Re: [OAUTH-WG] 'Scope' parameter proposal

John Kemp <john@jkemp.net> Mon, 19 April 2010 21:58 UTC

From: John Kemp <john@jkemp.net>
Date: Mon, 19 Apr 2010 17:58:44 -0400
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: OAuth WG <oauth@ietf.org>

On Apr 19, 2010, at 12:25 PM, Eran Hammer-Lahav wrote:

> Proposal:
> 
> 'scope' is defined as a comma-separated list of resource URIs or resource
> groups (e.g. contacts, photos).

So, 'scope' at the authenticating (via OAuth) server is simply a list of one or more URIs? There are no defined, interoperable semantics that a server should use here - is that correct?

> The server can provide a list of values for
> the client to use in its documentation, or the client can use the URIs or
> scope identifier of the protected resources it is trying to access (before
> or after getting a 401 response).
> 
> For example:
> 
> 1. Client requests resource
> 
>    GET /resource HTTP/1.1
>    Host: example.com
> 
> 2. Server requires authentication
> 
>    HTTP/1.1 401 Unauthorized
>    WWW-Authenticate: Token realm='Example', scope='x2'

No (implied or otherwise) relationship between the realm and the scope? 

The scope doesn't have to match the base URI of the resource which the client tried and got the 401 from?

> 
> 3. Client requests an access token by including scope=x2 in the request
> 
> Alternatively, the client can ask for an access token with
> scope=http://example.com/resource.
> 
> If the client needs access to two resources with different scopes, it
> requests an access token for scope=x2,x1.

Is the "effective" scope a URI, or a list of URIs?

> 
> That's it!
> 
> It allows the client to figure out what value to put in the scope parameter

It doesn't tell the client where to go to get a token related to that scope (nor should it). 

> and how to encode multiple scopes without any server-specific documentation.
> Servers that wish to rely exclusively on paperwork can just omit the scope
> parameter from the WWW-Authenticate header.

I think that there is much that is unspecified in this model and thus it doesn't provide much interoperability. If we don't tell the client what to do with the scope, and we don't specify what a server means by supplying a scope, I'm not sure what the point is in specifying this at all, as clients will still need some documentation or be hard-coded (which token service do I get such a token from?).

What am I missing here?

Cheers,

- johnk

> 
> We can pick a different separator (space, semicolon, etc.) or different
> parameter name (resource(s)).
> 
> EHL
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
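The three-step exchange in Eran's proposal, worked through in code as an added example (not code from the original thread or from any OAuth implementation): the client parses the `Token` challenge, builds the comma-separated `scope` value (falling back to the resource URI when the server omits `scope`), and a resource server checks whether a token's scope covers a resource. The `scope_is_plausible` check, the `groups` table mapping identifiers like `x2` to resource URIs, and all URIs other than `http://example.com/resource` are assumptions made for the example; the proposal itself leaves the relationship between scope, realm and resource URI open, which is exactly the question John raises.

```python
"""Worked example of the 'scope' proposal: a client parses the Token challenge, builds the
comma-separated scope value, and a server checks a token's scope against a resource."""
import re
from urllib.parse import urlencode, urlsplit

# One auth-param of a WWW-Authenticate challenge. The proposal's example writes scope='x2'
# with single quotes; HTTP normally uses double quotes, so both forms (and bare tokens) are accepted.
_AUTH_PARAM = re.compile(
    r"""(?P<name>[A-Za-z0-9_-]+)\s*=\s*(?:'(?P<sq>[^']*)'|"(?P<dq>[^"]*)"|(?P<bare>[^\s,]+))"""
)


def parse_token_challenge(header):
    """Return the auth-params of a 'Token realm=..., scope=...' challenge as a dict."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "token":
        raise ValueError("not a Token challenge: %r" % header)
    result = {}
    for m in _AUTH_PARAM.finditer(params):
        value = next(v for v in (m.group("sq"), m.group("dq"), m.group("bare")) if v is not None)
        result[m.group("name").lower()] = value
    return result


def split_scope(value):
    """Split the proposal's comma-separated scope list, ignoring surrounding whitespace."""
    return [s.strip() for s in value.split(",") if s.strip()]


def scope_is_plausible(scope, resource_uri):
    """Added client-side check (an assumption, not part of the proposal): a scope written as an
    absolute URI must live on the same scheme and host as the resource that issued the challenge;
    group identifiers such as 'x2' are accepted as opaque strings."""
    parts = urlsplit(scope)
    if not parts.scheme:
        return True
    res = urlsplit(resource_uri)
    return (parts.scheme, parts.netloc) == (res.scheme, res.netloc)


def merge_scopes(attempts):
    """Combine the scopes the client needs for several resources into one ordered, de-duplicated
    list. `attempts` is a list of (resource_uri, challenge_params) pairs; when a server omits the
    scope parameter (the 'paperwork' case) the resource URI itself is used, as the proposal allows."""
    scopes = []
    for resource_uri, params in attempts:
        wanted = split_scope(params["scope"]) if params.get("scope") else [resource_uri]
        for s in wanted:
            if not scope_is_plausible(s, resource_uri):
                raise ValueError("scope %r from %r points at another host" % (s, resource_uri))
            if s not in scopes:
                scopes.append(s)
    return scopes


def build_scope_param(scopes):
    """Encode the list the way the proposal does: scope=x2,x1."""
    return ",".join(scopes)


def token_request_body(scopes):
    """Form-encoded body for the access-token request; the comma becomes %2C on the wire."""
    return urlencode({"scope": build_scope_param(scopes)})


def scope_covers(token_scopes, resource_uri, groups):
    """Server side: a token covers a resource if its scope names the resource URI directly or
    names a group that the server (here, the constructed `groups` table) maps to that URI."""
    if resource_uri in token_scopes:
        return True
    return any(resource_uri in groups.get(g, ()) for g in token_scopes)


if __name__ == "__main__":
    # Constructed exchange following steps 1-3 of the proposal; the second and third
    # resources and the groups table are invented for the example.
    attempts = [
        ("http://example.com/resource", parse_token_challenge("Token realm='Example', scope='x2'")),
        ("http://example.com/photos", parse_token_challenge('Token realm="Example", scope="x1"')),
        ("http://example.com/other", parse_token_challenge("Token realm='Example'")),  # no scope
    ]
    scopes = merge_scopes(attempts)
    print(token_request_body(scopes))
    groups = {"x2": {"http://example.com/resource"}, "x1": {"http://example.com/photos"}}
    print(scope_covers(scopes, "http://example.com/resource", groups))  # True
```

Note that `urlencode` percent-encodes the comma, so `scope=x2,x1` travels as `scope=x2%2Cx1`; the server must decode before splitting. The `groups` mapping is where the server-specific meaning of an identifier like `x2` lives, which is the part of the model the proposal leaves to documentation.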