IETF Logo Mail Archive

Re: [OAUTH-WG] 'Scope' parameter proposal

Eran Hammer-Lahav <eran@hueniverse.com> Mon, 19 April 2010 22:17 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3FAC23A68D4 for <oauth@core3.amsl.com>; Mon, 19 Apr 2010 15:17:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.876
X-Spam-Level:
X-Spam-Status: No, score=-1.876 tagged_above=-999 required=5 tests=[AWL=-0.477, BAYES_00=-2.599, J_CHICKENPOX_55=0.6, J_CHICKENPOX_57=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XazjOY6krhdP for <oauth@core3.amsl.com>; Mon, 19 Apr 2010 15:17:32 -0700 (PDT)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by core3.amsl.com (Postfix) with SMTP id 47F013A6903 for <oauth@ietf.org>; Mon, 19 Apr 2010 15:17:32 -0700 (PDT)
Received: (qmail 19665 invoked from network); 19 Apr 2010 22:17:19 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 19 Apr 2010 22:17:19 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Mon, 19 Apr 2010 15:17:17 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: John Kemp <john@jkemp.net>
Date: Mon, 19 Apr 2010 15:17:21 -0700
Thread-Topic: [OAUTH-WG] 'Scope' parameter proposal
Thread-Index: AcrgC31ks1BgIM71TyC59g1LkjHBTwAABHwg
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723438E5C7F30A@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <C7F1D1FC.32809%eran@hueniverse.com> <0D5497F5-75A7-4A42-9A5E-9C2310162B18@jkemp.net>
In-Reply-To: <0D5497F5-75A7-4A42-9A5E-9C2310162B18@jkemp.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] 'Scope' parameter proposal
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2010 22:17:35 -0000

> -----Original Message-----
> From: John Kemp [mailto:john@jkemp.net]
> Sent: Monday, April 19, 2010 2:59 PM
> To: Eran Hammer-Lahav
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] 'Scope' parameter proposal
> 
> On Apr 19, 2010, at 12:25 PM, Eran Hammer-Lahav wrote:
> 
> > Proposal:
> >
> > 'scope' is defined as a comma-separated list of resource URIs or
> > resource groups (e.g. contacts, photos).
> 
> So, 'scope' at the authenticating (via OAuth) server is simply a list of one or
> more URIs? There are no defined, interoperable, semantics that a server
> should use here - is that correct?

Yes. Servers can use whatever they like. We can say the values are URIs (absolute or relative) - this allows short names but helps future interop or standard URI-based values. The client finds out what value(s) to request from documentation or a 401 challenge.

> > The server can provide a list of values for the client to use in its
> > documentation, or the client can use the URIs or scope identifier of
> > the protected resources it is trying to access (before or after
> > getting a 401 response).
> >
> > For example:
> >
> > 1. Client requests resource
> >
> >    GET /resource HTTP/1.1
> >    Host: example.com
> >
> > 2. Server requires authentication
> >
> >    HTTP/1.1 401 Unauthorized
> >    WWW-Authenticate: Token realm='Example', scope='x2'
> 
> No (implied or otherwise) relationship between the realm and the scope?

No. Realm is too limited for many use cases. For example:

Resource A: scopes a and b
Resource B: scopes b and c
Resource C: scope b

If you want to access B and C you need a token scoped for b and c. No way to express this with realm.
 
> The scope doesn't have to match the base URI of the resource which the
> client tried and got the 401 from?

That's a security issue we need to address (when to trust the resource server and reuse an existing token). We need to figure it out either way.
 
> >
> > 3. Client requests an access token by including scope=x2 in the
> > request
> >
> > Alternatively, the client can ask for an access token with
> > scope=http://example.com/resource.
> >
> > If the client needs access to two resource with different scopes, it
> > requests an access token for scope=x2,x1.
> 
> Is the "effective" scope a URI, or a list of URIs?

A list.

> >
> > That's it!
> >
> > It allows the client to figure out what value to put in the scope
> > parameter
> 
> It doesn't tell the client where to go to get a token related to that scope (nor
> should it).

Yes. That's for another parameter and/or discovery flow.

> > and how to encode multiple scopes without any server-specific
> documentation.
> > Servers that wish to rely exclusively on paperwork can just omit the
> > scope parameter from the WWW-Authenticate header.
> 
> I think that there is much that is unspecified in this model and thus it doesn't
> provide much interoperability. If we don't tell the client what to do with the
> scope, and we don't specify what a server means by supplying a scope, I'm
> not sure what the point is to specifying this at all as clients will still need some
> documentation or be hard-coded (which token service do I get such a token
> from?)

Why?

The server tells the client what scope is needed for each resource. It can be a single scope id or multiple. The client checks to see if it has an access token issued with that scope combination. If it doesn't it goes and request an access token, and includes the required scope in the request. We can also allow the server to tell the client what scope an issued token includes in the token reply.

The client doesn't need to understand the internal structure of the scope identifiers. It just need to know what to ask for when trying to access an unfamiliar resource. No documentation is needed.

Client: I want to get an address book record with the latest email to that person.
Server: You need an access token scoped for "Contact" and "Email".
Client: Can I get an access token for scope=contact,email?
Server: Sure, here is an access token for scope=email,contact (order doesn't matter).

EHL

v2.23.0 | Report a Bug | By Email