Re: [OAUTH-WG] resource server id needed?

Marius Scurtescu <mscurtescu@google.com> Wed, 14 July 2010 22:37 UTC

DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:from:date:message-id: subject:to:cc:content-type:x-system-of-record; b=f7OfGqOmOf0BkGR0T78gRjg0OYYkDUZcYqueTsCMrbPZkCpcHXAGFM9gTmrgUbqwX mpqrsW+wjIEJ+ePPjlepQ==
MIME-Version: 1.0
In-Reply-To: <4C3E389D.5080300@lodderstedt.net>
References: <4C3E389D.5080300@lodderstedt.net>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Wed, 14 Jul 2010 15:37:16 -0700
Message-ID: <AANLkTilbBWMoMj5DIJ7IMYzlBGgZHni7xCYHyAzz_XK4@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] resource server id needed?
Precedence: list

On Wed, Jul 14, 2010 at 3:22 PM, Torsten Lodderstedt
<torsten@lodderstedt.net> wrote:
> I have a question concerning the OAuth philosophy: How many resource servers
> may be managed by a single OAuth authorization server? (a) A single resource
> server or (b) several of them exposing different resource types?
>
> If the answer is (b) then how is a particular resource server identified in
> the protocol? Clients have Ids, end-users as well (at least in a future
> protocol extension), but what about resource server Ids?
>
> I think resource servers must be identifiable in multi-server deployments
> for several reasons:
> - Interpretation of the scope parameter should be resource server specific -
> "read" may have different meanings in mail and address book
> - An authorization server probably wants to apply server-specific security
> policy, e.g. different access token durations
> - It will be possible to create special tokens per server
>
> I think we should introduce a resource server id in the authz and access
> token request.
>
> Any thoughts?

I think the scope fills this role. Scopes implemented as URIs, for
example, allow the authz server to map them to resource servers.

Marius

[OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Marius Scurtescu
Re: [OAUTH-WG] resource server id needed? Eran Hammer-Lahav
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Ivan Pulleyn
Re: [OAUTH-WG] resource server id needed? Luke Shepard
Re: [OAUTH-WG] resource server id needed? William Mills
Re: [OAUTH-WG] resource server id needed? William Mills
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Eran Hammer-Lahav
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Ivan Pulleyn
Re: [OAUTH-WG] resource server id needed? Marius Scurtescu
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Wolfgang.Steigerwald
Re: [OAUTH-WG] resource server id needed? Brian Eaton
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Brian Eaton
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? David Recordon
Re: [OAUTH-WG] resource server id needed? Andrew Arnott
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Eve Maler
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Eve Maler
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Eve Maler