Re: [OAUTH-WG] A proposal for a new Internet Draft
Clinton Bunch <cdb_ietf@zentaur.org> Sun, 02 April 2023 20:53 UTC
Return-Path: <cdb_ietf@zentaur.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57E7CC151553 for <oauth@ietfa.amsl.com>; Sun, 2 Apr 2023 13:53:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=zentaur.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iQP8jv7I7F-s for <oauth@ietfa.amsl.com>; Sun, 2 Apr 2023 13:53:36 -0700 (PDT)
Received: from iris.zentaur.org (iris.zentaur.org [198.58.127.206]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 415D2C15154D for <oauth@ietf.org>; Sun, 2 Apr 2023 13:53:36 -0700 (PDT)
Received: from iris.zentaur.org (localhost [127.0.0.1]) by iris.zentaur.org (Postfix) with ESMTP id 4PqR7z3sgFz3wZm for <oauth@ietf.org>; Sun, 2 Apr 2023 20:53:35 +0000 (UTC)
Authentication-Results: iris.zentaur.org (amavisd-new); dkim=pass (2048-bit key) reason="pass (just generated, assumed good)" header.d=zentaur.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=zentaur.org; h= in-reply-to:from:from:references:to:content-language:subject :subject:user-agent:mime-version:date:date:message-id :content-type:content-type; s=dkim20200120; t=1680468813; x= 1680472414; bh=HYEX5XqGyjRlVIFodr3JGbYAi3poB4q/RBT7N6MWiNk=; b=o bRHGbH68LZ3UHYqaShnm+I00INdX/I8obI3XGzZf6YwA/YzG3yJAxksBh5U/ETp7 pBQd58ACelfiBi2cjrss7HM6YwpuC/kdbN5znmrf0Pmtk38fh5MHeGV2X1Agd21K 1UY3V67CdN5ZiSEAJqdrF+0dtetsVDvsldpaINdYzltuJvmJBKSxPlm1vPLZcPOt n1dgM6egdr6Mxn/7es0WyUgSKRYNk++xk9OfNB8VZngIFdRsZ4iehvhUPuePkcDz XQs1a/sSeh/IkEb4ZL6/U32IFvfU6vD2mAoZ7FxOcFHW76WJXCNfyT40jBeILRUf Qh9G2Xpy6FYOQeCbSn/RQ==
X-Virus-Scanned: amavisd-new at iris.zentaur.org
Received: from iris.zentaur.org ([127.0.0.1]) by iris.zentaur.org (iris.zentaur.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id EnmiVlCDkDsX for <oauth@ietf.org>; Sun, 2 Apr 2023 20:53:33 +0000 (UTC)
Received: from [IPV6:::1] (unknown [IPv6:2605:a601:a54a:e500::1d4f]) by iris.zentaur.org (Postfix) with ESMTPSA id 4PqR7x2rKKz3wZb; Sun, 2 Apr 2023 20:53:33 +0000 (UTC)
Content-Type: multipart/alternative; boundary="------------eOe5X90q0ms3seeKyZUmHOjA"
Message-ID: <3aaf8a0e-82b4-12ee-ba8f-dff409615bda@zentaur.org>
Date: Sun, 02 Apr 2023 15:53:33 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.8.0
Content-Language: en-US
To: Warren Parad <wparad@rhosys.ch>
Cc: oauth@ietf.org
References: <c38217fe-911b-59bb-a318-dca4990d8670@zentaur.org> <CAJot-L3ovdJ_Q1_Hy25de-uzfLH1HkMCmFdPZjGm4z2SwtCJOQ@mail.gmail.com> <a876f3b0-7034-037d-cc57-2c868cabce9e@zentaur.org> <CAJot-L14wrTVaWNiUUED8UrMW=+nuWm0YrSnn7R6uu2kes1sNQ@mail.gmail.com> <1e6dd96f-2579-9f8f-5e6d-781c57c6f6f4@zentaur.org> <CAJot-L0qCWAMA3bSXVGCqmjeENoRpGkkdVY8BBnE0WZwesgvjw@mail.gmail.com> <37186697-9386-518f-7df5-05eebc8b35c5@zentaur.org> <CAJot-L0d3SmagSC_jp0YtpOWa6o+8cGSWRVtz+E+EQcL2dxm4Q@mail.gmail.com>
From: Clinton Bunch <cdb_ietf@zentaur.org>
In-Reply-To: <CAJot-L0d3SmagSC_jp0YtpOWa6o+8cGSWRVtz+E+EQcL2dxm4Q@mail.gmail.com>
X-Antivirus: Avast (VPS 230402-4, 4/2/2023), Outbound message
X-Antivirus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_XuXs8AGFQpXtGXkjWzYOX7ox6g>
Subject: Re: [OAUTH-WG] A proposal for a new Internet Draft
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Apr 2023 20:53:40 -0000
On 4/2/2023 3:13 PM, Warren Parad wrote: > I'm looking for proof that anyone actually needs these. Introducing > unnecessary scopes into the spec is both a waste of time and > needlessly complicates the documentation. So we need there to be a > real problem that is attempting to be solved in which additional > scopes is the right solution. > > I'm going to start off the conversation by saying, I think this is a > bad idea. Most services in the world do not have any of these, and > when they do the relevant scopes are coupled to the relevant > authorization server (AS). In other words, you only define the scopes > you want after reviewing the documentation for the relevant AS. > Defining new standard scopes helps for interoperability, but there is > zero interoperability with scopes (the AS defines them, the Dev picks > them, and the User reviews them. Scopes don't carry additional meaning > cross platforms). So this seems like just a really bad idea to me. > > Scopes do help with permissions and visibility in the created id_token > (or access_token), for instance let's say a service wanted to link a > user's access to their ethereum wallet. In that case, a new scope like > eth_wallet_id might make sense, so that the wallet public key would > show up in the id_token to be directly used. > > But the scopes that have been proposed don't expose data in the > tokens, they define access. User contact information is already > available via *profile, email, address, and phone*. That means not > only are we talking about creating additional scopes, we are also > talking about expanding scopes in a way that currently isn't used. > Which brings us back to, what problem are you trying to solve? Right now an email (or calendar or contact) client (such as Thunderbird) is in general written by an organization separate from the author of the resource server (such as Dovecot), which is different from the author of the authorization server. The authorization server may have several scopes it supports, so even using the discovery protocol, the client doesn't know how to choose the scopes it needs to request without those scopes being hard-coded per authorization server, or entered by the user. This would allow the client, AS, and resource server too use a common set of scopes to specify that this domain is offering groupware services and the scopes the client needs to request. It requires cooperation from the AS administrator, true, but both client and server know what the appropriate scopes are without further configuration. These clients may be used across thousandds of AS domains and having to hard-code the scopes for each is going to deter adoption of Oauth2 authentication, by limiting it to only a few domains. Another use case is connecting voice assistants to calendars hosted on servers of small organizations. The voice assistant needs to know what scopes to request for the token to access the users calendar. Right now that is limited to just the calendar services of a few large players which are hard-coded. Having the user enter the necessary scopes by hand, where the client has that capability, leads to a poor user experience. The point of these scopes is to allow small players in the field to use common implementations and have them work for a wide set of users without placing an undue burden on the user. > > On Sun, Apr 2, 2023 at 9:57 PM Clinton Bunch <cdb_ietf@zentaur.org> wrote: > > On 4/2/2023 2:49 PM, Warren Parad wrote: >> But why these scopes? > > Separate read and write scopes for the three pieces of a groupware > service seemed appropriate. And separating the three pieces of > groupware seemed appropriate as not all domains or users will use > all of them. > > But since the most common use cases would include both read and > write, I defined short-hand scopes that included both permissions. > > If that doesn't answer your question, then I'm not sure what > you're looking for. > >> >> On Sun, Apr 2, 2023 at 9:37 PM Clinton Bunch >> <cdb_ietf@zentaur.org> wrote: >> >> >> >> On 4/2/2023 2:26 PM, Warren Parad wrote: >>> Sorry, I'm asking why these scopes at all? I personally have >>> never seen any of them used ever (and I'm not being >>> hyperbolic), How did you come up with these suggestions? >>> >> The naming seemed logical given the IANA URI namespace. I >> was looking for something that would be a common set of >> scopes for this application domain that wasn't tied to a >> single vendor. >> >> The purpose *could* be served by widespread adoption of >> Google's scopes such as >> >> https://www.googleapis.com/auth/calendar >> >> but I believe that the reliance on a specific vendor name >> would hamper wide-spread adoption, so a namespace defined by >> a neutral party such as IETF seemed best. >> >>> On Sun, Apr 2, 2023 at 8:46 PM Clinton Bunch >>> <cdb_ietf@zentaur.org> wrote: >>> >>> On 4/2/2023 1:34 PM, Warren Parad wrote: >>>> >>>> I propose a set of nine well-known scopes >>>> >>>> >>>> Can you elaborate on what you mean by "well-known"? Is >>>> there some canonical list, where these were pulled from? >>> >>> I was trying to avoid the use of standard, as that >>> implies they must be used. To encourage adoption, I >>> didn't want to imply that the large providers would be >>> required to change their software to accommodate these, >>> though it would be nice if they did. These scopes are >>> not currently in use as far as I know. >>> >>> The sense of well-known is that once this was published >>> they would be well-known scopes that could be >>> implemented with well-defined semantics. >>> >>>> >>>> - Warren >>>> >>>> On Sun, Apr 2, 2023 at 8:12 PM Clinton Bunch >>>> <cdb_ietf@zentaur.org> wrote: >>>> >>>> This seemed the most appropriate working group to >>>> post this suggestion. >>>> >>>> I would like to see a new Internet-Draft/RFC to add >>>> some well-known >>>> scopes to the IANA registry to promote adoption of >>>> Oauth in Groupware >>>> domains. I will try to write it myself, but have >>>> no experience with >>>> I-Ds or as a technical writer and could use some help. >>>> >>>> Since the publication of RFC 7628 there is a push >>>> to migrate groupware >>>> servers to use Oauth2. This is hampered by the >>>> fact that there are >>>> several different server implementations and client >>>> implementations are >>>> often written by different organizations with >>>> little overlap. One of >>>> the barriers to widespread adoption is that each >>>> authorization server >>>> has a different set of scopes to cover the >>>> necessary user >>>> authorizations. One groupware client I know has >>>> only a few Auth Servers >>>> available that are hardcoded and nearly every one >>>> has a different set of >>>> scopes. Servers have to have appropriate scopes >>>> configured by the >>>> administrator in order for the server to know which >>>> scopes to check. It >>>> also makes it hard for clients to know which scopes >>>> to request without >>>> some sort of configuration file provided by the >>>> domain or worse, having >>>> the user enter the appropriate scopes by hand. The >>>> latter especially >>>> seems like a support headache for the admin of the >>>> groupware servers. >>>> >>>> I propose a set of nine well-known scopes be added >>>> to the Oauth URI IANA >>>> registry to address this. >>>> >>>> urn:ietf:params:oauth:scope:mail:read - >>>> Authorization to read >>>> email (IMAP,POP) >>>> urn:ietf:params:oauth:scope:mail:send - >>>> Authorization to send >>>> mail on the user's behalf (SMTP) >>>> urn:ietf:params:oauth:scope:mail - >>>> Combination of the >>>> previous two scopes >>>> urn:ietf:params:oauth:scope:calendar:read - >>>> Authorization to read >>>> calendar entries >>>> urn:ietf:params:oauth:scope:calendar:update - >>>> Authorization to >>>> update/create/delete calendar entries >>>> urn:ietf:params:oauth:scope:calendar - >>>> Combination of the >>>> previous two scopes >>>> urn:ietf:params:oauth:scope:contacts:read - >>>> Authorization to read >>>> contacts information >>>> urn:ietf:params:oauth:scope:contacts:update - >>>> Authorization to >>>> update/create/delete contact information. >>>> urn:ietf:params:oauth:scope:contacts - >>>> Combination of the >>>> previous two scopes >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> >> >
- Re: [OAUTH-WG] A proposal for a new Internet Draft David Waite
- [OAUTH-WG] A proposal for a new Internet Draft Clinton Bunch
- Re: [OAUTH-WG] A proposal for a new Internet Draft Warren Parad
- Re: [OAUTH-WG] A proposal for a new Internet Draft Clinton Bunch
- Re: [OAUTH-WG] A proposal for a new Internet Draft Warren Parad
- Re: [OAUTH-WG] A proposal for a new Internet Draft Clinton Bunch
- Re: [OAUTH-WG] A proposal for a new Internet Draft Warren Parad
- Re: [OAUTH-WG] A proposal for a new Internet Draft Clinton Bunch
- Re: [OAUTH-WG] A proposal for a new Internet Draft Warren Parad
- Re: [OAUTH-WG] A proposal for a new Internet Draft Clinton Bunch
- Re: [OAUTH-WG] A proposal for a new Internet Draft Warren Parad
- Re: [OAUTH-WG] A proposal for a new Internet Draft Clinton Bunch
- Re: [OAUTH-WG] A proposal for a new Internet Draft Warren Parad
- Re: [OAUTH-WG] A proposal for a new Internet Draft Clinton Bunch
- Re: [OAUTH-WG] A proposal for a new Internet Draft Warren Parad
- Re: [OAUTH-WG] A proposal for a new Internet Draft Kai Lehmann
- Re: [OAUTH-WG] A proposal for a new Internet Draft Clinton Bunch
- Re: [OAUTH-WG] A proposal for a new Internet Draft Dave Tonge