Re: [OAUTH-WG] modifying the scope of an access token
Marius Scurtescu <mscurtescu@google.com> Mon, 10 May 2010 20:00 UTC
On Sun, May 9, 2010 at 10:17 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> This would only work for the client credentials flow (because you keep the same authorization source). For all other flows you are breaking the authorization boundaries.

If the requested scope is a subset of the original scope associated with the refresh token then it should be acceptable, right?

This would allow a client to request a larger set of scopes, needed for all API calls required for its function, but then get sub-scoped access tokens, particular to each API. This will prevent an API from receiving a too-powerful access token. A compromised API could use access tokens to place calls against other APIs, but not if it is narrowly scoped.

Marius

> What would be useful is to allow asking for more scope. For example, when asking for a token (the last step of each flow), also include a valid token to get a new token with the combined scope (new approval and previous).
>
> EHL
>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Dick Hardt
>> Sent: Sunday, May 09, 2010 7:19 PM
>> To: OAuth WG (oauth@ietf.org)
>> Subject: [OAUTH-WG] modifying the scope of an access token
>>
>> There has been some discussion about modifying the scope of the access token during a refresh. Perhaps we can add another "method" to what the AS MAY support that allows modifying the scope of an access token. Type of request is "modify" and the scope parameter is required to indicate the new scope required. Suggested copy below:
>>
>> type
>> REQUIRED. The parameter value MUST be set to modify
>>
>> client_id
>> REQUIRED. The client identifier as described in Section 3.4.
>>
>> client_secret
>> REQUIRED if the client was issued a secret. The client secret.
>>
>> refresh_token
>> REQUIRED. The refresh token associated with the access token to be refreshed.
>>
>> scope
>> REQUIRED. The new scope of the access request expressed as a list of space-delimited strings. The value of the scope parameter is defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds additional access range to the requested scope.
>>
>> secret_type
>> OPTIONAL. The access token secret type as described by Section 8.3. If omitted, the authorization server will issue a bearer token (an access token without a matching secret) as described by Section 8.2.
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
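The down-scoping rule Marius describes (a refresh may only narrow, never widen, the scope bound to the refresh token) as an added example of an authorization server's refresh handler; this is illustrative code written for this page, not from the thread or any OAuth implementation, and the token store, client ids and scope names are constructed. Client authentication (client_secret) is assumed to have been checked before this function is called.

```python
import secrets
from dataclasses import dataclass

# Constructed sample store: refresh token -> client that owns it and the scope
# the user originally approved. A real AS would persist this.
REFRESH_TOKENS = {
    "rt-example-1": {
        "client_id": "client-a",
        "scope": {"contacts.read", "calendar.read", "mail.send"},
    },
}


class ScopeError(Exception):
    """Refresh rejected: unknown token, wrong client, or scope not a subset."""


@dataclass
class TokenResponse:
    access_token: str
    scope: frozenset  # effective scope of the newly issued access token


def parse_scope(value):
    """Split a space-delimited scope string into a set (order does not matter)."""
    return {s for s in value.split(" ") if s}


def refresh(refresh_token, client_id, requested_scope=None):
    """Issue a new access token; requested_scope may only narrow the granted scope."""
    record = REFRESH_TOKENS.get(refresh_token)
    if record is None or record["client_id"] != client_id:
        raise ScopeError("invalid refresh token or client mismatch")
    granted = record["scope"]
    if requested_scope is None:
        effective = set(granted)            # no scope param: keep the full grant
    else:
        effective = parse_scope(requested_scope)
        if not effective:
            raise ScopeError("scope parameter must not be empty")
        extra = effective - granted          # anything outside the original grant
        if extra:
            # Widening would cross the authorization boundary Eran refers to;
            # that needs a new user approval, not a refresh.
            raise ScopeError("scope not granted: " + " ".join(sorted(extra)))
    # Each API receives a token carrying only the scope it needs.
    return TokenResponse(secrets.token_urlsafe(32), frozenset(effective))
```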