[OAUTH-WG] Scope - Coming to a Consensus

Eran Hammer-Lahav <eran@hueniverse.com> Fri, 30 April 2010 15:44 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id 515043A6896 for <oauth@core3.amsl.com>; Fri, 30 Apr 2010 08:44:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.244
X-Spam-Status: No, score=-1.244 tagged_above=-999 required=5 tests=[AWL=-1.245, BAYES_50=0.001]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id ZoOOzbvqaN5n for <oauth@core3.amsl.com>; Fri, 30 Apr 2010 08:44:19 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net []) by core3.amsl.com (Postfix) with SMTP id 57DE33A688C for <oauth@ietf.org>; Fri, 30 Apr 2010 08:44:19 -0700 (PDT)
Received: (qmail 30095 invoked from network); 30 Apr 2010 15:44:05 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) ( by p3plex1out02.prod.phx3.secureserver.net with SMTP; 30 Apr 2010 15:44:05 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([]) with mapi; Fri, 30 Apr 2010 08:43:55 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Date: Fri, 30 Apr 2010 08:43:55 -0700
Thread-Topic: Scope - Coming to a Consensus
Thread-Index: Acroe/D4ieCnKO2GTMiNS2rQ7lPsVg==
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723439321772EF@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [OAUTH-WG] Scope - Coming to a Consensus
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Apr 2010 15:44:20 -0000

It's time to decide how we want to treat access token scope in the specification. Note that this discussion is limited to *requesting* an access token with a specific scope and does not include how to decide when a token should be reused against an unfamiliar server (i.e. resource server advertising which scope it requires).

Below is the list of options with enough group interest. I didn't my best to represent each option without bias but please feel free to add more details with your votes. If you feel strongly about other alternatives, please list them in your reply.

Please reply by 5/5.



1. Parameter Name Only 

Define a token request parameter 'scope' leaving the value structure undefined. This will allow libraries to define a built-in parameter to pass scope up and down the stack. Each provider will need to document their use of the parameter, including delimiter and encoding.


- This does not require specifying a format that may conflict with existing or desired vendor-specific needs.
- There isn't enough deployment experience to go further than that.
- It makes using a library easier for client developers


- Adding an undefined parameter can hurt interoperability in the long run because as soon as it is deployed it will become impossible to standardize this value in the future.
- Libraries are likely to implement the most popular form of scope encoding which will conflict with other vendors.
- Specifying a generally useful format isn't that hard, but is very useful.
- Libraries will need to pass arbitrary parameters anyway to accommodate other vendor-specific extensions.

2. No Scope Parameter

The protocol will remain mute on the subject, allowing vendors to introduce their own scope parameter either as an extension or as an opaque part of the authorization and token endpoints (as proposed by James Manger).


- Simplicity - the protocol doesn't define (partially or fully) parameters that are not required in every implementation.
- Flexibility - since there is no consensus on the subject, this allows vendors to define their own parameters with more suitable names (e.g. 'resources', 'permission', 'duration', etc.).


- Every implementation is likely to add such a parameter anyway.
- The pattern described by James isn't obvious and developers are likely to reinvent a scope parameter instead.
- Goes against common expectation of scope support in the core protocol.

3. Space-Delimited Scope Parameter Value

Define a 'scope' parameter with value of space-delimited strings (which can include any character that is not a space - the entire parameter value is encoded per the transport rules regardless). Space allows using URIs or simple strings as values.


- A separator-delimited list of values is the common format for scope parameters in existing implementations and represents actual deployment experience.
- Most vendors define a set of opaque strings used for requesting scope. This enables libraries to concatenate these in a standard way.
- Enables simple extensions in the future for discovering which scope is required by each resource.


- Defining a format without a discovery method for the values needs doesn't offer much more than the other options.
- Doesn't go far enough to actually achieve interoperability.
- Adds complexity for little value.