Re: [OAUTH-WG] draft-richer-oauth-introspection-01 scope syntax

Todd W Lainhart <> Mon, 04 February 2013 19:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 94BFB21F89A4 for <>; Mon, 4 Feb 2013 11:03:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.48
X-Spam-Status: No, score=-10.48 tagged_above=-999 required=5 tests=[AWL=0.117, BAYES_00=-2.599, HTML_FONT_SIZE_LARGE=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UJQz2bRBfM25 for <>; Mon, 4 Feb 2013 11:03:50 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 1A79B21F899E for <>; Mon, 4 Feb 2013 11:03:50 -0800 (PST)
Received: from /spool/local by with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for <> from <>; Mon, 4 Feb 2013 14:03:49 -0500
Received: from ( by ( with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 4 Feb 2013 14:03:46 -0500
Received: from ( []) by (Postfix) with ESMTP id CC02338C805C for <>; Mon, 4 Feb 2013 14:03:44 -0500 (EST)
Received: from ( []) by (8.13.8/8.13.8/NCO v10.0) with ESMTP id r14J3idL286788 for <>; Mon, 4 Feb 2013 14:03:44 -0500
Received: from (loopback []) by (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id r14J3hjH028340 for <>; Mon, 4 Feb 2013 14:03:44 -0500
Received: from ( []) by (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id r14J3hDP028337; Mon, 4 Feb 2013 14:03:43 -0500
In-Reply-To: <00e101ce0309$21303700$6390a500$>
References: <> <> <> <> <B33BFB58CCC8BE4998958016839DE27E06885FEC@IMCMBX01.MITRE.ORG> <00e101ce0309$21303700$6390a500$>
To: Donald F Coffin <>
MIME-Version: 1.0
X-KeepSent: 08220115:29CA2A02-85257B08:00682B7C; type=4; name=$KeepSent
X-Mailer: Lotus Notes Release 8.5.3FP2 SHF22 July 19, 2012
Message-ID: <>
From: Todd W Lainhart <>
Date: Mon, 04 Feb 2013 14:03:36 -0500
X-MIMETrack: Serialize by Router on D01ML255/01/M/IBM(Release 8.5.3FP2 ZX853FP2HF4|December 14, 2012) at 02/04/2013 14:03:42, Serialize complete at 02/04/2013 14:03:42
Content-Type: multipart/alternative; boundary="=_alternative 0068B32985257B08_="
X-Content-Scanned: Fidelis XPS MAILER
x-cbid: 13020419-7182-0000-0000-000004ED57B2
Cc: John Adkins <>, Marty Burns <>, Scott Crowder <>, Dave Robin <>, John Teeter <>,, Edward Denson <>, 'IETF oauth WG' <>, Uday Verma <>, Ray Perlner <>, Anne Hendry <>, Lynne Rodoni <>
Subject: Re: [OAUTH-WG] draft-richer-oauth-introspection-01 scope syntax
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 04 Feb 2013 19:03:52 -0000

If we're tallying votes, I'll re-state my position that I'm also in favor 
of using the scope syntax definition per 6749 - otherwise it is confusing 
when writing guidance documentation. 

If supporting JSON array syntax is important for this response value, 
Don's suggestion of introducing a new response parameter seems a good 

From:   "Donald F Coffin" <>
To:     "'Richer, Justin P.'" <>, Todd W 
Cc:     "'IETF oauth WG'" <>, "Anne Hendry" 
<>, "Dave Robin" <>, "Edward 
Denson" <>, "John Adkins" <>, "John Teeter" 
<>, "Lynne Rodoni" 
<>, "Marty Burns" <>, 
<>, "Ray Perlner" <>, "Scott 
Crowder" <>, "Uday Verma" 
Date:   02/04/2013 01:56 PM
Subject:        RE: [OAUTH-WG] draft-richer-oauth-introspection-01 scope 

I am involved with the OpenESPI and OpenADE Task Force within the Smart 
Grid Interoperability Panel (SGIP) which was established to engage 
stakeholders from the Smart Grid Community in a participatory public 
process to identify applicable standards, gaps in currently available 
standards, and priorities for new standardization activities for the 
evolving Smart Grid. The SGIP supports the National Institute of Standards 
and Technology (NIST) in fulfilling its responsibilities under the 2007 
Energy Independence and Security Act.  My particular function is to chair 
the OpenESPI OAuth sub-committee which is chartered with the integration 
of the OAuth 2.0 Protocol and the ESPI Standard.
Since OAuth 2.0 (RFC6749) has already established “scope” is a 
space-separated string, it will be very confusing to implementers to no 
define “scope” as a JSON array.  While a JSON array may be what the 
current space-separated string is converted into when the application is 
written using Java or one of its variants, there are other programming 
languages that implementers may select to use.  Having to deal with two 
methods of handling a “scope” response will require additional logic and 
merely complicate the coding task.
Additional OAuth 2.0 specifications should not redefine data elements that 
are already defined by RFC6749. Implementers should be able to rely on 
data element definitions within RFC6749 being persistent throughout the 
OAuth protocol framework.  If the OAuth introspective WG feels “scope” 
should be a JSON array, then the WG should define a new data element 
rather than changing the definition of an existing data element already 
defined by RFC6749.
Best regards,
Donald F. Coffin
REMI Networks
22751 El Prado Suite 6216
Rancho Santa Margarita, CA  92688-3836
Phone:      (949) 636-8571
From: Richer, Justin P. [] 
Sent: Monday, February 04, 2013 8:24 AM
To: Todd W Lainhart
Cc: IETF oauth WG
Subject: Re: [OAUTH-WG] draft-richer-oauth-introspection-01 scope syntax
I got the same reading of the list as you, and I could go either way. I 
believe we absolutely must pick one or the other though. 
If anyone has thoughts on the matter one way or the other, please speak 
up. The options are:
1) scopes are returned as a JSON array (current introspection text)
2) scopes are returned as a space-separated string (rfc6749 format for the 
"scope" parameter)
 -- Justin
On Feb 4, 2013, at 10:06 AM, Todd W Lainhart <>

Has there been any thinking or movement as to whether the scopes syntax 
stands as is, or aligns with 6749?  Of the folks who chose to respond, it 
seemed like the position was split.

From:        Justin Richer <> 
To:        Todd W Lainhart/Lexington/IBM@IBMUS, 
Cc:        IETF oauth WG <> 
Date:        01/30/2013 05:34 PM 
Subject:        Re: [OAUTH-WG] draft-richer-oauth-introspection-01 scope 

I should add that this is also a bit of an artifact of our implementation. 
Internally, we parse and store scopes as collections of discrete strings 
and process them that way. So serialization of that value naturally fell 
to a JSON list.

-- Justin

On 01/30/2013 05:29 PM, Justin Richer wrote: 
It's not meant to follow the same syntax. Instead, it's making use of the 
JSON object structure to avoid additional parsing of the values on the 
client side.

We could fairly easily define it as the same space-delimited string if 
enough people want to keep the scope format consistent.

-- Justin

On 01/30/2013 05:27 PM, Todd W Lainhart wrote: 
That the scope syntax in draft-richer-oauth-introspection-01 is different 
than RFC 6749 Section 3.3, as in: 

  "scope": ["read", "write", "dolphin"], 


 scope = scope-token *( SP scope-token )
    scope-token = 1*( %x21 / %x23-5B / %x5D-7E ) 

Should introspection-01 follow the 6749 syntax for scopes?

OAuth mailing list

OAuth mailing list