Re: [OAUTH-WG] Seeking Clarification: Potential Ambiguity in Specification

William Mills <> Tue, 10 January 2012 00:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5BA0B11E809B for <>; Mon, 9 Jan 2012 16:53:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -17.288
X-Spam-Status: No, score=-17.288 tagged_above=-999 required=5 tests=[AWL=0.310, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id g3hmIJA6TV3i for <>; Mon, 9 Jan 2012 16:53:11 -0800 (PST)
Received: from ( []) by (Postfix) with SMTP id E8CE411E8080 for <>; Mon, 9 Jan 2012 16:53:10 -0800 (PST)
Received: from [] by with NNFMP; 10 Jan 2012 00:53:07 -0000
Received: from [] by with NNFMP; 10 Jan 2012 00:53:07 -0000
Received: from [] by with NNFMP; 10 Jan 2012 00:53:07 -0000
X-Yahoo-Newman-Property: ymail-3
Received: (qmail 17141 invoked by uid 60001); 10 Jan 2012 00:53:06 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=ginc1024; t=1326156786; bh=gEPf2b6Aqa9I8xJVkgtWbLxZpJ55jRcpAyTrtdsyOcM=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=DXCcQIMTGQ167ciZOel3JOyH086RSlMLOp//aqGQ0SW3QXIR3STnwvzUrlPAQn4k4yxBIoei+r+QVCmDv0qjSu2bSzT00al6zsq4pq1kUj4Rix3VON8H9jgiCdPxKWLjNd7nc9PQOf1zIii+dUVsw99IqTNHU4GLqtGizbSKxcM=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024;; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=Ob2++AidifAcpklz2VIeOQOz2Km3eqFi2gGPHgugZm4MCPbI5cVz08VCqk2a+w8nlOnAmCWubeWO/r0fagBIQFKOsfZlOgkYI7OjkvKMdFDqoXiuxPfl3MZYoEuqy0ebF7RXilFIq4t6NPefXwoiuB84XmbsqTChPtqMkhhfCrw=;
X-YMail-OSG: LVZVf1QVM1mBhlHp4hhUuUe2mBK23NWC3xlyypH02JtYhoh plTmpeWHycbNLtgEMOb2QHHUhI10JeJW1sgAa4kpJe69euq12s3Smwf20Woh Su28gpEQjYikRICWp.eaIpRUwIqiBEzAg5BnOtX2jHFc4D1SG7NI4VSgyv4e m9hyGgfjSMJRti1ExtHmr99NbugHWNrhQT0xOvZFz1COy8qDU4jUBOb6tJau hKt0BDMb5wIXvJNCDhDP7zbgmwFdX9OZXL0cAjjcVC_4XQZZUuAxGDzIkzO5 gNu8M9PMUvJA0k_EHe0JXuNwEHsmxVkbOJVGsseYfcwOqsRR7twXExMEq0Rk _WmQXpafDNIMmg3DA..z9_4iBo6xFYzMVNEu.5jceOZ.YHEQ87mgeFLoKZ2d .rzHmJOJTQZ3ksELZQXF_0MUlQNRRWYEU2nwZPlzYmzAqnH8oQIjw0kxNqTX jt5AdPoyX8OSPwV1X6rIKRrW5bGaO4yCFpw4u3.f6TYYUpdwsncXHd4mQBcL tRLFBsTXt967bgC5olo_DAKAp1RC5fDZds8gn0gaplYudeFfGlG9ywOQKtxP Bul1ee.AfoCNCXIjlLdYe7xCpQq0emRn9_Nug
Received: from [] by via HTTP; Mon, 09 Jan 2012 16:53:06 PST
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/
References: <> <> <> <> <>
Message-ID: <>
Date: Mon, 09 Jan 2012 16:53:06 -0800
From: William Mills <>
To: agks mehx <>, SM <>, Eran Hammer <>, "" <>
In-Reply-To: <>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="1458549034-83657671-1326156786=:88572"
Subject: Re: [OAUTH-WG] Seeking Clarification: Potential Ambiguity in Specification
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <>
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 10 Jan 2012 00:53:12 -0000

There are definitely use cases for un-scoped credentials, which the implementations I have seen implement as an empty scope.  Are you worried specifically about the scope parameter in the HTTP requests, or as represented in the credential used to access the PR?

 From: agks mehx <>
To: SM <>; Eran Hammer <>; 
Sent: Monday, January 9, 2012 4:17 PM
Subject: Re: [OAUTH-WG] Seeking Clarification: Potential Ambiguity in Specification

Hi SM and Eran,

I am confused again, after re-reading Eran's response, whether or not an implementation that rejects *missing* (as opposed to empty) scope is conformant or not.  (Eran, your response was a bit ambiguous on whether an implementation is free to error out on an missing scope parameter or not -- I can clearly see it is free to error out on an empty scope parameter, but that's a different situation than the one I am concerned about.)

The vendor definitely gives a higher priority to claiming conformance and I believe they would change their implementation, but they believe they are conformant.

I do feel the IETF Working Group should make this part of the spec less ambiguous -- why not just make 'scope' REQUIRED and end the misery?  Or, make it clear that an implementation is not conformant to the spec if it requires optional parameters?

Additionally, I will resend a use-case for the no-scope parameter because my earlier reply unintentionally went privately to Eran and not to the list:

I can suggest a spec modification that says that an implementation MUST accept a request without a scope parameter, in which case one possibility for an implementing server is to return an access token or code that does not allow any operations.  The purpose of this otherwise "useless" token/code is that the OAuth server confirms that the user is *some* user without any information on *which* user it is.  (If the user is not authenticated by the vendor then of course no valid token/code is returned.)

An example might help:  Facebook, when it started, would manage social networks based on college email domain --, etc.  Facebook used to do it by asking for your email address and sending a confirmation mail.  But what if I wanted to tell Facebook just the fact that I was at but I did not want to share my email address with Facebook, or any other unique identifier?  If the spec required implementations to work without a scope parameter, it would solve this use case perfectly.  Facebook wouldn't really care about my school email address or unique id -- I could use my non-school personal email and all Facebook wanted to know was whether I should be in that school network or not simply by using the barebones no-scope OAuth request.

Vendors do not lose anything if the spec requires such no-scope requests to be fulfilled. They are merely confirming that a user is *some* user with the user's consent.  There are valid cases on the client side such as determining network membership without needing network identity.  And it cleans out the optional semantics of scope.

Users win in that they have a way to confirm network membership without having to reveal a unique identifier.

Clients win in that users will be more willing to confirm network membership if they are not also required to reveal a unique identitfier.

This is off-the-cuff but I will be very happy to formalize it and present it to the list.  I hope the essential concept made it through my writing!


On Mon, Jan 9, 2012 at 3:47 PM, SM <> wrote:

>At 15:14 09-01-2012, agks mehx wrote:
>Thank you for the response.  If I understand correctly, the vendor is correctly that their implementation conforms to the specification even though it rejects requests that do not specify the scope parameter.  That answers my question.
The better answer is from Eran ( ).
>Whether I was asking for (i) a clarification; or (ii) trying to resolve a disagreement.  I think I was trying to verify whether indeed there was a disagreement. I. e. whether my understanding of the specification was correct or not.  It seems I was mistaken in understanding the spec.
See comment below.
>There is no disagreement with the vendor at this point because the two responses from this list indicate that the vendor is right.  (I still don't understand why scope isn't made a required parameter in the specification so that such confusion can be avoided, but that's a minor point.)
You locked in on the term "optional" without going into the details of the draft.  I would not claim conformance with a specification if my API specifies that the optional parts are required as someone writing an implementation from the draft will run into the same problem as you.  Saying that the vendor is wrong will not get them to fix it.

OAuth mailing list