Re: [OAUTH-WG] Requesting multiple scope, but user authorizes not all

Igor Faynberg <igor.faynberg@alcatel-lucent.com> Fri, 26 November 2010 20:25 UTC

Message-ID: <4CF01805.7030607@alcatel-lucent.com>
Date: Fri, 26 Nov 2010 15:26:45 -0500
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
Organization: Alcatel-Lucent
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
References: <20101126094122.53764oqlukyiow4y@ugs.tarent.de> <90C41DD21FB7C64BB94121FBBC2E72343D4B065398@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343D4B065398@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Subject: Re: [OAUTH-WG] Requesting multiple scope, but user authorizes not all

In the context of Martin's question (which concerns end-users' 
understanding and resulting actions), I interpret the citation as 
follows: The end-user has no control over the value of the "scope" 
parameter, and, given that "it is defined by the authorization server," 
the end-user is not expected even to understand this value. Granted, an 
implementation can of course fix this specific issue, but the standard 
does not address it.

Overall, I do see this as a drawback of 2.0, which needs to be fixed by 
careful specification of the "scope" values in the future, but I know 
that 2.0 needs to be out and that it has high-priority items (such as 
security) to be dealt with right now. I don't want to delay 2.0 by 
suggesting drastic changes in the design decisions, so I am not harping 
on the seeming irrelevance of the end-user.

With a view to OAuth evolution, though, I would like to see the whole 
token standardized, with the end-user having overall control of the 
token -- even if in the default situation it is still prepared by the 
authorization server -- with the ability to assign or change (or both) 
any value contained in it.

Igor


Eran Hammer-Lahav wrote:
> -10 4.2:
>
>    scope
>          OPTIONAL.  The scope of the access token as a list of space-
>          delimited strings.  The value of the "scope" parameter is
>          defined by the authorization server.  If the value contains
>          multiple space-delimited strings, their order does not matter,
>          and each string adds an additional access range to the
>          requested scope.  The authorization server SHOULD include the
>          parameter if the requested scope is different from the one
>          requested by the client.
>
> EHL
>
>   
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Martin Ley
>> Sent: Friday, November 26, 2010 12:41 AM
>> To: oauth@ietf.org
>> Subject: [OAUTH-WG] Requesting multiple scope, but user authorizes not all
>>
>> Dear list,
>>
>> Perhaps I've overlooked it in the specification, or it is not explicit about
>> the scenario I need:
>>
>>
>> The Web-Server-Flow is used. An application requests data about the user.
>> The scopes are dateofbirth, isover18, address. Now the user is forwarded to
>> the authorization server to identify and authenticate and give permissions to
>> the application. The user decides to give permission only for the isover18
>> scope, but not for dateofbirth and address.
>>
>> How would the application be notified about the granted scopes and the
>> non-granted scopes?
>>
>> Best regards
>>
>> Martin
>>
>>
>> --
>> tarent Gesellschaft für Softwareentwicklung und IT-Beratung mbH
>> Geschäftsführer: Boris Esser, Elmar Geese HRB AG Bonn 5168 - USt-ID (VAT):
>> DE122264941
>>
>> Heilsbachstraße 24, 53123 Bonn,   Telefon: +49 228 52675-0
>> Thiemannstraße 36a, 12059 Berlin, Telefon: +49 30 5682943-30
>> Internet: http://www.tarent.de/   Telefax: +49 228 52675-25
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
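The following is an added example, not code from the OAuth WG thread or from any OAuth draft. It shows how a client in the web-server flow answers Martin's question using the "scope" token-response parameter from draft -10 section 4.2 as quoted above: an absent parameter means the request was granted as-is, a present one is authoritative and may be a subset, in any order, or contain scopes the client never asked for. The scope names come from Martin's message; the feature mapping and the JSON token responses are constructed sample data.

```python
# Added example (not from the thread or any draft): client-side handling of
# the "scope" parameter in an OAuth 2.0 token response, per draft -10 sec. 4.2.
# Scope names are taken from Martin's question; everything else is constructed.
import json

REQUESTED_SCOPE = "dateofbirth isover18 address"

# Hypothetical mapping from application features to the scopes they need.
FEATURE_SCOPES = {
    "age_gate": {"isover18"},
    "birthday_greeting": {"dateofbirth"},
    "shipping": {"address"},
}


def parse_scope(value):
    """Split a space-delimited scope string into a set; order does not matter."""
    return frozenset(token for token in value.split(" ") if token)


def granted_scope(requested, token_response):
    """Return the scope the token actually carries.

    Draft -10: the server SHOULD include "scope" when the granted scope differs
    from the requested one. So an absent parameter means "as requested", and a
    present one overrides the request. Because it is only a SHOULD, the client
    cannot rely on it in every deployment; the resource server stays the final
    check, but the client must at least never assume more than this.
    """
    requested_set = parse_scope(requested)
    scope_param = token_response.get("scope")
    if scope_param is None:
        return requested_set
    return parse_scope(scope_param)


def scope_report(requested, token_response):
    """Return (granted, denied, unrequested) for the client to act on.

    'unrequested' holds scopes the server added that the client never asked
    for; a careful client does not silently start using those.
    """
    requested_set = parse_scope(requested)
    granted = granted_scope(requested, token_response)
    return granted, requested_set - granted, granted - requested_set


def enabled_features(requested, token_response, feature_scopes=FEATURE_SCOPES):
    """Enable only those features whose required scopes were all granted."""
    granted, _, _ = scope_report(requested, token_response)
    return sorted(name for name, needed in feature_scopes.items()
                  if needed <= granted)


# Constructed token responses, as a token endpoint would return them.
FULL_GRANT = json.loads('{"access_token":"tokA","token_type":"bearer"}')
PARTIAL_GRANT = json.loads(
    '{"access_token":"tokB","token_type":"bearer","scope":"isover18"}')
REORDERED_GRANT = json.loads(
    '{"access_token":"tokC","token_type":"bearer",'
    '"scope":"address dateofbirth isover18"}')
EXTRA_GRANT = json.loads(
    '{"access_token":"tokD","token_type":"bearer","scope":"isover18 email"}')

if __name__ == "__main__":
    for name, resp in [("full", FULL_GRANT), ("partial", PARTIAL_GRANT),
                       ("reordered", REORDERED_GRANT), ("extra", EXTRA_GRANT)]:
        granted, denied, unrequested = scope_report(REQUESTED_SCOPE, resp)
        print(name, "granted:", sorted(granted), "denied:", sorted(denied),
              "unrequested:", sorted(unrequested),
              "features:", enabled_features(REQUESTED_SCOPE, resp))
```

The partial case is the one Martin describes: the user approves only isover18, the token response carries `"scope":"isover18"`, and the client learns that dateofbirth and address were denied and disables the features that depend on them rather than failing later at the resource server.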