Re: [OAUTH-WG] Requesting mutliple scope, but user authorizes not all
Igor Faynberg <igor.faynberg@alcatel-lucent.com> Fri, 26 November 2010 20:25 UTC
Return-Path: <igor.faynberg@alcatel-lucent.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BD8A528C108 for <oauth@core3.amsl.com>; Fri, 26 Nov 2010 12:25:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.599
X-Spam-Level:
X-Spam-Status: No, score=-4.599 tagged_above=-999 required=5 tests=[AWL=2.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CNdQbztAvSP5 for <oauth@core3.amsl.com>; Fri, 26 Nov 2010 12:25:49 -0800 (PST)
Received: from ihemail3.lucent.com (ihemail3.lucent.com [135.245.0.37]) by core3.amsl.com (Postfix) with ESMTP id 5A65528C103 for <oauth@ietf.org>; Fri, 26 Nov 2010 12:25:48 -0800 (PST)
Received: from umail.lucent.com (h135-3-40-63.lucent.com [135.3.40.63]) by ihemail3.lucent.com (8.13.8/IER-o) with ESMTP id oAQKQm7C012368 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 26 Nov 2010 14:26:48 -0600 (CST)
Received: from [135.244.32.195] (faynberg.lra.lucent.com [135.244.32.195]) by umail.lucent.com (8.13.8/TPES) with ESMTP id oAQKQjRD005996; Fri, 26 Nov 2010 14:26:46 -0600 (CST)
Message-ID: <4CF01805.7030607@alcatel-lucent.com>
Date: Fri, 26 Nov 2010 15:26:45 -0500
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
Organization: Alcatel-Lucent
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <20101126094122.53764oqlukyiow4y@ugs.tarent.de> <90C41DD21FB7C64BB94121FBBC2E72343D4B065398@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343D4B065398@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.37
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Requesting mutliple scope, but user authorizes not all
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: igor.faynberg@alcatel-lucent.com
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Nov 2010 20:25:50 -0000
In the context of Martin's question (which concerns end-users understanding and resulting actions), I interpret the citation as follows: The end-user has no control over the value of the "scope" parameter, and, given that "it is defined by the authorization server," the end-user is not expected even to understand this value. Granted, an implementation can of course fix this specific issue, but the standard does not address it. Overall, I do tsee this is a drawback of 2.0, which needs to be fixed by careful specification of the "scope" values in the future, but I know that 2.0 needs to be out and that it has high-priority items (such as security) to be dealt with right now. I don't want to delay 2.0 by suggesting drastic changes in the design decisions, so I am not harping on the seeming irrelevance of the end-user. With the view of OAuth evolution though, I would like to see the whole token standardized, with the end-user having the overall control of the token--even if in the default situation it is still prepared by the authorization server-- with the ability to assign or change (or both) any value contained in it. Igor Eran Hammer-Lahav wrote: > -10 4.2: > > scope > OPTIONAL. The scope of the access token as a list of space- > delimited strings. The value of the "scope" parameter is > defined by the authorization server. If the value contains > multiple space-delimited strings, their order does not matter, > and each string adds an additional access range to the > requested scope. The authorization server SHOULD include the > parameter if the requested scope is different from the one > requested by the client. > > EHL > > >> -----Original Message----- >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf >> Of Martin Ley >> Sent: Friday, November 26, 2010 12:41 AM >> To: oauth@ietf.org >> Subject: [OAUTH-WG] Requesting mutliple scope, but user authorizes not all >> >> Dear list, >> >> perhaps I've overread it in the specification or it was not explicit about my >> required scenario: >> >> >> The Web-Server-Flow is used. An application requests data about the user. >> The scopes are dateofbirth,isover18,address. Now the user is forwarded to >> the authorization server to identify and authenticate and give permissions to >> the applications. The user decides to give only permission for the isover18 >> scope but not dateofbirth and address. >> >> How would the application be notified about the granted scopes and the not >> granted scopes? >> >> Best regards >> >> Martin >> >> >> -- >> tarent Gesellschaft für Softwareentwicklung und IT-Beratung mbH >> Geschäftsführer: Boris Esser, Elmar Geese HRB AG Bonn 5168 - USt-ID (VAT): >> DE122264941 >> >> Heilsbachstraße 24, 53123 Bonn, Telefon: +49 228 52675-0 >> Thiemannstraße 36a, 12059 Berlin, Telefon: +49 30 5682943-30 >> Internet: http://www.tarent.de/ Telefax: +49 228 52675-25 >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Requesting mutliple scope, but user au… Martin Ley
- Re: [OAUTH-WG] Requesting mutliple scope, but use… Eran Hammer-Lahav
- Re: [OAUTH-WG] Requesting mutliple scope, but use… Igor Faynberg
- Re: [OAUTH-WG] Requesting mutliple scope, but use… Nat Sakimura
- Re: [OAUTH-WG] Requesting mutliple scope, but use… Igor Faynberg
- Re: [OAUTH-WG] Requesting mutliple scope, but use… David Primmer
- Re: [OAUTH-WG] Requesting mutliple scope, but use… Justin Richer