Re: [OAUTH-WG] Feedback on preliminary draft 11 from implementers of draft 10
David Primmer <primmer@google.com> Sat, 11 December 2010 01:57 UTC
Return-Path: <primmer@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A10C43A6CBF for <oauth@core3.amsl.com>; Fri, 10 Dec 2010 17:57:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -109.574
X-Spam-Level:
X-Spam-Status: No, score=-109.574 tagged_above=-999 required=5 tests=[AWL=-0.403, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_HI=-8, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lLpjNU8+F41s for <oauth@core3.amsl.com>; Fri, 10 Dec 2010 17:57:38 -0800 (PST)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id 3FCE63A68B6 for <oauth@ietf.org>; Fri, 10 Dec 2010 17:57:38 -0800 (PST)
Received: from wpaz1.hot.corp.google.com (wpaz1.hot.corp.google.com [172.24.198.65]) by smtp-out.google.com with ESMTP id oBB1x9mE027641 for <oauth@ietf.org>; Fri, 10 Dec 2010 17:59:09 -0800
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1292032750; bh=rs9OwdXHxCPg+uqGCC5DKrFV6zQ=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type:Content-Transfer-Encoding; b=VE940/hgHXVjSgr+gU/S5cYfy+xHJzDFjF3rUbFJOmG/6DSzrKIZYDySJ4gHW5V70 0cyoSMIXBkf40Ozgkfv9w==
Received: from qyk12 (qyk12.prod.google.com [10.241.83.140]) by wpaz1.hot.corp.google.com with ESMTP id oBB1x8Xc016640 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT) for <oauth@ietf.org>; Fri, 10 Dec 2010 17:59:08 -0800
Received: by qyk12 with SMTP id 12so3915838qyk.12 for <oauth@ietf.org>; Fri, 10 Dec 2010 17:59:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:received:mime-version:received:in-reply-to :references:from:date:message-id:subject:to:cc:content-type :content-transfer-encoding; bh=M6bNof9ceSHktJZnO3U1pA9WvY8Koo5JDzH6o1IlLgw=; b=kgsZMD/+vXBtx0RmJZB+hVHOkI9EjNkSau5ONx3BbYZbx4XRec/KS/XaOyzJmv617H EP4bqZ+UE6XeTsRpqh7g==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; b=tAGCuMEnZg8mkckQKfuz6qD/t7BncYtNbeS0vtUCr6+HcnZSOqlSuSt59phJxLI5QB fV+STA5Pl3tFyljpymUA==
Received: by 10.229.220.144 with SMTP id hy16mr1240952qcb.259.1292032747868; Fri, 10 Dec 2010 17:59:07 -0800 (PST)
MIME-Version: 1.0
Received: by 10.229.76.85 with HTTP; Fri, 10 Dec 2010 17:58:47 -0800 (PST)
In-Reply-To: <62D210BF-3FA7-4789-9382-5BCCE45C5F84@xmlgrrl.com>
References: <4E1F6AAD24975D4BA5B16804296739432461C3F9@TK5EX14MBXC201.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E72343D4B06532D@P3PW5EX1MB01.EX1.SECURESERVER.NET> <62D210BF-3FA7-4789-9382-5BCCE45C5F84@xmlgrrl.com>
From: David Primmer <primmer@google.com>
Date: Fri, 10 Dec 2010 17:58:47 -0800
Message-ID: <AANLkTimmJB+OX-k7Z7qM83HD1LiUPOhOcS2QAcS+ad1T@mail.gmail.com>
To: Eve Maler <eve@xmlgrrl.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Cc: "oauth@ietf.org (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Feedback on preliminary draft 11 from implementers of draft 10
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Dec 2010 01:57:39 -0000
-1 to separate parameters. I'd imagine every provider has the same issues as the ones you point out, however I don't think we should take another step toward complexity in this area. We've all managed to squeeze our resource access control semantics down into a single value and it usually requires some form of specific (I'd rather not call it "proprietary") formatting. I don't think there's any problem with defining what works for you there. And, I don't think we to get into XACML-like complexity around this 'scope' feature. It's a slippery scope slope. davep On Sat, Dec 4, 2010 at 7:42 PM, Eve Maler <eve@xmlgrrl.com> wrote: > A comment on Mike's comment on the idea of a "resource" parameter... > > On 24 Nov 2010, at 11:31 PM, Eran Hammer-Lahav wrote: > >> Thanks Mike! Comments inline. >> >>> Normative Issues >>> >>> 4.1, 4.2, 4.3.1, 5, 5.2, 5.3.1, 6.2, 6.2.1 "Scope" parameter should be paired with >>> complimentary "resource" parameter >> >> I am more inclined to drop 'scope' than to include 'resource'. Scope as currently defined can easily accommodate resource - we specifically chose space-delimited to allow URI values. If you want a new parameter, *you* will have to build consensus. Not wearing my editor hat, I'm -1. > > Over in UMA-land we've had to solve for this because our use cases anticipate protecting arbitrary resources, not just singular APIs, and because our loosely coupled resource server and authorization server components need to communicate about this stuff in an organized fashion. > > After many months of discussion, as well as UX and implementation work by various participants, in the last week we finally got consensus around having two parts (resource sets and actions, the latter being a close analogue to today's OAuth scopes) rather than a single flat scope namespace. The degenerate case could be very much like today's common practice, but we believe it handles a lot more use cases. > > There's still work to do to propagate information in this two-part form throughout the protocol flow (which is what Mike was directly suggesting), but at least we now have a conceptual foundation for doing that. If there is consensus here for adding a parameter, it would make UMA's life easier as we wouldn't have to invent anything weird and nonstandard. :-) > > See the "Resource Registration" spec link from our Working Drafts page for more info; if there's sufficient interest, we could contribute it as an IETF I-D soonish: > > http://kantarainitiative.org/confluence/display/uma/Working+Drafts > > Eve > > Eve Maler http://www.xmlgrrl.com/blog > +1 425 345 6756 http://www.twitter.com/xmlgrrl > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Feedback on preliminary draft 11 from … Mike Jones
- Re: [OAUTH-WG] Feedback on preliminary draft 11 f… Eran Hammer-Lahav
- Re: [OAUTH-WG] Feedback on preliminary draft 11 f… Eve Maler
- Re: [OAUTH-WG] Feedback on preliminary draft 11 f… David Primmer