Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-resource-indicators-01.txt
John Bradley <ve7jtb@ve7jtb.com> Tue, 05 April 2016 19:42 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7F5112D7E0 for <oauth@ietfa.amsl.com>; Tue, 5 Apr 2016 12:42:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CJ8ke5CqkUzi for <oauth@ietfa.amsl.com>; Tue, 5 Apr 2016 12:42:23 -0700 (PDT)
Received: from mail-qk0-x22e.google.com (mail-qk0-x22e.google.com [IPv6:2607:f8b0:400d:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8FD0F12D642 for <oauth@ietf.org>; Tue, 5 Apr 2016 12:42:21 -0700 (PDT)
Received: by mail-qk0-x22e.google.com with SMTP id k135so5715152qke.0 for <oauth@ietf.org>; Tue, 05 Apr 2016 12:42:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=hJ99k/gl77SWAJwd7dA8Vm7mS/oe357FunHlgpkFjhM=; b=Cnfd6vs7keBm1nJIsFVj9hXhRfVuB/qGxbdnATiFhUJB0bgr2hFx3rqTU1j8sYc3bc TBBjMhLscVBKX/pn9QS1RTaZlrv3njKxseDoNMzY0Jrl+xtczc3LN0NTE5Au7CLcAv96 oG9CpQfKTQgIyjIz0tTfYmMV/iJqKLZCAbODsDrNEX64nn03AzTvR2AVgLFUifGFICqu LelSSjMNbwtLmcd/CC4dmgsFufFs1+Pt6ph1oEzV2coAzbds/suyeMcacD5y+i7hjGwR 0Qo6q2KQ2205Mr73UusoVL0TG/SXo9qerbeQSAm7SXs9HijUJ8RRdAVMGXYNjpoDWm0Y plgA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=hJ99k/gl77SWAJwd7dA8Vm7mS/oe357FunHlgpkFjhM=; b=And9cjtSSek5TyqGNNc1T9aeHgIXBoFjCy+S0VElEHWhFwbMKUz8qXF8P7K8/CMk0a Xubb+173mDsi1r+sbPV1b0F5n789oyNwxNiYBRrycPsigU/SFIqB9KRsaH1PRdNm9d+b RjmxPorAS8vv2MeLtJVNnNbiFTvfaZkx+iXYiato6eOru6D/67JV6nabPB5/qiBSuvWc if5jqcFsk1jNn9Kr5Uuqrw3yp81INtw1xq2MwvE3d+2c7D1Xun0jesYYyvoFfbT+hGZb QHcKQqMGcdIlrTtzpt5A3rwrkIwpDoE6L5f1I1a9mL3lQcKKoMIFGNDMmjYvKiIy2lg9 KYMg==
X-Gm-Message-State: AD7BkJIWEWAUyx7zsxDlG1hRjt8C/KZH4VjjZhoDCPvSi5axIVziuwk2CpGQZQC+UUZAyA==
X-Received: by 10.55.73.85 with SMTP id w82mr43307145qka.52.1459885329688; Tue, 05 Apr 2016 12:42:09 -0700 (PDT)
Received: from ?IPv6:2001:67c:370:144:e0dc:dc4e:a1c9:7cb6? ([2001:67c:370:144:e0dc:dc4e:a1c9:7cb6]) by smtp.gmail.com with ESMTPSA id v74sm15245626qkl.36.2016.04.05.12.42.07 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 05 Apr 2016 12:42:08 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_BAE08089-6EBE-4A4E-A8B5-76F8978D0BFF"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <ttie4nq0eyyhyf2dhgseauug.1459870911686@com.syntomo.email>
Date: Tue, 05 Apr 2016 16:42:06 -0300
Message-Id: <2EC38A43-5E21-4A5A-ACEF-7BA8E2233981@ve7jtb.com>
References: <20160321173103.31961.76817.idtracker@ietfa.amsl.com> <CAAX2Qa2kovVmCoByJc0HsE9a3ZS6Lm+9F2bzgynBoahttcv8Zw@mail.gmail.com> <CA+k3eCSOMkm+1_0+77+RONTVMbS=y9KpPWaO4jAEU0CfiiGF-Q@mail.gmail.com> <7CDE7D76-4E6C-4060-A0AB-C7D0FE8C9246@lodderstedt.net> <CA+k3eCSzUcrfhwuBUL1Zh0tb69x1FGw1o919TNptSg=LfYVYZw@mail.gmail.com> <ttie4nq0eyyhyf2dhgseauug.1459870911686@com.syntomo.email>
To: "torsten@lodderstedt.net" <torsten@lodderstedt.net>
X-Mailer: Apple Mail (2.3124)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/_ZldA-MjkvaDURCDq-Yxg4ECi3A>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-resource-indicators-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Apr 2016 19:42:27 -0000
At this point we are not considering changing the vague nature of scopes. A scope might still grant permission at the API level or finer grained. With things like the FIRE health record API there are standard scopes so I am assuming that if the client wants scope x, y ,z for health provider A & B it would ask for 3 scopes and two resources in the authorization request. The user might not grant all scopes doe all endpoints. When the client asks for a AT for RS A that might have different scopes than the one for RS B. If the client wants to ask for different scopes for different resources then it would need to do two authorization requests. Creating a request that could say give me x & y for A and z for B is probably farther than we want to go. It is a interesting point for the WG to consider. John B. > On Apr 5, 2016, at 12:41 PM, torsten@lodderstedt.net wrote: > > Hi Brian, > > I assume resource server ids or URIs to be a names namespace for scope values or that scope values are be bound to certain resource servers. It seems you have less coupling in mind? > > Best regards, > Torsten. > > Sent by MailWise <http://www.mail-wise.com/installation/2> – See your emails as clean, short chats. > > > > -------- Originalnachricht -------- > Betreff: Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-resource-indicators-01.txt > Von: Brian Campbell <bcampbell@pingidentity.com> > An: Torsten Lodderstedt <torsten@lodderstedt.net> > Cc: oauth <oauth@ietf.org> > > Sorry for the slow response, Torsten, I was on vacation last week with my family. > > The omission of scope values in the example requests wasn't really intentional so much as just an initial desire to have a minimal amount of stuff in the examples. Adding a scope parameter to the example authorization request (Figure 1) would probably be a good thing to do. I'll make a note to do so. > > As far as the relationship between scope and resource. Scope is *what* access is being requested/granted. And resource is about *where* a particular access token will be used. I envision resource as allowing for scope to > > Note that, as currently written anyway, resource is unlike scope in that it's not something that the end-user approves or denies access to and it's not something that is persisted with the grant. It only informs the access token being requested at the time. So it'd be used at the token endpoint when getting an access token. And only at the authorization endpoint when an access token will come back directly in the authorization response (implicit flows). > > Currently, yes, multiple resources are allowed by the draft to indicate multiple RSs. Though there's a note in there questioning it because it complicates things in some situations where different token content or encryption is needed for different RSs that are asked for in the same request. > > > > On Sat, Apr 2, 2016 at 8:04 AM, Torsten Lodderstedt <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote: > Hi Brian, > > did you intentionally omit scope values in your example requests? I would like to know what you envision to be the relationshop between scope and resource. > > As you draft says, we today use scope values to indicate to the AS, which ressource servers the clients wants to access. I think we nearly exclusively use it for that purpose and only seldomly to request certain access rights. One of the advantages is, we can request access to multiple resource servers simple by putting multiple scope values into the scope parameter. Will this be possible with the extension you are proposing? > > Best regards, > Torsten. > > Am 21.03.2016 um 18:41 schrieb Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>>: > >> Very minor update to this draft before the deadline that moves Hannes from Acknowledgements to Authors in acknowledgment of his similar work a few years ago. Also fleshed out the IANA section with the formal registration requests. >> >> >> ---------- Forwarded message ---------- >> From: <internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>> >> Date: Mon, Mar 21, 2016 at 11:31 AM >> Subject: New Version Notification for draft-campbell-oauth-resource-indicators-01.txt >> To: Hannes Tschofenig <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net <mailto:Hannes.Tschofenig@gmx.net>>, Brian Campbell <brian.d.campbell@gmail.com <mailto:brian.d.campbell@gmail.com>>, John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>> >> >> >> >> A new version of I-D, draft-campbell-oauth-resource-indicators-01.txt >> has been successfully submitted by Brian Campbell and posted to the >> IETF repository. >> >> Name: draft-campbell-oauth-resource-indicators >> Revision: 01 >> Title: Resource Indicators for OAuth 2.0 >> Document date: 2016-03-21 >> Group: Individual Submission >> Pages: 8 >> URL: https://www.ietf.org/internet-drafts/draft-campbell-oauth-resource-indicators-01.txt <https://www.ietf.org/internet-drafts/draft-campbell-oauth-resource-indicators-01.txt> >> Status: https://datatracker.ietf.org/doc/draft-campbell-oauth-resource-indicators/ <https://datatracker.ietf.org/doc/draft-campbell-oauth-resource-indicators/> >> Htmlized: https://tools.ietf.org/html/draft-campbell-oauth-resource-indicators-01 <https://tools.ietf.org/html/draft-campbell-oauth-resource-indicators-01> >> Diff: https://www.ietf.org/rfcdiff?url2=draft-campbell-oauth-resource-indicators-01 <https://www.ietf.org/rfcdiff?url2=draft-campbell-oauth-resource-indicators-01> >> >> Abstract: >> This straw-man specification defines an extension to The OAuth 2.0 >> Authorization Framework that enables the client and authorization >> server to more explicitly to communicate about the protected >> resource(s) to be accessed. >> >> >> >> >> Please note that it may take a couple of minutes from the time of submission >> until the htmlized version and diff are available at tools.ietf.org <http://tools.ietf.org/>. >> >> The IETF Secretariat >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Fwd: New Version Notification for draf… Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … Phil Hunt
- Re: [OAUTH-WG] Fwd: New Version Notification for … Sergey Beryozkin
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … Torsten Lodderstedt
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … torsten@lodderstedt.net
- Re: [OAUTH-WG] Fwd: New Version Notification for … John Bradley