Re: [OAUTH-WG] Can the repeated authorization of scopes be avoided ?
Sergey Beryozkin <sberyozkin@gmail.com> Wed, 27 January 2016 17:11 UTC
Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41C751A903F for <oauth@ietfa.amsl.com>; Wed, 27 Jan 2016 09:11:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1
X-Spam-Level:
X-Spam-Status: No, score=-1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yPXtoNe77gD4 for <oauth@ietfa.amsl.com>; Wed, 27 Jan 2016 09:11:38 -0800 (PST)
Received: from mail-wm0-x235.google.com (mail-wm0-x235.google.com [IPv6:2a00:1450:400c:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 108FD1AC3E4 for <oauth@ietf.org>; Wed, 27 Jan 2016 09:11:37 -0800 (PST)
Received: by mail-wm0-x235.google.com with SMTP id l65so153362468wmf.1 for <oauth@ietf.org>; Wed, 27 Jan 2016 09:11:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-type:content-transfer-encoding; bh=A0aboqr8/ULpGYJF2qjdcxxTz7ZtdcSXyh71OPokxwE=; b=0mspp7W0gFfDuMRBGRAdwWwCQRb4Fu98Voi06j5GuG2ifaTLyLVj4rMGyGay8PDfNN AIylcB/E47MM68XmM/PYr1PYtc8PbypsuS8Mckg4XdpBbFKU99rq1E1+aezyJTdmYGoj 9c4v0i5wOkNIGJiprBXlJ3tUe/OqBT2fvXwgmQpNjW8REo1FUGZdXmD5hUXaySwraQmZ c2+0hN7k++JgkP15ZFcHfBioUAiFi8rjMstoFOw0mcjex53c9sSplgWG+iJR017Buu05 e3VXEDSqYygR+bkcc7CyPWylBBwLOYAgM4lhKap8svs+RBr7nKTQ6ps5WEteHXyRgjIK P5oA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-type :content-transfer-encoding; bh=A0aboqr8/ULpGYJF2qjdcxxTz7ZtdcSXyh71OPokxwE=; b=KqaaJFaxJYUBnUs4zmzYK5kFfkK0VqqTqXnaFkAlfMUPLjNNUkfwq1xBi80Q9YV/Qh t0vPTDYvv4cKs+jbGO4O73Sc0aV3AY40Oq28RdltcNWaS/T/by0kCYBqO0OMY3OR1lPU iyUZD5lheEZz21u+OZnVj4fuQZNE49GLoRa3+Tkf27EjHfgDhyWNsbDyPQ2aLbjpcFwd 868fCbJnmN2XMOBaP67XNbAI2eAiDvA934tkkS64ophtytcxfcFODUgTo0swya4ArCV4 cGuJlPVj6EhKn8+I9+8JqlIpJ0FECGxK/ZbKnJyPcQRKYOjnT4bQQwPlQgHkZXVvtBnV 7o9g==
X-Gm-Message-State: AG10YORIPXyV1GgdqpsHbnkbF4svIU2SFSx5lraTf/3WKEn7Ueg2soLybSLPa78CHmQJJw==
X-Received: by 10.28.47.11 with SMTP id v11mr33864873wmv.27.1453914695600; Wed, 27 Jan 2016 09:11:35 -0800 (PST)
Received: from [10.36.226.98] ([80.169.137.63]) by smtp.googlemail.com with ESMTPSA id e198sm8622191wmd.0.2016.01.27.09.11.34 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 27 Jan 2016 09:11:34 -0800 (PST)
To: George Fletcher <gffletch@aol.com>, Thomas Broyer <t.broyer@gmail.com>, Justin Richer <jricher@mit.edu>
References: <78kleo9cmvytysxs1qv8kep0.1453117674832@email.android.com> <569CDE25.90908@gmail.com> <CAAP42hA_3EmJw7fAXSSfg=KynAMF26x6vgm1HyLX1RAS4OpKfQ@mail.gmail.com> <569E08F6.4040600@gmail.com> <56A7B52C.2040302@gmail.com> <CAEayHEMrTjDQbdoX3C-2-oGUVVQTzCzDqbWU-hFeAtbSp-tCcg@mail.gmail.com> <7E08DFCA-ADBC-481A-896A-2725E1F79EFA@mit.edu> <56A8A762.9080004@gmail.com> <CAEayHEPi7hsu=zkr_qxadp02D9zzLGVDU-AGVZXzm25vE2bJFw@mail.gmail.com> <56A8B542.5060208@gmail.com> <56A8BE1B.2080404@aol.com> <CAEayHEOtpUxMRKduitbe=D3UFHSazMmkf9UQoiPNjZFr0JATOA@mail.gmail.com> <56A8F3A5.8060002@aol.com> <56A8F612.7040208@aol.com>
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <56A8FA46.60807@gmail.com>
Date: Wed, 27 Jan 2016 17:11:34 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <56A8F612.7040208@aol.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/SmNA-HPw3kqf2fR9rOFysaaNChc>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Can the repeated authorization of scopes be avoided ?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jan 2016 17:11:39 -0000
Hi George Thanks. I think I'll need to spend more time on thinking about the way it has to be implemented, but I guess one thing I realize is that using only access tokens as records for this purpose is not ideal/generic. That said, it is not clear to me that a per-instance level consent makes sense only when the dynamic registration is used. Suppose we have a statically registered client, with the client id shared between 100 devices or even confidential clients. I'm actually not sure how realistic it is that the same user works with more than one device sharing the same id, but assuming it is possible sometimes, and further, with incremental authentication in place, we can have a situation where while working on device1 a user has approved 'a' while on device2 - scope "b", with both devices sharing the same client id. May be I'm making it too complex :-) Thanks, Sergey On 27/01/16 16:53, George Fletcher wrote: > My recommendation, like the others, is to store consent by > client_id:user and then try and leverage dynamic client registration if > instance level consent is needed. > > On 1/27/16 11:43 AM, George Fletcher wrote: >> Yes, I was thinking mostly of "native apps"... though you bring up a >> good point. It would be great if "installable" web apps could do >> dynamic client registration:) I suppose for a "public" client that is >> loaded onto a device, the "installation" process could obtain a new >> client_id for that instance. Cookies might work, or have the app >> generate a unique identifier and use that in conjunction with the >> client_id? >> >> Thanks, >> George >> >> On 1/27/16 11:07 AM, Thomas Broyer wrote: >>> >>> >>> On Wed, Jan 27, 2016 at 1:54 PM George Fletcher <gffletch@aol.com >>> <mailto:gffletch@aol.com>> wrote: >>> >>> The difference might be whether you want to store the scope >>> consent by client "instance" vs client_id application "class". >>> >>> >>> Correct me if I'm wrong but this only makes sense for "native apps", >>> not for web apps, right? >>> (of course, now with "installable web apps" –e.g. progressive web >>> apps–, lines get blurry; any suggestion how you'd do it then? cookies?) >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > -- Sergey Beryozkin Talend Community Coders http://coders.talend.com/
- [OAUTH-WG] Can the repeated authorization of scop… Sergey Beryozkin
- Re: [OAUTH-WG] Can the repeated authorization of … Justin Richer
- Re: [OAUTH-WG] Can the repeated authorization of … Sergey Beryozkin
- Re: [OAUTH-WG] Can the repeated authorization of … William Denniss
- Re: [OAUTH-WG] Can the repeated authorization of … Sergey Beryozkin
- Re: [OAUTH-WG] Can the repeated authorization of … Thomas Broyer
- Re: [OAUTH-WG] Can the repeated authorization of … Sergey Beryozkin
- Re: [OAUTH-WG] Can the repeated authorization of … John Bradley
- Re: [OAUTH-WG] Can the repeated authorization of … Thomas Broyer
- Re: [OAUTH-WG] Can the repeated authorization of … Justin Richer
- Re: [OAUTH-WG] Can the repeated authorization of … Sergey Beryozkin
- Re: [OAUTH-WG] Can the repeated authorization of … Sergey Beryozkin
- Re: [OAUTH-WG] Can the repeated authorization of … George Fletcher
- Re: [OAUTH-WG] Can the repeated authorization of … Thomas Broyer
- Re: [OAUTH-WG] Can the repeated authorization of … George Fletcher
- Re: [OAUTH-WG] Can the repeated authorization of … George Fletcher
- Re: [OAUTH-WG] Can the repeated authorization of … Sergey Beryozkin
- Re: [OAUTH-WG] Can the repeated authorization of … William Denniss
- Re: [OAUTH-WG] Can the repeated authorization of … Sergey Beryozkin
- Re: [OAUTH-WG] Can the repeated authorization of … John Bradley
- Re: [OAUTH-WG] Can the repeated authorization of … John Bradley