Re: [OAUTH-WG] Registration: Scope Values

Tim Bray <twbray@google.com> Mon, 15 April 2013 14:33 UTC

Return-Path: <twbray@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FC5421F935B for <oauth@ietfa.amsl.com>; Mon, 15 Apr 2013 07:33:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.977
X-Spam-Level:
X-Spam-Status: No, score=-101.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wd+vQsr8NxgU for <oauth@ietfa.amsl.com>; Mon, 15 Apr 2013 07:33:35 -0700 (PDT)
Received: from mail-ie0-x230.google.com (mail-ie0-x230.google.com [IPv6:2607:f8b0:4001:c03::230]) by ietfa.amsl.com (Postfix) with ESMTP id 4965721F9339 for <oauth@ietf.org>; Mon, 15 Apr 2013 07:33:35 -0700 (PDT)
Received: by mail-ie0-f176.google.com with SMTP id x14so1555042ief.35 for <oauth@ietf.org>; Mon, 15 Apr 2013 07:33:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=hfamFgpZbd5SeJ/Jn1utDMKdzXV+X+/NNN+cClYjZts=; b=d/gNs1CVlaR+4OttsvewY4693WbxZR3f7cWaypPgIh3F2WgpakjAX9sq2+moWqGRTu 7Y9qkKTtf/RRjJV+ikX8aiDrqVV6pRiDpxyjvBueW0iK037YKVo7AXzJ76KLdru5RxzT hfQcSMNVw//+1M+3JU1bR72OSs1MTR82jPeKb9HuElN+RUu5a9LBzh24VkGMV742ku1H cu1J9rdbl2LBha8sfQBxGwyya1YndLGVRqX2JalIox8HENBGFMl65g6WtjyOc38Rmk4j i5BHlbneHCQZptJ8nPNuXW2neYwoHqARULrGOU6otd+16XKswWpjSkYv8H+2tTs7vF7E n03Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:cc:content-type:x-gm-message-state; bh=hfamFgpZbd5SeJ/Jn1utDMKdzXV+X+/NNN+cClYjZts=; b=Y6T1csWI3FC9f0RyKbtS9QIrW/ewGn8hQLhXJUEi1Rb8kfopyI/CdKy6aVWRayGKye Hcf5P2xYJ8Al2E2mx9YyL0us/M2VV9SAKBNkmWtofNMlUpsTyk5yR4tIgi1zpwJRASiF 85jffY7wXUHTVxZnix0MwJgpWUACCLQswJtPx1b07FTMW5oMF1dg4bAKj/KIcUTaiI5V MHBmYBSiDQNgookHNy5bbU+HQ9FV83dtAETqjqbBQjdDkKmFerBoAl1BiMiRST4PikbV GajKk46yj09G9XzkGrd2MMfwdVv1Wc5wRKzuWfEgiTsKCpuclY16HRI0EXkOBv0DWR+X cC0w==
X-Received: by 10.50.195.134 with SMTP id ie6mr5335818igc.6.1366036414600; Mon, 15 Apr 2013 07:33:34 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.31.35 with HTTP; Mon, 15 Apr 2013 07:33:03 -0700 (PDT)
In-Reply-To: <516C0B9D.6000402@mitre.org>
References: <255B9BB34FB7D647A506DC292726F6E1150C74DADA@WSMSG3153V.srv.dir.telstra.com> <516C069F.9090308@mitre.org> <CA+ZpN26NJj7T8V0WYNnVi2O1EhwKqDbk3zBcJoNkgk5PM6N5+Q@mail.gmail.com> <516C0B9D.6000402@mitre.org>
From: Tim Bray <twbray@google.com>
Date: Mon, 15 Apr 2013 07:33:03 -0700
Message-ID: <CA+ZpN27UCw=MpD+CPGTEaGFaQe5qFJm00jRVeW5FuB0MAk8D0A@mail.gmail.com>
To: Justin Richer <jricher@mitre.org>
Content-Type: multipart/alternative; boundary="14dae9340b453e32a304da672301"
X-Gm-Message-State: ALoCoQnL9lvP+aS9kGvKlLHO3dQeMgkSFsSsk21U2MARNRNXVCrNrQPqlxu9cL3T/Micq9k8AtdlH6SyeO79Az+T8s/YYixLnRgNoGTYRwUDVqZzovIsBIo4QPZYC8Gyx7gCghQTzMa6qE59r1E4xTc5qqeLZhqGsN0BUBFN2fCcYR3jy6+RgFWDUh3tmyZUbZ3DBKkd7nw/
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Registration: Scope Values
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2013 14:33:36 -0000

No, I mean it’s not interoperable at the software-developer level.  I can’t
register scopes at authorization time with any predictable effect that I
can write code to support, either client or server side, without
out-of-line non-interoperable knowledge about the behavior of the server.

I guess I’m just not used to OAuth’s culture of having no expectation that
things will be specified tightly enough that I can write code to implement
as specified.  -T


On Mon, Apr 15, 2013 at 7:15 AM, Justin Richer <jricher@mitre.org> wrote:

>  Scopes aren't meant to be interoperable between services since they're
> necessarily API-specific. The only interoperable bit is that there's *some*
> place to put the values and that it's expressed as a bag of space-separated
> strings. How those strings get interpreted and enforced (which is really
> what's at stake here) is up to the AS and PR (or a higher-level protocol
> like UMA).
>
>  -- Justin
>
>
> On 04/15/2013 10:13 AM, Tim Bray wrote:
>
> This, as written, has zero interoperability.  I think this feature can
> really only be made useful in the case where scopes are fixed strings.
>
> -T
> On Apr 15, 2013 6:54 AM, "Justin Richer" <jricher@mitre.org> wrote:
>
>>  You are correct that the idea behind the "scope" parameter at
>> registration is a constraint on authorization-time scopes that are made
>> available. It's both a means for the client to request a set of valid
>> scopes and for the server to provision (and echo back to the client) a set
>> of valid scopes.
>>
>> I *really* don't want to try to define a matching language for scope
>> expressions. For that to work, all servers would need to be able to process
>> the regular expressions for all clients, even if the servers themselves
>> only support simple-string scope values. Any regular expression syntax we
>> pick here is guaranteed to be incompatible with something, and I think the
>> complexity doesn't buy much. Also, I think you suddenly have a potential
>> security issue if you have a bad regex in place on either end.
>>
>> As it stands today, the server can interpret the incoming registration
>> scopes and enforce them however it wants to. The real trick comes not from
>> assigning the values to a particular client but to enforcing them, and I
>> think that's always going to be service-specific. We're just not as clear
>> on that as we could be.
>>
>> After looking over everyone's comments so far, I'd like to propose the
>> following text for that section:
>>
>>
>>    scope
>>       OPTIONAL.  Space separated list of scope values (as described in
>>       OAuth 2.0 Section 3.3 [RFC6749] <http://tools.ietf.org/html/rfc6749#section-3.3>) that the client can use when
>>       requesting access tokens.  As scope values are service-specific,
>>       the Authorization Server MAY define its own matching rules when
>>       determining if a scope value used during an authorization request
>>       is valid according to the scope values assigned during
>>       registration. Possible matching rules include wildcard patterns,
>>       regular expressions, or exactly matching the string. If omitted,
>>       an Authorization Server MAY register a Client with a default
>>       set of scopes.
>>
>>
>> Comments? Improvements?
>>
>>  -- Justin
>>
>>
>> On 04/14/2013 08:23 PM, Manger, James H wrote:
>>
>> Presumably at app registration time any scope specification is really a constraint on the scope values that can be requested in an authorization flow.
>>
>> So ideally registration should accept rules for matching scopes, as opposed to actual scope values.
>>
>> You can try to use scope values as their own matching rules. That is fine for a small set of "static" scopes. It starts to fail when there are a large number of scopes, or scopes that can include parameters (resource paths? email addresses?). You can try to patch those failures by allowing services to define service-specific special "wildcard" scope values that can only be used during registration (eg "read:*").
>>
>> Alternatively, replace 'scope' in registration with 'scope_regex' that holds a regular expression that all scope values in an authorization flow must match.
>>
>> --
>> James Manger
>> _______________________________________________
>> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>