Re: [OAUTH-WG] resource server id needed?

Torsten Lodderstedt <torsten@lodderstedt.net> Thu, 15 July 2010 06:19 UTC

Message-ID: <4C3EA88A.1050509@lodderstedt.net>
Date: Thu, 15 Jul 2010 08:19:54 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: Marius Scurtescu <mscurtescu@google.com>
References: <4C3E389D.5080300@lodderstedt.net> <AANLkTilbBWMoMj5DIJ7IMYzlBGgZHni7xCYHyAzz_XK4@mail.gmail.com>
In-Reply-To: <AANLkTilbBWMoMj5DIJ7IMYzlBGgZHni7xCYHyAzz_XK4@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] resource server id needed?
Precedence: list

Marius Scurtescu schrieb:
> On Wed, Jul 14, 2010 at 3:22 PM, Torsten Lodderstedt
> <torsten@lodderstedt.net> wrote:
>   
>> I have a question concerning the OAuth philosophy: How many resource servers
>> may be managed by a single OAuth authorization server? (a) A single resource
>> server or (b) several of them exposing different resource types?
>>
>> If the answer is (b) then how is a particular resource server identified in
>> the protocol? Clients have Ids, end-users as well (at least in a future
>> protocol extension), but what about resource server Ids?
>>
>> I think resource servers must be identifiable in multi-server deployments
>> for several reasons:
>> - Interpretation of the scope parameter should be resource server specific -
>> "read" may have different meanings in mail and address book
>> - An authorization server probably wants to apply server-specific security
>> policy, e.g. different access token durations
>> - It will be possible to create special tokens per server
>>
>> I think we should introduce a resource server id in the authz and access
>> token request.
>>
>> Any thoughts?
>>     
>
> I think the scope fills this role. Scopes implemented as URIs, for
> example, allow the authz server to map them to resource servers.
>
> Marius
>   
That's an option indeed and would very much like to adopt it. But is the 
current draft specific enough to make that work?

Let's take the example of a valid scope Eran gave in on of his recent 
postings:

“friends:read:2d photos:write:1y”

Where would you include the resource server's URI? I assume in front of 
every value, like this:

“http://myserver.example.com/friends:read:2d 
http://myserver.example.com/photos:write:1y”

Let's now take this example one step further and extend the first 
resource description.

“http://myserver.example.com/friends/max.mustermann/:read:2d 
http://myserver.example.com/photos:write:1y”

How shall a standard compliant authz server parse that scope? And what 
is the resource server part? The host part only or everything up to the 
last '/'?
BTW: This example assumes ':' as internal delimiter between resources, 
permissions and durations.

In my opinion, in order to support the use case I described, we have to 
come up with a more detailed specification of the syntax and semantics 
of scopes.

What do you think?

regards,
Torsten.

[OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Marius Scurtescu
Re: [OAUTH-WG] resource server id needed? Eran Hammer-Lahav
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Ivan Pulleyn
Re: [OAUTH-WG] resource server id needed? Luke Shepard
Re: [OAUTH-WG] resource server id needed? William Mills
Re: [OAUTH-WG] resource server id needed? William Mills
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Eran Hammer-Lahav
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Ivan Pulleyn
Re: [OAUTH-WG] resource server id needed? Marius Scurtescu
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Wolfgang.Steigerwald
Re: [OAUTH-WG] resource server id needed? Brian Eaton
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Brian Eaton
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? David Recordon
Re: [OAUTH-WG] resource server id needed? Andrew Arnott
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Eve Maler
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Eve Maler
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Eve Maler