Re: [OAUTH-WG] A proposal for a new Internet Draft
Clinton Bunch <cdb_ietf@zentaur.org> Sun, 02 April 2023 21:54 UTC
Return-Path: <cdb_ietf@zentaur.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6709C151540 for <oauth@ietfa.amsl.com>; Sun, 2 Apr 2023 14:54:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=zentaur.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PP1Y2pLrhMVT for <oauth@ietfa.amsl.com>; Sun, 2 Apr 2023 14:53:57 -0700 (PDT)
Received: from iris.zentaur.org (iris.zentaur.org [198.58.127.206]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59416C14CE33 for <oauth@ietf.org>; Sun, 2 Apr 2023 14:53:56 -0700 (PDT)
Received: from iris.zentaur.org (localhost [127.0.0.1]) by iris.zentaur.org (Postfix) with ESMTP id 4PqSTc435zz3wZp for <oauth@ietf.org>; Sun, 2 Apr 2023 21:53:56 +0000 (UTC)
Authentication-Results: iris.zentaur.org (amavisd-new); dkim=pass (2048-bit key) reason="pass (just generated, assumed good)" header.d=zentaur.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=zentaur.org; h= in-reply-to:from:from:references:to:content-language:subject :subject:user-agent:mime-version:date:date:message-id :content-type:content-type; s=dkim20200120; t=1680472433; x= 1680476034; bh=Z9AzbtIkdJLRjGTjCTSb58Ttk71T9Xl9qrk1pISaBQg=; b=S 78LsQ8Z1cJinkno2ilRpndHmIa6Ia9pGPaeFCZdXVL4B4QZNChvm9zdUMWibcD8G WWfa/4/JQF3A7w6naQ2LOcsuCwDjssBlRBher7zMkvEviRSKmto/j4C4ks+sNLCG rzuKsXMgdQ3afH7JX7ipg87KldiKUJDtCCg3R/CgQYHCOmRR6rEtOGysZu/NmP9v 7KU0ZNf+YTntoj4xrxfKqrZ6StCWs+7Vt2+dRV4IHBtP02HsZ+AjNUcjEvTI79YK Qbc/9p2eQEaNsD8o+owZWoCTht9Ybv61aEZG+KyQZGLnC+9CB7YIj2pzxkOEngoy b9yg2t5Z94GsTQqCC482A==
X-Virus-Scanned: amavisd-new at iris.zentaur.org
Received: from iris.zentaur.org ([127.0.0.1]) by iris.zentaur.org (iris.zentaur.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id QWKL5D9hdraR for <oauth@ietf.org>; Sun, 2 Apr 2023 21:53:53 +0000 (UTC)
Received: from [IPV6:::1] (unknown [IPv6:2605:a601:a54a:e500::1d4f]) by iris.zentaur.org (Postfix) with ESMTPSA id 4PqSTY0sXmz3wZb; Sun, 2 Apr 2023 21:53:53 +0000 (UTC)
Content-Type: multipart/alternative; boundary="------------XvvENEhmwjzFYCqBpZciMvut"
Message-ID: <b1f6213a-b8f6-3485-1f14-0cfcea3d7c50@zentaur.org>
Date: Sun, 02 Apr 2023 16:53:53 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.8.0
Content-Language: en-US
To: Warren Parad <wparad@rhosys.ch>
Cc: Clinton Bunch <cdb_ietf@zentaur.org>, oauth@ietf.org
References: <c38217fe-911b-59bb-a318-dca4990d8670@zentaur.org> <CAJot-L3ovdJ_Q1_Hy25de-uzfLH1HkMCmFdPZjGm4z2SwtCJOQ@mail.gmail.com> <a876f3b0-7034-037d-cc57-2c868cabce9e@zentaur.org> <CAJot-L14wrTVaWNiUUED8UrMW=+nuWm0YrSnn7R6uu2kes1sNQ@mail.gmail.com> <1e6dd96f-2579-9f8f-5e6d-781c57c6f6f4@zentaur.org> <CAJot-L0qCWAMA3bSXVGCqmjeENoRpGkkdVY8BBnE0WZwesgvjw@mail.gmail.com> <37186697-9386-518f-7df5-05eebc8b35c5@zentaur.org> <CAJot-L0d3SmagSC_jp0YtpOWa6o+8cGSWRVtz+E+EQcL2dxm4Q@mail.gmail.com> <3aaf8a0e-82b4-12ee-ba8f-dff409615bda@zentaur.org> <CAJot-L0iGeitoJ+_McopYSuNqhLaUHs2mmKi8KB10jCn-F0g3Q@mail.gmail.com> <ce087f16-2113-04b1-3a1b-4e71a01be3a8@zentaur.org> <CAJot-L1VRo6nrZZyP1u-t+ZfJLfrmexmW3CNg=HsQ+N+X35ydw@mail.gmail.com>
From: Clinton Bunch <cdb_ietf@zentaur.org>
In-Reply-To: <CAJot-L1VRo6nrZZyP1u-t+ZfJLfrmexmW3CNg=HsQ+N+X35ydw@mail.gmail.com>
X-Antivirus: Avast (VPS 230402-4, 4/2/2023), Outbound message
X-Antivirus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/arfRRn5w0pnWNL3h40qbiG1H30c>
Subject: Re: [OAUTH-WG] A proposal for a new Internet Draft
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Apr 2023 21:54:02 -0000
On 4/2/2023 4:44 PM, Warren Parad wrote: > If CalDAV is that spec, then wouldn't it make sense to request updates > to that spec to additionally define OAuth scopes? I don't think it > makes sense for the OAuth WG to define scopes for other specs, and I > also don't think updating the CalDAV spec is in the purview of this > working group. Instead the expectation is for specs using OAuth to > define their own scopes. In that light, might it make sense to review > the current working groups to find one that could take on the addendum > to the existing CalDAV spec? I considered posting this to calext or emailcore, but neither would be appropriate for all these scopes and Oauth would need to approve the IANA registration using this URI namespace. So I tried here first. > > On Sun, Apr 2, 2023 at 11:24 PM Clinton Bunch <cdbunch@zentaur.org> wrote: > > On 4/2/2023 4:06 PM, Warren Parad wrote: >> Why is this still hypothetical, is there a reason you don't want >> to share a concrete use case? > > I run a small e-mail and calendar server for my own use. > Thunderbird cannot provide Oauth authentication to my server > without knowing what scopes define email services or calendar > services or contacts services. It is impractical to expect > Thunderbird to map my specific scopes to those services and do the > same for thousands of other servers. So having a well-defined set > of scopes with well-defined semantics allows Thunderbird to use > the discovery protocol to see that my AS supports some or all of > those scopes. > > >> Sure, Thunderbird needs to understand the scopes mapped by email >> providers, but having shared scope names, does not imply the >> implementation of those scopes. So Thunderbird still has to >> maintain a map of "what it wants" to "what scope provides that by >> that service in question". Having standard scopes doesn't change >> that, it only hopefully convinces existing email providers to >> actually change their scope names. > Since most small providers don't currently have scopes defined > because the clients don't even try to support scopes except those > defined by the big players, this gives them a set of scopes that > can be reasonably supported by both the AS and the client without > manual configuration. >> >> Are existing email providers going to change their scope names? I >> can't see Google Calendar doing that. The problem with defining >> arbitrary strings that imply permissions, is that "what exactly >> those scopes means" is not trivially obvious. That is, as David >> Waite put it, does *calendar:update imply calendar:read*. Adding >> both to the oauth params still allows some providers to say >> *yes* while others say *no*. Which means we aren't just talking >> about adding scopes, we are talking about what those scopes >> imply. Before we can add scopes, I think we would need to first >> point to a globally accepted calendar service interface >> specification which we could use to draw inspiration from. >> However if such spec already existed, then the scopes would also >> exist. > > How is CalDAV not that spec? > > Yes, there may be places where the semantics are not quite > well-defined enough, that would be the point of having a discussion. > >> >> That is to say, a spec needs to exist before creating scopes, and >> if the spec did exist, the scopes would already be defined. For >> the that reason, I don't believe this this the best working group >> for that. >> >> >> On Sun, Apr 2, 2023 at 10:53 PM Clinton Bunch >> <cdb_ietf@zentaur.org> wrote: >> >> On 4/2/2023 3:13 PM, Warren Parad wrote: >>> I'm looking for proof that anyone actually needs these. >>> Introducing unnecessary scopes into the spec is both a waste >>> of time and needlessly complicates the documentation. So we >>> need there to be a real problem that is attempting to be >>> solved in which additional scopes is the right solution. >>> >>> I'm going to start off the conversation by saying, I think >>> this is a bad idea. Most services in the world do not have >>> any of these, and when they do the relevant scopes are >>> coupled to the relevant authorization server (AS). In other >>> words, you only define the scopes you want after reviewing >>> the documentation for the relevant AS. Defining new standard >>> scopes helps for interoperability, but there is zero >>> interoperability with scopes (the AS defines them, the Dev >>> picks them, and the User reviews them. Scopes don't carry >>> additional meaning cross platforms). So this seems like just >>> a really bad idea to me. >>> >>> Scopes do help with permissions and visibility in the >>> created id_token (or access_token), for instance let's say a >>> service wanted to link a user's access to their ethereum >>> wallet. In that case, a new scope like eth_wallet_id might >>> make sense, so that the wallet public key would show up in >>> the id_token to be directly used. >>> >>> But the scopes that have been proposed don't expose data in >>> the tokens, they define access. User contact information is >>> already available via *profile, email, address, and phone*. >>> That means not only are we talking about creating additional >>> scopes, we are also talking about expanding scopes in a way >>> that currently isn't used. Which brings us back to, what >>> problem are you trying to solve? >> >> >> Right now an email (or calendar or contact) client (such as >> Thunderbird) is in general written by an organization >> separate from the author of the resource server (such as >> Dovecot), which is different from the author of the >> authorization server. The authorization server may have >> several scopes it supports, so even using the discovery >> protocol, the client doesn't know how to choose the scopes it >> needs to request without those scopes being hard-coded per >> authorization server, or entered by the user. This would >> allow the client, AS, and resource server too use a common >> set of scopes to specify that this domain is offering >> groupware services and the scopes the client needs to >> request. It requires cooperation from the AS administrator, >> true, but both client and server know what the appropriate >> scopes are without further configuration. >> >> These clients may be used across thousandds of AS domains and >> having to hard-code the scopes for each is going to deter >> adoption of Oauth2 authentication, by limiting it to only a >> few domains. >> >> Another use case is connecting voice assistants to calendars >> hosted on servers of small organizations. The voice >> assistant needs to know what scopes to request for the token >> to access the users calendar. Right now that is limited to >> just the calendar services of a few large players which are >> hard-coded. >> >> Having the user enter the necessary scopes by hand, where the >> client has that capability, leads to a poor user experience. >> >> The point of these scopes is to allow small players in the >> field to use common implementations and have them work for a >> wide set of users without placing an undue burden on the user. >> >>> >>> On Sun, Apr 2, 2023 at 9:57 PM Clinton Bunch >>> <cdb_ietf@zentaur.org> wrote: >>> >>> On 4/2/2023 2:49 PM, Warren Parad wrote: >>>> But why these scopes? >>> >>> Separate read and write scopes for the three pieces of a >>> groupware service seemed appropriate. And separating >>> the three pieces of groupware seemed appropriate as not >>> all domains or users will use all of them. >>> >>> But since the most common use cases would include both >>> read and write, I defined short-hand scopes that >>> included both permissions. >>> >>> If that doesn't answer your question, then I'm not sure >>> what you're looking for. >>> >>>> >>>> On Sun, Apr 2, 2023 at 9:37 PM Clinton Bunch >>>> <cdb_ietf@zentaur.org> wrote: >>>> >>>> >>>> >>>> On 4/2/2023 2:26 PM, Warren Parad wrote: >>>>> Sorry, I'm asking why these scopes at all? I >>>>> personally have never seen any of them used ever >>>>> (and I'm not being hyperbolic), How did you come >>>>> up with these suggestions? >>>>> >>>> The naming seemed logical given the IANA URI >>>> namespace. I was looking for something that would >>>> be a common set of scopes for this application >>>> domain that wasn't tied to a single vendor. >>>> >>>> The purpose *could* be served by widespread >>>> adoption of Google's scopes such as >>>> >>>> https://www.googleapis.com/auth/calendar >>>> >>>> but I believe that the reliance on a specific >>>> vendor name would hamper wide-spread adoption, so a >>>> namespace defined by a neutral party such as IETF >>>> seemed best. >>>> >>>>> On Sun, Apr 2, 2023 at 8:46 PM Clinton Bunch >>>>> <cdb_ietf@zentaur.org> wrote: >>>>> >>>>> On 4/2/2023 1:34 PM, Warren Parad wrote: >>>>>> >>>>>> I propose a set of nine well-known scopes >>>>>> >>>>>> >>>>>> Can you elaborate on what you mean by >>>>>> "well-known"? Is there some canonical list, >>>>>> where these were pulled from? >>>>> >>>>> I was trying to avoid the use of standard, as >>>>> that implies they must be used. To encourage >>>>> adoption, I didn't want to imply that the >>>>> large providers would be required to change >>>>> their software to accommodate these, though it >>>>> would be nice if they did. These scopes are >>>>> not currently in use as far as I know. >>>>> >>>>> The sense of well-known is that once this was >>>>> published they would be well-known scopes that >>>>> could be implemented with well-defined semantics. >>>>> >>>>>> >>>>>> - Warren >>>>>> >>>>>> On Sun, Apr 2, 2023 at 8:12 PM Clinton Bunch >>>>>> <cdb_ietf@zentaur.org> wrote: >>>>>> >>>>>> This seemed the most appropriate working >>>>>> group to post this suggestion. >>>>>> >>>>>> I would like to see a new >>>>>> Internet-Draft/RFC to add some well-known >>>>>> scopes to the IANA registry to promote >>>>>> adoption of Oauth in Groupware >>>>>> domains. I will try to write it myself, >>>>>> but have no experience with >>>>>> I-Ds or as a technical writer and could >>>>>> use some help. >>>>>> >>>>>> Since the publication of RFC 7628 there >>>>>> is a push to migrate groupware >>>>>> servers to use Oauth2. This is hampered >>>>>> by the fact that there are >>>>>> several different server implementations >>>>>> and client implementations are >>>>>> often written by different organizations >>>>>> with little overlap. One of >>>>>> the barriers to widespread adoption is >>>>>> that each authorization server >>>>>> has a different set of scopes to cover >>>>>> the necessary user >>>>>> authorizations. One groupware client I >>>>>> know has only a few Auth Servers >>>>>> available that are hardcoded and nearly >>>>>> every one has a different set of >>>>>> scopes. Servers have to have appropriate >>>>>> scopes configured by the >>>>>> administrator in order for the server to >>>>>> know which scopes to check. It >>>>>> also makes it hard for clients to know >>>>>> which scopes to request without >>>>>> some sort of configuration file provided >>>>>> by the domain or worse, having >>>>>> the user enter the appropriate scopes by >>>>>> hand. The latter especially >>>>>> seems like a support headache for the >>>>>> admin of the groupware servers. >>>>>> >>>>>> I propose a set of nine well-known scopes >>>>>> be added to the Oauth URI IANA >>>>>> registry to address this. >>>>>> >>>>>> urn:ietf:params:oauth:scope:mail:read >>>>>> - Authorization to read >>>>>> email (IMAP,POP) >>>>>> urn:ietf:params:oauth:scope:mail:send >>>>>> - Authorization to send >>>>>> mail on the user's behalf (SMTP) >>>>>> urn:ietf:params:oauth:scope:mail >>>>>> - Combination of the >>>>>> previous two scopes >>>>>> urn:ietf:params:oauth:scope:calendar:read >>>>>> - Authorization to read >>>>>> calendar entries >>>>>> urn:ietf:params:oauth:scope:calendar:update >>>>>> - Authorization to >>>>>> update/create/delete calendar entries >>>>>> urn:ietf:params:oauth:scope:calendar >>>>>> - Combination of the >>>>>> previous two scopes >>>>>> urn:ietf:params:oauth:scope:contacts:read >>>>>> - Authorization to read >>>>>> contacts information >>>>>> urn:ietf:params:oauth:scope:contacts:update >>>>>> - Authorization to >>>>>> update/create/delete contact information. >>>>>> urn:ietf:params:oauth:scope:contacts >>>>>> - Combination of the >>>>>> previous two scopes >>>>>> >>>>>> _______________________________________________ >>>>>> OAuth mailing list >>>>>> OAuth@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>> >>>>> >>>> >>> >> >
- Re: [OAUTH-WG] A proposal for a new Internet Draft David Waite
- [OAUTH-WG] A proposal for a new Internet Draft Clinton Bunch
- Re: [OAUTH-WG] A proposal for a new Internet Draft Warren Parad
- Re: [OAUTH-WG] A proposal for a new Internet Draft Clinton Bunch
- Re: [OAUTH-WG] A proposal for a new Internet Draft Warren Parad
- Re: [OAUTH-WG] A proposal for a new Internet Draft Clinton Bunch
- Re: [OAUTH-WG] A proposal for a new Internet Draft Warren Parad
- Re: [OAUTH-WG] A proposal for a new Internet Draft Clinton Bunch
- Re: [OAUTH-WG] A proposal for a new Internet Draft Warren Parad
- Re: [OAUTH-WG] A proposal for a new Internet Draft Clinton Bunch
- Re: [OAUTH-WG] A proposal for a new Internet Draft Warren Parad
- Re: [OAUTH-WG] A proposal for a new Internet Draft Clinton Bunch
- Re: [OAUTH-WG] A proposal for a new Internet Draft Warren Parad
- Re: [OAUTH-WG] A proposal for a new Internet Draft Clinton Bunch
- Re: [OAUTH-WG] A proposal for a new Internet Draft Warren Parad
- Re: [OAUTH-WG] A proposal for a new Internet Draft Kai Lehmann
- Re: [OAUTH-WG] A proposal for a new Internet Draft Clinton Bunch
- Re: [OAUTH-WG] A proposal for a new Internet Draft Dave Tonge