IETF Logo Mail Archive

Re: [OAUTH-WG] semantics of scope parameter

Eran Hammer-Lahav <eran@hueniverse.com> Mon, 28 June 2010 06:10 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9B6A43A698A for <oauth@core3.amsl.com>; Sun, 27 Jun 2010 23:10:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.923
X-Spam-Level:
X-Spam-Status: No, score=-0.923 tagged_above=-999 required=5 tests=[AWL=-1.013, BAYES_05=-1.11, J_CHICKENPOX_74=0.6, J_CHICKENPOX_75=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TfaTOjFNMjJW for <oauth@core3.amsl.com>; Sun, 27 Jun 2010 23:10:20 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id 49E913A698B for <oauth@ietf.org>; Sun, 27 Jun 2010 23:10:20 -0700 (PDT)
Received: (qmail 29288 invoked from network); 28 Jun 2010 06:10:29 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 28 Jun 2010 06:10:29 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Sun, 27 Jun 2010 23:10:29 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Dick Hardt <dick.hardt@gmail.com>, "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Date: Sun, 27 Jun 2010 23:10:29 -0700
Thread-Topic: [OAUTH-WG] semantics of scope parameter
Thread-Index: AcsWhjkvOkkXfhgRRESj3hMAvQT4BgAAWF1Q
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72343B3EC84AE9@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <085C731D-5C07-422C-AC53-1C50CF6D9984@gmail.com>
In-Reply-To: <085C731D-5C07-422C-AC53-1C50CF6D9984@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] semantics of scope parameter
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Jun 2010 06:10:22 -0000

First, there is nothing preventing the server from using:

scope=photos:read profile:read friends:read

or:

scope=photos:read profile:readwrite friends:write

---

I think the current language strikes the right balance between interop and scopes definitions. While a generic client will not understand the meaning of each scope, it will be able to tell that "x y" is the same as "y x", that "x y" includes both "x" and "y", and that if it asked for "x y" and was told it needs "y z", it can ask for "x y z" and use it as a replacement of the "z y" token.

Being able to manipulate scope values is essential to accomplish interop. Without that, there is little value in defining any internal structure, and if that is the case, I still maintain that there is no value in defining the entire parameter. The current language is a workable compromise that helps libraries and developers, and does not restrict service providers from defining their own scope syntax (as long as they don't use spaces to mean something else).

For example:

scope=photos,profile,friends,readwrite

is perfectly valid, but treated by a generic client as one opaque scope.

EHL


> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Dick Hardt
> Sent: Sunday, June 27, 2010 10:49 PM
> To: OAuth WG (oauth@ietf.org)
> Subject: [OAUTH-WG] semantics of scope parameter
> 
> The current spec defines scope (when the scope variable is introduced) as:
> 
>    scope
>          OPTIONAL.  The scope of the access request expressed as a list
>          of space-delimited strings.  The value of the "scope" parameter
>          is defined by the authorization server.  If the value contains
>          multiple space-delimited strings, their order does not matter,
>          and each string adds an additional access range to the
>          requested scope.
> 
> I think the last phrase is adding semantics that may not be true, and that the
> following is more accurate:
> 
>    scope
>          OPTIONAL.  The scope of the access request expressed as a list
>          of space-delimited strings.  The value of the "scope" parameter
>          is defined by the authorization server.  If the value contains
>          multiple space-delimited strings, their order does not matter.
> 
> A authorization server may define some scope parameters that add
> restrictions to the access rather than are additive. For example, scope could
> be defined by an AS as one or more resources (PHOTOS PROFILE FRIENDS)
> and the type of access (READ WRITE READWRITE)
> 
> -- Dick
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.40.3 | Report a Bug | By Email | System Status