Re: [OAUTH-WG] Issue: Scope parameter

Marius Scurtescu <mscurtescu@google.com> Fri, 16 April 2010 04:42 UTC

From: Marius Scurtescu <mscurtescu@google.com>
Date: Thu, 15 Apr 2010 21:41:38 -0700
Message-ID: <t2u74caaad21004152141jd7b59fc9v60ea28d0dcaa7e4@mail.gmail.com>
To: Justin Smith <justinsm@microsoft.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Issue: Scope parameter

On Thu, Apr 15, 2010 at 9:31 PM, Justin Smith <justinsm@microsoft.com> wrote:
> Great.
>
> So, let’s say there is an Authorization Server available at http://as.com
> and it protects the http://foo.com and http://bar.com resources.
>
> A client requests http://foo.com. The foo.com server responds with a
> WWW-Auth that contains the http://as.com URI. The client then sends an
> access token request to http://as.com. Is that right?

I think James is suggesting that WWW-Auth will contain something like
http://as.com?scope=foo.com

If that's the case, the scope is basically a custom parameter.

Also, this assumes that protected resources are simple URLs that can
be fetched. In many cases the protected resource is some API and this
API will require specific scopes depending on the context (actual
user, operation, etc.). So a 401 may not be able to specify exactly
what scope is needed. The client programmer will have to understand
the API and provide proper scopes.

Marius
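An added illustration of the exchange discussed above (example code, not from the thread or any OAuth draft): a resource server for the hypothetical foo.com API that picks the required scope per operation and context, answers with a 401 whose challenge names the authorization server and, where it can, the scope, and a client-side parser for that challenge. The `OAuth authz_server="..." scope="..."` challenge format and the scope names are assumptions modelled on the thread's sketch.

```python
# Added example, not part of the original message. The challenge format and the
# scope table below are assumptions for illustration, not a standardised form.
import re

AUTHZ_SERVER = "http://as.com"  # the authorization server from the thread

# Hypothetical scope table for the foo.com API: the required scope depends on
# the operation, not just on the URL being fetched.
REQUIRED_SCOPES = {
    ("GET", "/photos"): "foo.com/photos.read",
    ("POST", "/photos"): "foo.com/photos.write",
    ("DELETE", "/photos"): "foo.com/photos.admin",
}


def required_scope(method, path, caller_owns_resource=False):
    """Scope needed for an operation; it can depend on context (the caller)."""
    if (method, path) == ("DELETE", "/photos") and caller_owns_resource:
        return "foo.com/photos.write"  # owners may delete their own photos
    return REQUIRED_SCOPES.get((method, path))


def build_challenge(scope):
    """WWW-Authenticate value; the scope is only advertised when it is known."""
    if scope is None:
        return 'OAuth authz_server="%s"' % AUTHZ_SERVER
    return 'OAuth authz_server="%s", scope="%s"' % (AUTHZ_SERVER, scope)


def authorize(method, path, token_scopes, caller_owns_resource=False):
    """Resource-server decision: returns (status, headers) for a request."""
    needed = required_scope(method, path, caller_owns_resource)
    if needed is None:
        return 404, {}  # unknown operation: nothing to advertise
    if needed in token_scopes:
        return 200, {}
    # Insufficient scope: point the client at the AS and name what is missing.
    return 401, {"WWW-Authenticate": build_challenge(needed)}


_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_challenge(header):
    """Client side: extract the AS URI and (optional) scope from the challenge."""
    scheme, _, params = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("unsupported challenge scheme: %r" % scheme)
    return dict(_PARAM.findall(params))
```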