Re: [OAUTH-WG] Clarification on section 3.3: missing scope parameter in access token request

Justin Richer <jricher@mitre.org> Mon, 13 February 2012 16:15 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29D4121F869D for <oauth@ietfa.amsl.com>; Mon, 13 Feb 2012 08:15:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.298
X-Spam-Level:
X-Spam-Status: No, score=-6.298 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_51=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2kjTKnWwfGT5 for <oauth@ietfa.amsl.com>; Mon, 13 Feb 2012 08:15:02 -0800 (PST)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 3094D21F86C9 for <oauth@ietf.org>; Mon, 13 Feb 2012 08:15:02 -0800 (PST)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id C7E2521B00C3; Mon, 13 Feb 2012 11:15:01 -0500 (EST)
Received: from IMCCAS01.MITRE.ORG (imccas01.mitre.org [129.83.29.78]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 99AD621B0404; Mon, 13 Feb 2012 11:15:01 -0500 (EST)
Received: from [129.83.50.12] (129.83.31.51) by IMCCAS01.MITRE.ORG (129.83.29.78) with Microsoft SMTP Server (TLS) id 14.1.339.1; Mon, 13 Feb 2012 11:15:01 -0500
Message-ID: <4F3936AF.90402@mitre.org>
Date: Mon, 13 Feb 2012 11:13:35 -0500
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0) Gecko/20120129 Thunderbird/10.0
MIME-Version: 1.0
To: Andrew Arnott <andrewarnott@gmail.com>
References: <CAE358b4yTtRXqsz-p+o_F=cj4a-JChWvn8RJ-j169ckQaq6sEw@mail.gmail.com>
In-Reply-To: <CAE358b4yTtRXqsz-p+o_F=cj4a-JChWvn8RJ-j169ckQaq6sEw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------050609050907030902070608"
X-Originating-IP: [129.83.31.51]
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Clarification on section 3.3: missing scope parameter in access token request
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Feb 2012 16:15:03 -0000

In most cases, it will likely be a fixed value, but there's nothing 
indicating that it can't be contextual. Especially in cases where you've 
got public, confidential, and dynamically-registered clients all acting 
on the same host, the default value will depend completely on what kind 
of client is asking.

Really, this is a way of saying "scope is up to the AS", which it is, 
even if the client asks for something else.

  -- Justin

On 02/12/2012 11:44 PM, Andrew Arnott wrote:
> From section 3.3 (draft 23):
>
>     If the client omits the scope parameter when requesting
>     authorization, the authorization server MUST either process the
>     request using*a pre-defined default value*, or fail the request
>     indicating an invalid scope. The authorization server SHOULD
>     document its scope requirements and default value (if defined). 
>
>
> Is this saying that the pre-defined default value must be a FIXED 
> value for all clients and all grants?  Or might the predefined default 
> value actually be a derivation of the grant? (for example, by default 
> the access token scope is simply the maximum scope allowed by the grant)
>
> Thanks.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the 
> death your right to say it." - S. G. Tallentyre
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth