list of values allows secure reuse of tokens using same-origin policy (which is still useful even if limited).

OAuth 1.0 doesn't accomplish interop because it is under-specified. I have no problems keeping 2.0 at the same level. I just think it is premature to give up.

EHL

> -----Original Message-----
> From: John Kemp [mailto:john@jkemp.net]
> Sent: Thursday, April 22, 2010 11:39 AM
> To: Brian Eaton
> Cc: Eran Hammer-Lahav; OAuth WG
> Subject: Re: [OAUTH-WG] 'Scope' parameter proposal
> 
> Hi Brian,
> 
> On Apr 22, 2010, at 1:36 PM, Brian Eaton wrote:
> 
> > On Mon, Apr 19, 2010 at 3:17 PM, Eran Hammer-Lahav
> <eran@hueniverse.com> wrote:
> >>> The scope doesn't have to match the base URI of the resource which
> >>> the client tried and got the 401 from?
> >>
> >> That's a security issue we need to address (when to trust the resource
> server and reuse an existing token). We need to figure it out either way.
> >
> 
> [...]
> 
> > I'd rather we didn't put stuff in the OAuth 2 spec that we aren't 100%
> > sure is going to work.  Ideally there should be lots of examples in
> > production.
> 
> I agree.
> 
> >
> > I do like the idea of defining the scope parameter to be a delimited
> > list of otherwise opaque strings.
> 
> So what we get in OAuth is simply an agreed parameter name in which to
> carry a list of opaque strings which might be used in any way imaginable (ie.
> not documented by the spec, no model in relation to the token) with usage
> model basically as decided by the various parties at deployment time.
> 
> I'm not really seeing the *interoperability* value of that at all without some
> more rigorous description of the underlying model (note: I'm not saying we
> should necessarily make that model, but merely that without any described
> model, you don't have very much interoperability)
> 
> >  Several service providers have
> > already adopted this approach, and it seems to work reasonably well.
> 
> I agree that 'scope' is something that many SPs want. If they don't want it
> roughly the same way though (something more than a "bucket of opaque
> strings with a standard name") I don't know if I understand the point to
> standardizing it.
> 
> Even those who write libraries won't get much value since they'll have to
> provide an extension point to do whatever is needed according to the
> particular deployment here anyway, and that extension point could already
> exist without the existence of an already-named parameter for "scope"
> functionality.
> 
> [...]
> 
> - johnk

v2.23.0 | Report a Bug | By Email