Re: [OAUTH-WG] Registration: Scope Values
Tim Bray <twbray@google.com> Mon, 15 April 2013 14:33 UTC
Return-Path: <twbray@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FC5421F935B for <oauth@ietfa.amsl.com>; Mon, 15 Apr 2013 07:33:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.977
X-Spam-Level:
X-Spam-Status: No, score=-101.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wd+vQsr8NxgU for <oauth@ietfa.amsl.com>; Mon, 15 Apr 2013 07:33:35 -0700 (PDT)
Received: from mail-ie0-x230.google.com (mail-ie0-x230.google.com [IPv6:2607:f8b0:4001:c03::230]) by ietfa.amsl.com (Postfix) with ESMTP id 4965721F9339 for <oauth@ietf.org>; Mon, 15 Apr 2013 07:33:35 -0700 (PDT)
Received: by mail-ie0-f176.google.com with SMTP id x14so1555042ief.35 for <oauth@ietf.org>; Mon, 15 Apr 2013 07:33:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=hfamFgpZbd5SeJ/Jn1utDMKdzXV+X+/NNN+cClYjZts=; b=d/gNs1CVlaR+4OttsvewY4693WbxZR3f7cWaypPgIh3F2WgpakjAX9sq2+moWqGRTu 7Y9qkKTtf/RRjJV+ikX8aiDrqVV6pRiDpxyjvBueW0iK037YKVo7AXzJ76KLdru5RxzT hfQcSMNVw//+1M+3JU1bR72OSs1MTR82jPeKb9HuElN+RUu5a9LBzh24VkGMV742ku1H cu1J9rdbl2LBha8sfQBxGwyya1YndLGVRqX2JalIox8HENBGFMl65g6WtjyOc38Rmk4j i5BHlbneHCQZptJ8nPNuXW2neYwoHqARULrGOU6otd+16XKswWpjSkYv8H+2tTs7vF7E n03Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:cc:content-type:x-gm-message-state; bh=hfamFgpZbd5SeJ/Jn1utDMKdzXV+X+/NNN+cClYjZts=; b=Y6T1csWI3FC9f0RyKbtS9QIrW/ewGn8hQLhXJUEi1Rb8kfopyI/CdKy6aVWRayGKye Hcf5P2xYJ8Al2E2mx9YyL0us/M2VV9SAKBNkmWtofNMlUpsTyk5yR4tIgi1zpwJRASiF 85jffY7wXUHTVxZnix0MwJgpWUACCLQswJtPx1b07FTMW5oMF1dg4bAKj/KIcUTaiI5V MHBmYBSiDQNgookHNy5bbU+HQ9FV83dtAETqjqbBQjdDkKmFerBoAl1BiMiRST4PikbV GajKk46yj09G9XzkGrd2MMfwdVv1Wc5wRKzuWfEgiTsKCpuclY16HRI0EXkOBv0DWR+X cC0w==
X-Received: by 10.50.195.134 with SMTP id ie6mr5335818igc.6.1366036414600; Mon, 15 Apr 2013 07:33:34 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.31.35 with HTTP; Mon, 15 Apr 2013 07:33:03 -0700 (PDT)
In-Reply-To: <516C0B9D.6000402@mitre.org>
References: <255B9BB34FB7D647A506DC292726F6E1150C74DADA@WSMSG3153V.srv.dir.telstra.com> <516C069F.9090308@mitre.org> <CA+ZpN26NJj7T8V0WYNnVi2O1EhwKqDbk3zBcJoNkgk5PM6N5+Q@mail.gmail.com> <516C0B9D.6000402@mitre.org>
From: Tim Bray <twbray@google.com>
Date: Mon, 15 Apr 2013 07:33:03 -0700
Message-ID: <CA+ZpN27UCw=MpD+CPGTEaGFaQe5qFJm00jRVeW5FuB0MAk8D0A@mail.gmail.com>
To: Justin Richer <jricher@mitre.org>
Content-Type: multipart/alternative; boundary="14dae9340b453e32a304da672301"
X-Gm-Message-State: ALoCoQnL9lvP+aS9kGvKlLHO3dQeMgkSFsSsk21U2MARNRNXVCrNrQPqlxu9cL3T/Micq9k8AtdlH6SyeO79Az+T8s/YYixLnRgNoGTYRwUDVqZzovIsBIo4QPZYC8Gyx7gCghQTzMa6qE59r1E4xTc5qqeLZhqGsN0BUBFN2fCcYR3jy6+RgFWDUh3tmyZUbZ3DBKkd7nw/
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Registration: Scope Values
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2013 14:33:36 -0000
No, I mean it’s not interoperable at the software-developer level. I can’t register scopes at authorization time with any predictable effect that I can write code to support, either client or server side, without out-of-line non-interoperable knowledge about the behavior of the server. I guess I’m just not used to OAuth’s culture of having no expectation that things will be specified tightly enough that I can write code to implement as specified. -T On Mon, Apr 15, 2013 at 7:15 AM, Justin Richer <jricher@mitre.org> wrote: > Scopes aren't meant to be interoperable between services since they're > necessarily API-specific. The only interoperable bit is that there's *some* > place to put the values and that it's expressed as a bag of space-separated > strings. How those strings get interpreted and enforced (which is really > what's at stake here) is up to the AS and PR (or a higher-level protocol > like UMA). > > -- Justin > > > On 04/15/2013 10:13 AM, Tim Bray wrote: > > This, as written, has zero interoperability. I think this feature can > really only be made useful in the case where scopes are fixed strings. > > -T > On Apr 15, 2013 6:54 AM, "Justin Richer" <jricher@mitre.org> wrote: > >> You are correct that the idea behind the "scope" parameter at >> registration is a constraint on authorization-time scopes that are made >> available. It's both a means for the client to request a set of valid >> scopes and for the server to provision (and echo back to the client) a set >> of valid scopes. >> >> I *really* don't want to try to define a matching language for scope >> expressions. For that to work, all servers would need to be able to process >> the regular expressions for all clients, even if the servers themselves >> only support simple-string scope values. Any regular expression syntax we >> pick here is guaranteed to be incompatible with something, and I think the >> complexity doesn't buy much. Also, I think you suddenly have a potential >> security issue if you have a bad regex in place on either end. >> >> As it stands today, the server can interpret the incoming registration >> scopes and enforce them however it wants to. The real trick comes not from >> assigning the values to a particular client but to enforcing them, and I >> think that's always going to be service-specific. We're just not as clear >> on that as we could be. >> >> After looking over everyone's comments so far, I'd like to propose the >> following text for that section: >> >> >> scope >> OPTIONAL. Space separated list of scope values (as described in >> OAuth 2.0 Section 3.3 [RFC6749] <http://tools.ietf.org/html/rfc6749#section-3.3>) that the client can use when >> requesting access tokens. As scope values are service-specific, >> the Authorization Server MAY define its own matching rules when >> determining if a scope value used during an authorization request >> is valid according to the scope values assigned during >> registration. Possible matching rules include wildcard patterns, >> regular expressions, or exactly matching the string. If omitted, >> an Authorization Server MAY register a Client with a default >> set of scopes. >> >> >> Comments? Improvements? >> >> -- Justin >> >> >> On 04/14/2013 08:23 PM, Manger, James H wrote: >> >> Presumably at app registration time any scope specification is really a constraint on the scope values that can be requested in an authorization flow. >> >> So ideally registration should accept rules for matching scopes, as opposed to actual scope values. >> >> You can try to use scope values as their own matching rules. That is fine for a small set of "static" scopes. It starts to fail when there are a large number of scopes, or scopes that can include parameters (resource paths? email addresses?). You can try to patch those failures by allowing services to define service-specific special "wildcard" scope values that can only be used during registration (eg "read:*"). >> >> Alternatively, replace 'scope' in registration with 'scope_regex' that holds a regular expression that all scope values in an authorization flow must match. >> >> -- >> James Manger >> _______________________________________________ >> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> >
- [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values Donald F Coffin
- Re: [OAUTH-WG] Registration: Scope Values Donald F Coffin
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Donald F Coffin
- Re: [OAUTH-WG] Registration: Scope Values Manger, James H
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values prateek mishra
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values John Bradley
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Anthony Nadalin
- Re: [OAUTH-WG] Registration: Scope Values Phil Hunt
- Re: [OAUTH-WG] Registration: Scope Values Richer, Justin P.
- Re: [OAUTH-WG] Registration: Scope Values Richer, Justin P.
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Anthony Nadalin
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values Phil Hunt
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Phil Hunt
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer