IETF Logo Mail Archive

Re: [OAUTH-WG] Scope :: Was: Extensibility for OAuth?

"William Mills" <wmills@yahoo-inc.com> Thu, 24 June 2010 17:17 UTC

Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CA11E3A69DE for <oauth@core3.amsl.com>; Thu, 24 Jun 2010 10:17:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.075
X-Spam-Level:
X-Spam-Status: No, score=-17.075 tagged_above=-999 required=5 tests=[AWL=0.524, BAYES_00=-2.599, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yWHXiyq7iLcs for <oauth@core3.amsl.com>; Thu, 24 Jun 2010 10:17:16 -0700 (PDT)
Received: from mrout1.yahoo.com (mrout1.yahoo.com [216.145.54.171]) by core3.amsl.com (Postfix) with ESMTP id 7669D3A6A26 for <oauth@ietf.org>; Thu, 24 Jun 2010 10:17:13 -0700 (PDT)
Received: from SNV-EXBH01.ds.corp.yahoo.com (snv-exbh01.ds.corp.yahoo.com [207.126.227.249]) by mrout1.yahoo.com (8.13.8/8.13.8/y.out) with ESMTP id o5OHFe90044892; Thu, 24 Jun 2010 10:15:40 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; s=serpent; d=yahoo-inc.com; c=nofws; q=dns; h=received:x-mimeole:content-class:mime-version: content-type:content-transfer-encoding:subject:date:message-id: in-reply-to:x-ms-has-attach:x-ms-tnef-correlator:thread-topic: thread-index:references:from:to:cc:return-path:x-originalarrivaltime; b=rWgFOD2W6AcrDt63iCZ/f9/oHxgMgP1k+xL3+m/C/FWgYOjM+kzlSZQd0UIZaW4z
Received: from SNV-EXVS08.ds.corp.yahoo.com ([207.126.227.8]) by SNV-EXBH01.ds.corp.yahoo.com with Microsoft SMTPSVC(6.0.3790.4675); Thu, 24 Jun 2010 10:15:40 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 24 Jun 2010 10:15:06 -0700
Message-ID: <012AB2B223CB3F4BB846962876F47217059B663D@SNV-EXVS08.ds.corp.yahoo.com>
In-Reply-To: <3D3C75174CB95F42AD6BCC56E5555B4502869858@FIESEXC015.nsn-intra.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [OAUTH-WG] Scope :: Was: Extensibility for OAuth?
Thread-Index: AcsTcbz92OrLiBAWTqqVkquX92WR0QAGETTQAA1kINA=
References: <3D3C75174CB95F42AD6BCC56E5555B4502BE07CC@FIESEXC015.nsn-intra.net><E7A7F197-3BBC-43F2-8242-D0164057A39A@gmail.com><AANLkTild51WHVcXxYFCygL8sGSGiN3HILDFwIbym6Lfi@mail.gmail.com> <3D3C75174CB95F42AD6BCC56E5555B4502869858@FIESEXC015.nsn-intra.net>
From: William Mills <wmills@yahoo-inc.com>
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>, ext Lukas Rosenstock <lr@lukasrosenstock.net>, Dick Hardt <dick.hardt@gmail.com>
X-OriginalArrivalTime: 24 Jun 2010 17:15:40.0455 (UTC) FILETIME=[DEE77370:01CB13C0]
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Scope :: Was: Extensibility for OAuth?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jun 2010 17:17:17 -0000

I'm in favor of having a spaces separated list of tokens.  The only case I can think of where the client needs to handle the scope as anything other than opaque is when it is accessing multiple services.  To reduce the numebr of login events the client will have to poll all the endpoints it wants to access and get all the scopes advertized by them and submit them all, and once it has them it needs to submit all of them in it's auth request, so we need something that's easy for the client to put together.


-bill

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] 
> On Behalf Of Tschofenig, Hannes (NSN - FI/Espoo)
> Sent: Thursday, June 24, 2010 3:58 AM
> To: ext Lukas Rosenstock; Dick Hardt
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] Scope :: Was: Extensibility for OAuth?
> 
> The question is whether one would ever want to have a 
> standardized semantic for the scope parameter. 
> If the answer to that question is "no" then it does not 
> matter what the format is. It can well be a list of  
> space-delimited strings (as it is currently defined). 
> 
> An evironment specific semantic works well in cases where 
> entity X sets the value and later it receives the value 
> again. Only entity X needs to understand what it means.
> 
> In some environments the use case is slightly different, 
> namely entity X and entity Y are from the same organization 
> and agree on the semantic. Usage of OAuth within an 
> enterprise might be such a case. 
> 
> Now, the usage of the scope parameter is, however, a bit 
> different in the spec. Section 4, for example, describes how 
> a client obtains an access token. How does the client know 
> what scope parameters to set and what the semantic is?
> 
> Ciao
> Hannes
> 
> > -----Original Message-----
> > From: ext Lukas Rosenstock [mailto:lr@lukasrosenstock.net]
> > Sent: Thursday, June 24, 2010 10:49 AM
> > To: Dick Hardt
> > Cc: Tschofenig, Hannes (NSN - FI/Espoo); OAuth WG
> > Subject: Re: [OAUTH-WG] Scope :: Was: Extensibility for OAuth?
> > 
> > Wasn't there some concensus that URIs would be good for scope? They 
> > have "in-built namespacing" ...
> > 
> > Lukas
> > 
> > 2010/6/23 Dick Hardt <dick.hardt@gmail.com>:
> > >
> > > On 2010-06-22, at 11:07 PM, Tschofenig, Hannes (NSN -
> > FI/Espoo) wrote:
> > >
> > >> "
> > >>   scope
> > >>         OPTIONAL.  The scope of the access request
> > expressed as a list
> > >>         of space-delimited strings.  The value of the
> > "scope" parameter
> > >>         is defined by the authorization server.  If the
> > value contains
> > >>         multiple space-delimited strings, their order does
> > not matter,
> > >>         and each string adds an additional access range to the
> > >>         requested scope.
> > >> "
> > >>
> > >> Do folks think it would be useful to have standardized values?
> > >
> > > Not at this time. The semantics of scope are all over the
> > place. If standardized, people will feel they need to pick 
> one that is 
> > close to what they want, but is not exactly what they mean. 
> I think it 
> > is better for the AS to define what they mean by a scope 
> and give it a 
> > name that makes sense in that context.
> > >
> > >>
> > >> If the answer is "yes", then it would be useful to
> > differentiate the
> > >> standardized values from those values that are purely
> > defined locally by
> > >> the authorization server.
> > 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.43.4 | Report a Bug | By Email | System Status