Re: [OAUTH-WG] Indicating sites where a token is valid

"Manger, James H" <James.H.Manger@team.telstra.com> Sat, 15 May 2010 00:57 UTC

From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Brian Eaton <beaton@google.com>
Date: Sat, 15 May 2010 10:56:59 +1000
Message-ID: <255B9BB34FB7D647A506DC292726F6E112634F5A93@WSMSG3153V.srv.dir.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E11263073D6D@WSMSG3153V.srv.dir.telstra.com> <g2xfd6741651005071106if93ba794q7e9739669eb22fc2@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E1F@P3PW5EX1MB01.EX1.SECURESERVER.NET> <D24C564ACEAD16459EF2526E1D7D605D0C8D22ED62@IMCMBX3.MITRE.ORG> <AANLkTilkUA9i-WZPv8PqPsxiJf5_1SuiCb_GOTdcwtPX@mail.gmail.com> <AANLkTilNNyKvpbzCYfc__AvY1rJKqXE7KN8VL-m_CF-L@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E112633D9594@WSMSG3153V.srv.dir.telstra.com> <AANLkTim0PNhUJAi1ZuDjB8feKh2Sb_OMoNz7AlDTYO6P@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E112634655A4@WSMSG3153V.srv.dir.telstra.com> <AANLkTil7gTRNmqTAwsvFEdMLmlgeakpy8o1wyPTcTbLF@mail.gmail.com> <AANLkTinPiCBvtnTW_m3bSUhB_OOK4ZD6JFjquECDMCi6@mail.gmail.com>
In-Reply-To: <AANLkTinPiCBvtnTW_m3bSUhB_OOK4ZD6JFjquECDMCi6@mail.gmail.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Indicating sites where a token is valid

Brian,

>> Consider a generic search spider tool that you point at
>> http://calendar.serviceprovider.com/calendar/get. It can do its job with no
>> knowledge about what "calendar.get" means -- but it still needs to know (as
>> it spiders along) when it is safe to expose the token.

> I'm a bit confused by this example.
>
> James, can you explain what you mean by "generic search spider tool"?

A tool that builds a search index.
You point it at a URI; it fetches the content; indexes it; follows any links in the content to more content; indexes that; and continues.
The tool understands HTTP; it knows how to find links in common media types (<a href=...>, <link ...>, etc); but it doesn't have much API-specific knowledge (it doesn't know or care if it is indexing a calendar, a personal blog, a social graph, a doc repository, all of the above etc).

If some of the content requires user consent to access (ie returns WWW-Auth.: Token user-uri="..."), the tool performs an OAuth flow and continues.

The tool needs some rule so it doesn't try to index the whole Internet. For example: index at most 500 pages; download no more than 10MB; finish in 5 min; only follow links to a depth of 3; stay within example.com. This rule does not necessarily have anything to do with any security boundaries.


The crucial features of the tool are that it knows enough about HTTP and data formats to follow redirects & links; but it doesn't have service-specific knowledge to understand service-specific scopes (eg "calendar.get") or the boundaries of specific APIs.

There are lots of tools in this category. It matches the architecture of the web.

Other examples of such tools might be:
* a backup tool -- point it at your atom feeds and it copies the content (and the linked stylesheets, scripts, images...)
* perhaps cURL -- do anything on the web
* a web browser

I hope this clears some confusion.

--
James Manger
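As an added illustration of the spider described in the message above (this is not part of James Manger's email or of any OAuth WG draft): a toy generic crawler in Python that follows links, applies a crawl-limit rule of the "at most N pages / depth 3 / stay within a domain" kind, and keeps that rule separate from the security boundary, which is the set of origins a token is known to be valid for. The hostnames, the in-memory pages, the `Token user-uri="..."` challenge handling and the rule that a token obtained via the `user-uri` of one origin is valid only for that origin are all assumptions made for the example; the thread has not settled how a server would indicate the sites where a token is valid, so that set is supplied out-of-band here.

```python
"""Toy generic spider (added example, not the message author's code).

Two independent policies are modelled:
  * a crawl-limit rule (max pages, max depth, stay-within domain), which is
    about resource usage, not security;
  * a token-validity map (origin -> token), which decides where a bearer
    token may be exposed.  How a server would advertise that set is an
    open question in the thread; here it is an assumed out-of-band input.
"""
import re
from collections import deque
from urllib.parse import urljoin, urlsplit

# Finds href values in <a ...> and <link ...> tags (enough for this toy).
HREF_RE = re.compile(r'<(?:a|link)\b[^>]*href="([^"]+)"', re.IGNORECASE)

# Constructed sample pages on hypothetical hosts: url -> (requires_token, body)
FAKE_WEB = {
    "https://calendar.example.com/calendar/get": (
        True,
        '<a href="/calendar/event/1">e1</a> '
        '<link rel="stylesheet" href="https://cdn.example.net/style.css"> '
        '<a href="https://photos.example.com/albums">albums</a>',
    ),
    "https://calendar.example.com/calendar/event/1": (
        True, '<a href="/calendar/event/2">next</a>'),
    "https://calendar.example.com/calendar/event/2": (True, "no more links"),
    "https://cdn.example.net/style.css": (False, "body { color: black }"),
    "https://photos.example.com/albums": (True, '<a href="/albums/1">a1</a>'),
}


def origin(url):
    """scheme://host[:port], lower-cased; the unit a token is bound to here."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def fake_fetch(url, headers):
    """Stand-in for HTTP GET against FAKE_WEB -> (status, headers, body).
    Protected pages answer 401 with a draft-era 'Token user-uri' challenge."""
    if url not in FAKE_WEB:
        return 404, {}, ""
    needs_token, body = FAKE_WEB[url]
    if needs_token and "Authorization" not in headers:
        return 401, {"WWW-Authenticate": f'Token user-uri="{origin(url)}/consent"'}, ""
    return 200, {"Content-Type": "text/html"}, body


def fake_oauth_flow(user_uri):
    """Stand-in for the user-consent flow -> (token, origins token is valid for).
    Assumption: the token is valid only for the origin that issued the challenge."""
    return "tok-" + origin(user_uri).split("//")[1], {origin(user_uri)}


def spider(start, max_pages=500, max_depth=3, stay_within=None,
           fetch=fake_fetch, oauth=fake_oauth_flow):
    """Crawl from `start`. Returns (indexed {url: body}, [(url, token) sent])."""
    indexed = {}
    token_sent_to = []        # audit trail: every request that carried a token
    tokens = {}               # origin -> token: the security boundary
    queue = deque([(start, 0)])
    seen, retried = {start}, set()
    while queue and len(indexed) < max_pages:   # crawl-limit: page budget
        url, depth = queue.popleft()
        headers = {}
        o = origin(url)
        if o in tokens:       # expose the token only where it is known valid
            headers["Authorization"] = "Token " + tokens[o]
            token_sent_to.append((url, tokens[o]))
        status, resp_headers, body = fetch(url, headers)
        if status == 401 and url not in retried:
            retried.add(url)
            m = re.search(r'user-uri="([^"]+)"', resp_headers.get("WWW-Authenticate", ""))
            if m:
                token, valid_origins = oauth(m.group(1))
                for v in valid_origins:
                    tokens[v] = token
                queue.appendleft((url, depth))  # retry once with the token
            continue
        if status != 200:
            continue
        indexed[url] = body
        if depth >= max_depth:                   # crawl-limit: depth
            continue
        for href in HREF_RE.findall(body):
            link = urljoin(url, href)
            host = urlsplit(link).hostname or ""
            if link in seen:
                continue
            if stay_within and not (host == stay_within or host.endswith("." + stay_within)):
                continue                         # crawl-limit: domain, not a security rule
            seen.add(link)
            queue.append((link, depth + 1))
    return indexed, token_sent_to


if __name__ == "__main__":
    pages, sent = spider("https://calendar.example.com/calendar/get")
    print(len(pages), "pages indexed")
    for url, tok in sent:
        print("token", tok, "sent to", url)
```

Running it with the constructed pages indexes five resources; the calendar token goes only to calendar.example.com requests and the photos token only to photos.example.com, while the stylesheet on cdn.example.net is fetched with no token at all. Passing `stay_within="calendar.example.com"` or a smaller `max_depth` changes what is crawled but never which origins see a token, which is the separation the message is making.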