Re: [OAUTH-WG] Requesting multiple scope, but user authorizes not all
Nat Sakimura <sakimura@gmail.com> Sun, 28 November 2010 14:11 UTC
From: Nat Sakimura <sakimura@gmail.com>
To: igor.faynberg@alcatel-lucent.com
Cc: "oauth@ietf.org" <oauth@ietf.org>
Date: Sun, 28 Nov 2010 23:12:23 +0900
Message-ID: <AANLkTimbgd6g5RS-dKdEJ31CvFJoZrrnLeJyV8r-=-+h@mail.gmail.com>
In-Reply-To: <4CF01805.7030607@alcatel-lucent.com>
References: <20101126094122.53764oqlukyiow4y@ugs.tarent.de> <90C41DD21FB7C64BB94121FBBC2E72343D4B065398@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4CF01805.7030607@alcatel-lucent.com>
I think such things are better dealt with by extensions. I do not like to overload "scope".

=nat

On Sat, Nov 27, 2010 at 5:26 AM, Igor Faynberg <igor.faynberg@alcatel-lucent.com> wrote:
> In the context of Martin's question (which concerns end-users' understanding
> and resulting actions), I interpret the citation as follows: the end-user
> has no control over the value of the "scope" parameter, and, given that "it
> is defined by the authorization server," the end-user is not expected even
> to understand this value. Granted, an implementation can of course fix this
> specific issue, but the standard does not address it.
>
> Overall, I do see this as a drawback of 2.0, which needs to be fixed by
> careful specification of the "scope" values in the future, but I know that
> 2.0 needs to be out and that it has high-priority items (such as security)
> to be dealt with right now. I don't want to delay 2.0 by suggesting drastic
> changes in the design decisions, so I am not harping on the seeming
> irrelevance of the end-user.
>
> With the view of OAuth evolution though, I would like to see the whole token
> standardized, with the end-user having the overall control of the
> token--even if in the default situation it is still prepared by the
> authorization server--with the ability to assign or change (or both) any
> value contained in it.
>
> Igor
>
>
> Eran Hammer-Lahav wrote:
>>
>> -10 4.2:
>>
>> scope
>>       OPTIONAL. The scope of the access token as a list of space-
>>       delimited strings. The value of the "scope" parameter is
>>       defined by the authorization server. If the value contains
>>       multiple space-delimited strings, their order does not matter,
>>       and each string adds an additional access range to the
>>       requested scope. The authorization server SHOULD include the
>>       parameter if the requested scope is different from the one
>>       requested by the client.
>>
>> EHL
>>
>>
>>> -----Original Message-----
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>>> Of Martin Ley
>>> Sent: Friday, November 26, 2010 12:41 AM
>>> To: oauth@ietf.org
>>> Subject: [OAUTH-WG] Requesting multiple scope, but user authorizes not
>>> all
>>>
>>> Dear list,
>>>
>>> perhaps I've overread it in the specification or it was not explicit
>>> about my required scenario:
>>>
>>> The Web-Server-Flow is used. An application requests data about the user.
>>> The scopes are dateofbirth,isover18,address. Now the user is forwarded to
>>> the authorization server to identify and authenticate and give
>>> permissions to the applications. The user decides to give only permission
>>> for the isover18 scope but not dateofbirth and address.
>>>
>>> How would the application be notified about the granted scopes and the
>>> not granted scopes?
>>>
>>> Best regards
>>>
>>> Martin
>>>
>>>
>>> --
>>> tarent Gesellschaft für Softwareentwicklung und IT-Beratung mbH
>>> Geschäftsführer: Boris Esser, Elmar Geese HRB AG Bonn 5168 - USt-ID (VAT):
>>> DE122264941
>>>
>>> Heilsbachstraße 24, 53123 Bonn, Telefon: +49 228 52675-0
>>> Thiemannstraße 36a, 12059 Berlin, Telefon: +49 30 5682943-30
>>> Internet: http://www.tarent.de/ Telefax: +49 228 52675-25
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>

--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en
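The question Martin raises (the client asked for three scopes, the user consented to one) is answered on the wire by the draft-10 text Eran quotes: the token response carries an optional "scope" parameter, and the server SHOULD send it when the granted scope differs from the requested one. The following is an added example, not code from any participant in this thread or from any OAuth library, showing how a client reconciles requested and granted scope and degrades its features accordingly. The token responses, the placeholder token value and the feature table are constructed for illustration; the function and variable names are this example's own.

```python
"""Client-side reconciliation of requested vs. granted OAuth 2.0 scope.

Added example for this thread, not code from any list participant. It models
the draft-10 section 4.2 behaviour quoted above: the token response MAY carry
a "scope" parameter, and the server SHOULD send it when the granted scope
differs from the requested one. All responses below are constructed.
"""
import json

# Martin's scenario: three scopes requested (space-delimited, order does not
# matter), the user consented to only one of them.
REQUESTED_SCOPE = "dateofbirth isover18 address"

# Constructed token response: the server honoured the SHOULD and reported the
# reduced scope. The token value is a placeholder, not a real token.
TOKEN_RESPONSE_REDUCED = json.dumps({
    "access_token": "EXAMPLE-TOKEN-PLACEHOLDER",
    "token_type": "bearer",
    "expires_in": 3600,
    "scope": "isover18",
})

# Constructed token response with no "scope" parameter. A server may send this
# when nothing was narrowed; a lax server may send it even when something was.
TOKEN_RESPONSE_NO_SCOPE = json.dumps({
    "access_token": "EXAMPLE-TOKEN-PLACEHOLDER",
    "token_type": "bearer",
    "expires_in": 3600,
})

# Constructed token response returning a scope the client never asked for.
TOKEN_RESPONSE_EXTRA = json.dumps({
    "access_token": "EXAMPLE-TOKEN-PLACEHOLDER",
    "token_type": "bearer",
    "expires_in": 3600,
    "scope": "isover18 email",
})

# Hypothetical mapping of application features to the scopes each one needs.
FEATURE_SCOPES = {
    "age_gate": {"isover18"},
    "birthday_greeting": {"dateofbirth"},
    "shipping": {"address"},
    "id_check": {"dateofbirth", "address"},
}


def parse_scope(value):
    """Split a space-delimited scope string into a set; order is irrelevant."""
    return {s for s in value.split(" ") if s}


def reconcile_scope(requested, token_response_json):
    """Return granted, denied and unexpected scope plus whether the server
    actually confirmed the grant.

    "granted" is always a subset of what was requested: anything the server
    returned beyond the request is reported separately and never relied on,
    because the user never saw it on the consent page.
    """
    response = json.loads(token_response_json)
    requested_set = parse_scope(requested)
    if "scope" not in response:
        # Absent parameter: under the SHOULD this usually means nothing was
        # narrowed, but the client has no confirmation, so record that.
        return {
            "granted": set(requested_set),
            "denied": set(),
            "unexpected": set(),
            "confirmed": False,
        }
    returned = parse_scope(response["scope"])
    granted = returned & requested_set
    return {
        "granted": granted,
        "denied": requested_set - granted,
        "unexpected": returned - requested_set,
        "confirmed": True,
    }


def available_features(granted, feature_scopes=FEATURE_SCOPES):
    """Enable only the features whose every required scope was granted."""
    return {name for name, needed in feature_scopes.items() if needed <= granted}


if __name__ == "__main__":
    for label, resp in (("reduced", TOKEN_RESPONSE_REDUCED),
                        ("no scope", TOKEN_RESPONSE_NO_SCOPE),
                        ("extra", TOKEN_RESPONSE_EXTRA)):
        result = reconcile_scope(REQUESTED_SCOPE, resp)
        print(label, result, sorted(available_features(result["granted"])))
```

A client that reads only "access_token" learns about the narrowed grant only when its call to the date-of-birth resource fails; reconciling up front lets it switch off the features it cannot serve, and the "unexpected" set flags a server handing out access the user was never shown. The "confirmed" flag records the gap Igor points at: when the server omits the parameter, the client is trusting the SHOULD, not a positive statement of what was granted.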