Re: [OAUTH-WG] modifying the scope of an access token
Dick Hardt <dick.hardt@gmail.com> Sun, 16 May 2010 17:35 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7009C3A6AD2 for <oauth@core3.amsl.com>; Sun, 16 May 2010 10:35:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.273
X-Spam-Level:
X-Spam-Status: No, score=-2.273 tagged_above=-999 required=5 tests=[AWL=0.325, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zV72IH5JZWpe for <oauth@core3.amsl.com>; Sun, 16 May 2010 10:35:47 -0700 (PDT)
Received: from mail-pw0-f44.google.com (mail-pw0-f44.google.com [209.85.160.44]) by core3.amsl.com (Postfix) with ESMTP id B2EA63A6ABA for <oauth@ietf.org>; Sun, 16 May 2010 10:35:45 -0700 (PDT)
Received: by pwi1 with SMTP id 1so2426892pwi.31 for <oauth@ietf.org>; Sun, 16 May 2010 10:35:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=1xKCw/OEW1gT9vzvujpFj/1uyTGo5p5BRtXdOKsBSLo=; b=h2O2FSOXQ/X7T5p0EP+qmC9qVWznnypGwonKH2FCSuT3Qd5NpsbzcCTqXzXu8/oJMv pDPToy7vhEq+kppzpxo2ROUgqfQZCdmp8eqL9M7osX+4U2YhsW+msZmH5eKu1bVFMCjb vrBeVAda6/rTtwBKz+pcyB6D639i9S4QZyEbk=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=DDoZX4irAFskyIbOHnRxckxRP/zSLJ4ddHdbjE+ZnyesUdaBvkO+qgMWSYc2L6YJgX KuzBr/Cu8FXsFZLb6ltAHI8Mgec4NtaADjqxvCl5tcC18Rn79ucXDLaqSBvMH5m6RccN tmfMMi4vtNihM8GPqb+x7T31dlFzzbF9aiA0s=
MIME-Version: 1.0
Received: by 10.142.248.38 with SMTP id v38mr2484712wfh.246.1274031334697; Sun, 16 May 2010 10:35:34 -0700 (PDT)
Received: by 10.142.87.17 with HTTP; Sun, 16 May 2010 10:35:34 -0700 (PDT)
In-Reply-To: <AANLkTiktDsVRfYoY2ArgM0VSLkNhMv5oadcX1pHq6j_Q@mail.gmail.com>
References: <6EAD60BF-4C6B-4F0A-8C1A-13DD3DD2B21E@gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E3A@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTikbUvqQLCvOAsY9d2CDdg9222xX9zwIEWmNA4RW@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343B3AB4712E@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTinSQpI4JX6_TVL4ZAI0oYSehKB9vEfQyZafggtM@mail.gmail.com> <AANLkTiktDsVRfYoY2ArgM0VSLkNhMv5oadcX1pHq6j_Q@mail.gmail.com>
Date: Sun, 16 May 2010 10:35:34 -0700
Message-ID: <AANLkTimqEfj29xTX0A8f7XulTjpPwoQgRI8yX1Gzgpns@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
To: David Recordon <recordond@gmail.com>
Content-Type: multipart/alternative; boundary="00504502ce54232c390486b989d1"
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] modifying the scope of an access token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 May 2010 17:35:48 -0000
My design preference would be to have a new request type. A AS could then support or not support the feature, and it keeps refresh as refresh rather than overloading it. On Mon, May 10, 2010 at 10:43 PM, David Recordon <recordond@gmail.com>wrote: > I'm wondering if this could be achieved by adding an optional scope > parameter to the existing refresh request versus creating a new > request type. Both because Dick's proposed text requires a refresh > token and it seems like services worried about this sort of risk would > not want to issue long lived access tokens. > > --David > > > On Mon, May 10, 2010 at 10:39 PM, John Panzer <jpanzer@google.com> wrote: > > Yes; a service that does a one time configuration step, requiring > > extensive access, followed by an ongoing lower level of access (say, > > read-only). Lowering access means it only needs to store low-risk > > tokens in its data store, limiting exposure (and liability). > > > > On Monday, May 10, 2010, Eran Hammer-Lahav <eran@hueniverse.com> wrote: > >> Are there actual use cases for this? Either way sounds like it belongs > in an extension. > >> > >> EHL > >> > >>> -----Original Message----- > >>> From: Marius Scurtescu [mailto:mscurtescu@google.com] > >>> Sent: Monday, May 10, 2010 12:49 PM > >>> To: Eran Hammer-Lahav > >>> Cc: Dick Hardt; OAuth WG (oauth@ietf.org) > >>> Subject: Re: [OAUTH-WG] modifying the scope of an access token > >>> > >>> On Sun, May 9, 2010 at 10:17 PM, Eran Hammer-Lahav > >>> <eran@hueniverse.com> wrote: > >>> > This would only work for the client credentials flow (because you > keep the > >>> same authorization source). For all other flows you are breaking the > >>> authorization boundaries. > >>> > >>> If the requested scope is a subset of the original scope associated > with the > >>> refresh token then it should be acceptable, right? > >>> > >>> This would allow a client to request a larger set of scopes, needed for > all API > >>> calls need for its function, but then get sub-scoped access tokens, > particular > >>> to each API. This will prevent an API from receiving a too powerful > access > >>> token. A compromised API could use access tokens to place calls against > >>> other APIs, but not if it is narrowly scoped. > >>> > >>> Marius > >>> > >>> > > >>> > What would be useful is to allow asking for more scope. For example, > when > >>> asking for a token (the last step of each flow), also include a valid > token to > >>> get a new token with the combined scope (new approval and previous). > >>> > > >>> > EHL > >>> > > >>> >> -----Original Message----- > >>> >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On > >>> >> Behalf Of Dick Hardt > >>> >> Sent: Sunday, May 09, 2010 7:19 PM > >>> >> To: OAuth WG (oauth@ietf.org) > >>> >> Subject: [OAUTH-WG] modifying the scope of an access token > >>> >> > >>> >> There has been some discussion about modifying the scope of the > >>> >> access token during a refresh. Perhaps we can add another "method" > to > >>> >> what the AS MAY support that allows modifying the scope of an access > >>> >> token. Type of request is "modify" and the scope parameter is > >>> >> required to indicate the new scope required. Suggested copy below: > >>> >> > >>> >> type > >>> >> REQUIRED. The parameter value MUST be set to modify > >>> >> > >>> >> client_id > >>> >> REQUIRED. The client identifier as described in Section 3.4. > >>> >> > >>> >> client_secret > >>> >> REQUIRED if the client was issued a secret. The client secret. > >>> >> > >>> >> refresh_token > >>> >> REQUIRED. The refresh token associated with the access token > to > >>> >> be refreshed. > >>> >> > >>> >> scope > >>> >> REQUIRED. The new scope of the access request expressed as a > >>> >> list of space-delimited strings. The value of the scope parameter is > >>> >> defined by the authorization server. If the value contains multiple > >>> >> space-delimited strings, their order does not matter, and each > string > >>> >> adds additional access range to the requested scope. > >>> >> > >>> >> secret_type > >>> >> OPTIONAL. The access token secret type as described by Section > 8.3. > >>> >> If omitted, the authorization server will issue a bearer token (an > >>> >> access token without a matching secret) as described by Section 8.2. > >>> >> > >>> >> _______________________________________________ > >>> >> OAuth mailing list > >>> >> OAuth@ietf.org > >>> >> https://www.ietf.org/mailman/listinfo/oauth > >>> > _______________________________________________ > >>> > OAuth mailing list > >>> > OAuth@ietf.org > >>> > https://www.ietf.org/mailman/listinfo/oauth > >>> > > >> _______________ > > > > -- > > -- > > John Panzer / Google > > jpanzer@google.com / abstractioneer.org / @jpanzer > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] modifying the scope of an access token Dick Hardt
- Re: [OAUTH-WG] modifying the scope of an access t… Eran Hammer-Lahav
- Re: [OAUTH-WG] modifying the scope of an access t… Marius Scurtescu
- Re: [OAUTH-WG] modifying the scope of an access t… Eran Hammer-Lahav
- Re: [OAUTH-WG] modifying the scope of an access t… Dick Hardt
- Re: [OAUTH-WG] modifying the scope of an access t… John Panzer
- Re: [OAUTH-WG] modifying the scope of an access t… David Recordon
- Re: [OAUTH-WG] modifying the scope of an access t… John Panzer
- Re: [OAUTH-WG] modifying the scope of an access t… David Recordon
- Re: [OAUTH-WG] modifying the scope of an access t… Eran Hammer-Lahav
- Re: [OAUTH-WG] modifying the scope of an access t… Dick Hardt
- Re: [OAUTH-WG] modifying the scope of an access t… Dick Hardt
- Re: [OAUTH-WG] modifying the scope of an access t… Luke Shepard
- Re: [OAUTH-WG] modifying the scope of an access t… Joseph Holsten
- Re: [OAUTH-WG] modifying the scope of an access t… George Fletcher