Re: [OAUTH-WG] OAuth 2.0 Resource Registration draft -- FW: New Version Notification for draft-hardjono-oauth-resource-reg-00.txt
"Anganes, Amanda L" <aanganes@mitre.org> Fri, 28 December 2012 13:58 UTC
Return-Path: <aanganes@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5ACD21F88B5 for <oauth@ietfa.amsl.com>; Fri, 28 Dec 2012 05:58:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.195
X-Spam-Level:
X-Spam-Status: No, score=-6.195 tagged_above=-999 required=5 tests=[AWL=-0.403, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ex4j9WQCadX2 for <oauth@ietfa.amsl.com>; Fri, 28 Dec 2012 05:58:44 -0800 (PST)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id D4F9221F87F9 for <oauth@ietf.org>; Fri, 28 Dec 2012 05:58:43 -0800 (PST)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id D585A1F069C; Fri, 28 Dec 2012 08:58:42 -0500 (EST)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id C33921F078D; Fri, 28 Dec 2012 08:58:42 -0500 (EST)
Received: from IMCMBX04.MITRE.ORG ([169.254.4.200]) by IMCCAS03.MITRE.ORG ([129.83.29.80]) with mapi id 14.02.0318.004; Fri, 28 Dec 2012 08:58:42 -0500
From: "Anganes, Amanda L" <aanganes@mitre.org>
To: Eve Maler <eve@xmlgrrl.com>, Thomas Hardjono <hardjono@mit.edu>
Thread-Topic: [OAUTH-WG] OAuth 2.0 Resource Registration draft -- FW: New Version Notification for draft-hardjono-oauth-resource-reg-00.txt
Thread-Index: Ac3kZ80uYlMMo4p2TFO+SThlSNMWiAAFVdwAAASuhzAADJMSAAAQUT6A
Date: Fri, 28 Dec 2012 13:58:41 +0000
Message-ID: <B61A05DAABADEA4EA2F19424825286FA1E673C27@IMCMBX04.MITRE.ORG>
In-Reply-To: <854169AF-9160-4C8F-AA31-54ED98C5E684@xmlgrrl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.5.121010
x-originating-ip: [172.31.37.53]
Content-Type: multipart/alternative; boundary="_000_B61A05DAABADEA4EA2F19424825286FA1E673C27IMCMBX04MITREOR_"
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.0 Resource Registration draft -- FW: New Version Notification for draft-hardjono-oauth-resource-reg-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Dec 2012 13:58:45 -0000
Hi Eve and Thomas,
On 12/27/12 8:11 PM, "Eve Maler" <eve@xmlgrrl.com<mailto:eve@xmlgrrl.com>> wrote:
Amanda, thanks for the lightning-fast comments back. A couple of additional notes on top of Thomas's response:
The "scope type" language is indeed new this time -- of course this whole modular spec is newly broken out, but the previous text from UMA's rev 05 still said "scope". (There's a new member in the JSON description of a resource set that is called "type", but this is actually the resource set's type: different thing.) Maybe this should just be changed back to "scope" and "scope description", as we really do mean the same construct as in plain OAuth, although here it's enhanced with a machine-readable description, and it's mappable to resource sets that have been explicitly identified. One thing we've been learning lately is that terminology impedance mismatches are not worth the cost; this one is a recent back-sliding. :)
I think it would make much more sense to stick with "scope" and "scope description". I assumed that you were trying to avoid collisions with OAuth by changing it, but it sounds like that is not the case.
There might be a better way to denote that these are enhanced scopes, but "type" isn't quite right for that as it does imply a class or kind of thing (to which many particular things might belong), rather than a special or enhanced particular thing.
Eve: Regarding the sentence "Without a specific resource set identifier path component, the URI applies to the set of resource set descriptions already registered." in Section 2.3: I suspect this can just be deleted entirely. It's redundant with the "List resource set registrations" bullet item just below, which literally shows the {rsid} component of the path being absent. This is the only supported method in this API that has no {rsid} path component.
Thomas: Resource set registration API: If Alice (the RO) has already previously registered some resources at the AS, then Alice will already have a PAT token (and the AS knows about Alice, her PAT, her resource sets and scopes). If Alice comes back again with the same PAT and forgets to specificy the path component, we assume the AS is smart enough to figure out which sets Alice is refering to. Does this help? (or does it still read weirdly).
These two explanations are very different. If Thomas's assessment is correct, I would move that explanatory text up to the end of the paragraph starting with "The authorization server MUST present an API…" and explain that the PAT can also be used to figure out the {rsid} for any requests where it is left off (implying that the {rsid} component MAY be left off of any of the following API calls). Otherwise if Eve is correct and that additional caveat is NOT meant to be there, I would suggest removing the phrase entirely as it does seem to imply that {rsid} may be left off.
Regarding {rsreguri}: I do see it defined, in this same Section 2.3. Basically this notation is simply a device to allow for referring to a "resource set registration endpoint" (defined in the Terminology section) in the URIs here that serve as method templates. Is there a better way to do this?
Yes, it is defined but not actually used to describe the API paths. The definition is fine but if it is there it should be used; for example the "Create resource set description" path should change from "PUT /resource_set/{rsid}" to "PUT {rsreguri}/resource_set/{rid}".
--Amanda
Eve
On 27 Dec 2012, at 4:37 PM, Thomas Hardjono <hardjono@mit.edu<mailto:hardjono@mit.edu>> wrote:
Thanks Amanda,
- Scope and types: We went back and forth with regards to "scope type" and finally just used "type" with the assumption that the reader would know what we mean by it (ie. context dependent). However, we're very open to going back to the previous language.
- Resource set registration: yes that sentence does read weirdly, will fix :-)
- The {rsreguri} URI component is defined but never used: hmm yes you are correct. Will fix this.
Thank you again.
cheers,
/thomas/
__________________________________________
-----Original Message-----
From: Anganes, Amanda L [mailto:aanganes@mitre.org]
Sent: Thursday, December 27, 2012 4:57 PM
To: Thomas Hardjono; oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.0 Resource Registration draft -- FW:
New Version Notification for draft-hardjono-oauth-resource-reg-00.txt
Hi Thomas,
Here is some initial feedback.
Introduction paragraph 2:
Remove duplicate "with": "the OpenID Provider (OP) component is a
specialized version of an OAuth authorization server that brokers
availability of user attributes by dealing *with with* an ecosystem of
attribute providers (APs)."
Section 1.2 Terminology:
This is more of a comment for the UMA WG in general: "scope type" is an
unfortunate term (which appears in the UMA core draft [1] as well - if
memory serves the term used to be just "scope" but I couldn't find a
diff reference for when that changed). Including "type" in the term
makes it sound like it refers to a class or kind of scope, which
doesn't seem to be what you mean. I understand that "scope" cannot be
used since it is already reserved by OAuth, but perhaps a better
synonym could be found and used instead?
2. Resource set registration
2nd sentence reads oddly. Change from "For any of the resource owner's
sets of resources this authorization server needs to be aware of, the
resource server MUST register these resource setsŠ" to "If this
authorization server needs to be aware of any of the resource sets, the
resource server MUST register those resource setsŠ"
2.2 Resource set descriptions
"scopes" and to refer to sets of "scope type"s and "type" to refer to
the class/kind of resource set this is add to the argument above that
"scope type" is a misleading term.
2.3 Resource set registration API
I don't understand what this sentence means: "Without a specific
resource set identifier path component, the URI applies to the set of
resource set descriptions already registered." Can you clarify?
The {rsreguri} URI component is defined but never used. It looks like
all of the "/resource_set" URIs should be prefaced with this component
throughout the following sections?
[1] https://datatracker.ietf.org/doc/draft-hardjono-oauth-umacore/
--
Amanda Anganes
Info Sys Engineer, G061
The MITRE Corporation
781-271-3103
aanganes@mitre.org<mailto:aanganes@mitre.org>
On 12/27/12 2:24 PM, "Thomas Hardjono" <hardjono@MIT.EDU<mailto:hardjono@MIT.EDU>> wrote:
Folks,
The OAuth 2.0 Resource Set Registration draft is essentially a generic
first phase of the User Managed Access (UMA) profile of OAuth2.0.
This
allows the RO to "register" (make known) to the AS the resources
he/she
wishes to share.
Looking forward to comments/feedback.
/thomas/
__________________________________________
-----Original Message-----
From: internet-drafts@ietf.org<mailto:internet-drafts@ietf.org> [mailto:internet-drafts@ietf.org]
Sent: Thursday, December 27, 2012 2:07 PM
To: Thomas Hardjono
Subject: New Version Notification for
draft-hardjono-oauth-resource-reg-00.txt
A new version of I-D, draft-hardjono-oauth-resource-reg-00.txt
has been successfully submitted by Thomas Hardjono and posted to the
IETF
repository.
Filename: draft-hardjono-oauth-resource-reg
Revision: 00
Title: OAuth 2.0 Resource Set Registration
Creation date: 2012-12-27
WG ID: Individual Submission
Number of pages: 19
URL:
http://www.ietf.org/internet-drafts/draft-hardjono-oauth-resource-reg-
00.t
xt
Status:
http://datatracker.ietf.org/doc/draft-hardjono-oauth-resource-reg
Htmlized:
http://tools.ietf.org/html/draft-hardjono-oauth-resource-reg-00
Abstract:
This specification defines a resource set registration mechanism
between an OAuth 2.0 authorization server and resource server. The
resource server registers information about the semantics and
discovery properties of its resources with the authorization
server.
The IETF Secretariat
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
Eve Maler http://www.xmlgrrl.com/blog
+1 425 345 6756 http://www.twitter.com/xmlgrrl
- [OAUTH-WG] OAuth 2.0 Resource Registration draft … Thomas Hardjono
- Re: [OAUTH-WG] OAuth 2.0 Resource Registration dr… Anganes, Amanda L
- Re: [OAUTH-WG] OAuth 2.0 Resource Registration dr… Thomas Hardjono
- Re: [OAUTH-WG] OAuth 2.0 Resource Registration dr… Eve Maler
- Re: [OAUTH-WG] OAuth 2.0 Resource Registration dr… Anganes, Amanda L
- Re: [OAUTH-WG] OAuth 2.0 Resource Registration dr… Eve Maler