Re: [OAUTH-WG] Scope - Coming to a Consensus

Torsten Lodderstedt <> Sat, 01 May 2010 06:01 UTC

On 01.05.2010 03:07, Marius Scurtescu wrote:
> On Fri, Apr 30, 2010 at 11:43 AM, Torsten Lodderstedt
> <>  wrote:
>> In my opinion, automatic discovery on scope values is as valuable or not
>> valuable as automatic discovery for a service API. I would like to echo one
>> of my postings:
>> A scope defines the set of permissions a client asks for and that becomes
>> associated with tokens. I don't see the need (and a way) for automatic scope
>> discovery. In my opinion, scopes are part of the API documentation of a
>> particular resource server. So if someone implements a client, it needs to
>> consider the different scopes this client needs the end user's authorization
>> for. If the resource server implements an OAuth2-based standard API (e.g. for
>> contact management or e-Mail), a client might be interoperable (in terms of
>> scopes) among the resource servers implementing this standard.
> Not sure I understand, are you saying that for a standard API, like
> IMAP for example, there should be a standard scope (or set of scopes)?

Yes, that's what I said.

Scopes (~permissions) should be defined along with the corresponding
API. So developers should know upfront which scope is required to
perform a particular action. For example, "uploading documents requires
scope 'upload'".
The same holds for IMAP. Depending on the IMAP feature set you want to
use, there could be plenty of scopes, ranging from "read user's INBOX"
to sharing scenarios, where users have access to other users' IMAP
folders.

> If not, then discovery of scopes is almost a must in this case. The
> client implementor cannot know the actual scope because implementation
> is done against a generic API.
> I did not see the value of scope discovery until I realized the above use case.
> Marius