Re: [OAUTH-WG] OAuth 2.0 and Access Control Lists (ACL)

Eve Maler <eve@xmlgrrl.com> Mon, 19 December 2011 23:53 UTC

From: Eve Maler <eve@xmlgrrl.com>
In-Reply-To: <4EEF7C4B.2070405@aol.com>
Date: Mon, 19 Dec 2011 15:53:01 -0800
Message-Id: <8709095D-EBF1-4E9A-99C3-765E29DDB946@xmlgrrl.com>
References: <CAKaEYh+WRAnq9VXVn_FWUrHGNNSUS=aUompeXefVWGsQ-yiTLQ@mail.gmail.com> <4EEF7C4B.2070405@aol.com>
To: Melvin Carvalho <melvincarvalho@gmail.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.0 and Access Control Lists (ACL)

If you check out the recording of the UMA webinar from last week, you'll see a demo (starting at about the 33:00 mark) that shows individual user data being accessed according to ACL-type authorization policy settings, with the resource owner able to set these policies and then not have to be online when the requester shows up:

http://kantarainitiative.org/confluence/display/uma/Home

(As an aside, the UMA spec also provides an extended example that illustrates how scopes can be made interoperable enough to protect photos individually. See http://tools.ietf.org/html/draft-hardjono-oauth-umacore-02, especially Sections 1.4 and 10.)

	Eve

On 19 Dec 2011, at 10:02 AM, George Fletcher wrote:

> I would also recommend looking at User-Managed-Access which provides this kind of layer on top of OAuth2.
> 
> http://kantarainitiative.org/confluence/display/uma/UMA+Explained
> 
> Thanks,
> George
> 
> On 12/18/11 12:05 PM, Melvin Carvalho wrote:
>> Quick question.  I was wondering if OAuth 2.0 can work with access
>> control lists.
>> 
>> For example there is a protected resource (e.g. a photo), and I want
>> to set it up so that two or more users (for example a group of
>> friends) U1, U2 ... Un will be able to access it after authenticating.
>> 
>> Is this kind of flow possible with OAuth 2.0, and if so whose
>> responsibility is it to maintain the list of agents that can access
>> the resource?
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 


Eve Maler                                  http://www.xmlgrrl.com/blog
+1 425 345 6756                         http://www.twitter.com/xmlgrrl
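The arrangement George and Eve point at (the resource owner configures an ACL-style policy at an authorization server ahead of time, the authorization server keeps the list, and a requester who turns up later is granted a token only if the policy allows it, with the owner offline) can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not code from the thread and not the UMA specification's protocol. Everything in it is assumed for the illustration: the names (`alice`, `bob`, `carol`, `dave`, `mallory`, `photo42`), the scope names `view` and `comment`, opaque random token handles looked up in the server's own table, and requesting parties that arrive already authenticated as a subject string.

```python
"""Toy OAuth-style authorization server that keeps a per-resource ACL for the
resource owner, plus a resource server that honours only its tokens.

Added illustration for this thread, not the UMA reference protocol. Names,
scopes and the in-memory token table are assumptions made for the example.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Resource:
    resource_id: str
    owner: str
    scopes: frozenset  # scopes the resource server understands, e.g. view/comment


@dataclass
class Token:
    subject: str
    resource_id: str
    scopes: frozenset
    expires_at: float


class AuthorizationServer:
    """Holds the owner's ACL-style policies and issues tokens against them."""

    def __init__(self, token_ttl=3600):
        self.resources = {}   # resource_id -> Resource
        self.policies = {}    # (resource_id, subject) -> frozenset of granted scopes
        self.tokens = {}      # opaque handle -> Token
        self.token_ttl = token_ttl

    def register_resource(self, owner, resource_id, scopes):
        self.resources[resource_id] = Resource(resource_id, owner, frozenset(scopes))

    def _require_owner(self, actor, resource_id):
        # Only the resource owner may edit the list of who can access the resource.
        res = self.resources.get(resource_id)
        if res is None or res.owner != actor:
            raise PermissionError(f"{actor} does not own {resource_id}")
        return res

    def set_policy(self, actor, resource_id, subject, scopes):
        res = self._require_owner(actor, resource_id)
        scopes = frozenset(scopes)
        unknown = scopes - res.scopes
        if unknown:  # refuse scopes the resource server would never enforce
            raise ValueError(f"unknown scopes for {resource_id}: {sorted(unknown)}")
        self.policies[(resource_id, subject)] = scopes

    def revoke(self, actor, resource_id, subject):
        self._require_owner(actor, resource_id)
        self.policies.pop((resource_id, subject), None)

    def allowed_scopes(self, subject, resource_id):
        return self.policies.get((resource_id, subject), frozenset())

    def issue_token(self, subject, resource_id, requested_scopes):
        # Grant only the intersection of what was asked for and what the owner allowed;
        # a subject not on the list gets nothing. The owner need not be online here.
        granted = frozenset(requested_scopes) & self.allowed_scopes(subject, resource_id)
        if not granted:
            return None
        handle = secrets.token_urlsafe(32)
        self.tokens[handle] = Token(subject, resource_id, granted, time.time() + self.token_ttl)
        return handle

    def introspect(self, handle):
        tok = self.tokens.get(handle)
        if tok is None or tok.expires_at <= time.time():
            return {"active": False}
        # Re-check the current policy so an owner's revocation bites immediately
        # instead of waiting for the token to expire.
        still_allowed = tok.scopes & self.allowed_scopes(tok.subject, tok.resource_id)
        if not still_allowed:
            return {"active": False}
        return {"active": True, "sub": tok.subject,
                "resource_id": tok.resource_id, "scopes": still_allowed}


class ResourceServer:
    """Enforces the token: right resource, still active, scope covers the action."""

    def __init__(self, authz):
        self.authz = authz

    def serve(self, handle, resource_id, action):
        info = self.authz.introspect(handle)
        return bool(info["active"] and info["resource_id"] == resource_id
                    and action in info["scopes"])


def demo():
    """Walk through the photo-sharing scenario from the thread (constructed data)."""
    authz = AuthorizationServer()
    photos = ResourceServer(authz)
    authz.register_resource("alice", "photo42", {"view", "comment"})
    authz.set_policy("alice", "photo42", "bob", {"view"})
    authz.set_policy("alice", "photo42", "carol", {"view", "comment"})

    bob = authz.issue_token("bob", "photo42", {"view", "comment"})   # narrowed to view
    carol = authz.issue_token("carol", "photo42", {"comment"})
    dave = authz.issue_token("dave", "photo42", {"view"})            # not on the list

    results = {
        "bob_view": photos.serve(bob, "photo42", "view"),
        "bob_comment": photos.serve(bob, "photo42", "comment"),
        "carol_comment": photos.serve(carol, "photo42", "comment"),
        "dave_gets_token": dave is not None,
    }
    authz.revoke("alice", "photo42", "carol")
    results["carol_after_revoke"] = photos.serve(carol, "photo42", "comment")
    try:
        authz.set_policy("mallory", "photo42", "mallory", {"view"})
        results["non_owner_edit_blocked"] = False
    except PermissionError:
        results["non_owner_edit_blocked"] = True
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The answer to "whose responsibility is it to maintain the list" in this sketch is the authorization server, acting for the owner: the resource server never sees the ACL, only tokens, and it re-asks the authorization server at use time so that revoking a friend takes effect immediately rather than at token expiry.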