Re: [OAUTH-WG] Issue: Scope parameter

Mark Mcgloin <mark.mcgloin@ie.ibm.com> Fri, 16 April 2010 13:40 UTC

In-Reply-To: <255B9BB34FB7D647A506DC292726F6E11257591E3F@WSMSG3153V.srv.dir.telstra.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Message-ID: <OF70542F9E.35EC96CC-ON80257707.003656F0-80257707.004A7B66@ie.ibm.com>
From: Mark Mcgloin <mark.mcgloin@ie.ibm.com>
Date: Fri, 16 Apr 2010 14:33:33 +0100
Cc: OAuth WG <oauth@ietf.org>, oauth-bounces@ietf.org
Subject: Re: [OAUTH-WG] Issue: Scope parameter

I know we will control scope server side based on the calling client.

I can see why others may want to have a scope parameter though to allow a
client app to decrease the scope they request (assuming short duration
access), e.g. client app is entitled to request contacts and files based on
their client identifier but they only request contacts for some operation,
and the user feels more secure. Is this the main reason for scope?

James, how does your proposal work if the client needs access to more than
one set of resources?


Mark McGloin



"Manger, James H" <James.H.Manger@team.telstra.com>
Sent by: oauth-bounces@ietf.org
16/04/2010 05:43




> So, let's say there is an Authorization Server available at
> http://as.com and it protects the http://foo.com and http://bar.com
> resources.
>
> A client requests http://foo.com. The foo.com server responds with
> a WWW-Auth that contains the http://as.com URI. The client then sends
> an access token request to http://as.com. Is that right?
>
> If so, then how does http://as.com know that the intended resource
> is http://foo.com?


Foo.com should point the client at, say, http://as.com/foo/ or
http://foo.as.com/ or http://as.com/?scope=foo or
http://as.com/?encrypted_resource_id=273648264287642 or whatever it has
agreed to with its AS.
The WWW-Auth response from foo.com should not be just http://as.com.
Foo is much better placed to know it shares as.com with Bar than a client
is.

--
James Manger
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
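The exchange the two messages above are arguing about, as an added example that is not part of the thread and not anyone's implementation: foo.com answers an unauthenticated request with a challenge whose AS URI is already bound to the resource (James's http://as.com/?scope=foo), the client follows that URI and may narrow its request to what the operation needs (Mark's contacts-only case), and the AS enforces scope server side against what the client was registered for. The "Token" scheme, the authorization-uri and resource parameters, the client and scope names and the registry tables are all constructed for illustration; nothing here reflects a format the 2010 drafts fixed.

```python
"""
Added example (not from the thread): a toy model of the challenge / token
request exchange discussed above.  All header names, parameter names, client
identifiers and scope names are assumptions for illustration.
"""
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed AS registry: which short scope label each protected resource maps
# to, and which scopes each client is entitled to request (server-side policy).
AS_BASE = "http://as.com/"
RESOURCE_TO_SCOPE = {"http://foo.com": "foo", "http://bar.com": "bar"}
CLIENT_ENTITLEMENTS = {
    "client-123": {"foo:contacts", "foo:files", "bar:read"},
}


def build_challenge(resource_uri: str) -> str:
    """Resource server side.  The challenge names the AS *and* the resource,
    so a client is never handed a bare http://as.com and left to guess whether
    it is dealing with foo or bar (James's point)."""
    scope = RESOURCE_TO_SCOPE[resource_uri]
    as_uri = AS_BASE + "?" + urlencode({"scope": scope})
    return f'Token realm="{resource_uri}", authorization-uri="{as_uri}"'


def parse_challenge(header: str) -> dict:
    """Client side: split the (assumed) 'Token' challenge into its auth-params.
    Values are taken up to the first comma, which is enough for this example."""
    scheme, _, params = header.partition(" ")
    if scheme != "Token":
        raise ValueError(f"unsupported scheme {scheme!r}")
    out = {}
    for item in params.split(","):
        key, _, value = item.strip().partition("=")
        out[key] = value.strip('"')
    return out


def client_token_request(challenge: str, client_id: str,
                         wanted: Optional[set] = None) -> dict:
    """Client side: follow the AS URI from the challenge and build the token
    request.  `wanted` lets the client ask for less than it is entitled to
    (Mark's contacts-only operation); None means 'everything I am entitled to'."""
    params = parse_challenge(challenge)
    as_url = urlparse(params["authorization-uri"])
    resource_scope = parse_qs(as_url.query)["scope"][0]
    req = {"client_id": client_id, "resource": resource_scope}
    if wanted is not None:
        req["scope"] = " ".join(sorted(wanted))
    return req


def as_issue_token(req: dict) -> dict:
    """AS side: scope is decided from the calling client's registration, and a
    narrowed request must stay inside both that entitlement and the resource
    the challenge named.  Anything outside is refused, not silently trimmed."""
    entitled = CLIENT_ENTITLEMENTS.get(req["client_id"], set())
    in_resource = {s for s in entitled if s.startswith(req["resource"] + ":")}
    if "scope" in req:
        requested = set(req["scope"].split())
        if not requested <= in_resource:
            return {"error": "invalid_scope",
                    "denied": sorted(requested - in_resource)}
        granted = requested
    else:
        granted = in_resource
    if not granted:
        return {"error": "access_denied"}
    return {"access_token": "tok-" + req["client_id"],
            "scope": " ".join(sorted(granted))}


def run_exchange(resource_uri: str, client_id: str,
                 wanted: Optional[set] = None) -> dict:
    """Drive the three steps end to end and return the AS response."""
    challenge = build_challenge(resource_uri)
    return as_issue_token(client_token_request(challenge, client_id, wanted))


if __name__ == "__main__":
    print(build_challenge("http://foo.com"))
    print(run_exchange("http://foo.com", "client-123"))
    print(run_exchange("http://foo.com", "client-123", {"foo:contacts"}))
    print(run_exchange("http://foo.com", "client-123", {"foo:contacts", "bar:read"}))
```

The third call in the usage block is the case worth noticing: the client was handed foo's AS URI but tried to smuggle a bar scope into the same request, and the AS rejects the whole request rather than issuing a token for the subset that happened to match.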