Re: [OAUTH-WG] Scope :: Was: Extensibility for OAuth?
Blaine Cook <romeda@gmail.com> Fri, 25 June 2010 14:53 UTC
Return-Path: <romeda@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9163F3A6956 for <oauth@core3.amsl.com>; Fri, 25 Jun 2010 07:53:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M36WfhPnOHv8 for <oauth@core3.amsl.com>; Fri, 25 Jun 2010 07:52:59 -0700 (PDT)
Received: from mail-pv0-f172.google.com (mail-pv0-f172.google.com [74.125.83.172]) by core3.amsl.com (Postfix) with ESMTP id 98D063A6832 for <oauth@ietf.org>; Fri, 25 Jun 2010 07:52:59 -0700 (PDT)
Received: by pvc21 with SMTP id 21so1300231pvc.31 for <oauth@ietf.org>; Fri, 25 Jun 2010 07:53:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:mime-version:received:in-reply-to :references:from:date:message-id:subject:to:cc:content-type :content-transfer-encoding; bh=pQL7NfqJ3BlUnmyF1e+W/X63Pj1VMG10Em6haeMiVGo=; b=u4+IUGgkZ6oIuTR1Vt8IiD4WFh5sOMTekpBYmvzgdtHDaHjGAwPKWsRfcjBPOUUpDL vYjnlDqe/f1TrjOGU61V/2a7RuAp6ra6C7zbbfAlidj0X5xM4XppWJwODnZuPe8uj+h3 9qTOY0+EJf0hx/wzvf/JMOxuv5eca/idu9nes=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; b=J3I76lmO97+2P1GfFUcUKTSm6mj3dVULULA7gHVRJFkUn8r7AVA3Nhv7RWHovkyZCJ YSZ5rWFhW3k0l2tDDgop5hCJbVZWZSpBrQWnt1VKTfpJnqDvA2BNNOG0X96xcmvfpPTb eJg7scOdginT7X9f8NyFQYtl4Bw8mZxU40MAw=
Received: by 10.143.26.19 with SMTP id d19mr1012285wfj.160.1277477584505; Fri, 25 Jun 2010 07:53:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.143.41.11 with HTTP; Fri, 25 Jun 2010 07:52:44 -0700 (PDT)
In-Reply-To: <3D3C75174CB95F42AD6BCC56E5555B450286986B@FIESEXC015.nsn-intra.net>
References: <3D3C75174CB95F42AD6BCC56E5555B4502BE07CC@FIESEXC015.nsn-intra.net> <E7A7F197-3BBC-43F2-8242-D0164057A39A@gmail.com> <AANLkTild51WHVcXxYFCygL8sGSGiN3HILDFwIbym6Lfi@mail.gmail.com> <3D3C75174CB95F42AD6BCC56E5555B4502869858@FIESEXC015.nsn-intra.net> <012AB2B223CB3F4BB846962876F47217059B663D@SNV-EXVS08.ds.corp.yahoo.com> <3D3C75174CB95F42AD6BCC56E5555B450286986B@FIESEXC015.nsn-intra.net>
From: Blaine Cook <romeda@gmail.com>
Date: Fri, 25 Jun 2010 15:52:44 +0100
Message-ID: <AANLkTinOJ-t3XLweZpcWbgtKKGlCfVD_-Md08hVsCXM9@mail.gmail.com>
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Scope :: Was: Extensibility for OAuth?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Jun 2010 14:53:02 -0000
I agree with Dick that the scope should remain out of scope for OAuth. ;-) Having a shared parameter here gives the illusion of interoperability, but because there's no common understanding of permissible scopes, there's no way to guarantee that any given client-server pair could expect to produce predictable outcomes. Furthermore, limiting the format of the scope prematurely means that we give up on a whole set of possibilities before we've even had a chance to see what those possibilities are. For example, YQL might want to allow a scope to be defined like "SELECT * FROM flickr" or something similar. Maybe scope is implicit in assertions, or even explicit. Scope might be tied to the degree to which the requesting and/or granting parties are trusted by the service provider. If there were a compelling story about how scope is supposed to realistically achieve greater interoperability, it might be worthwhile for us to consider it. In the meantime, though, I think it just represents the same featuritis drive that got us an under-specified (and more harmful than helpful) version parameter in OAuth 1.0. b. On 25 June 2010 08:59, Tschofenig, Hannes (NSN - FI/Espoo) <hannes.tschofenig@nsn.com> wrote: > Dick pointed me to the Facebook API on how scope is used. > The main page is here: > http://developers.facebook.com/docs/authentication/ > > It describes the basic functionality and also lists an example: > > " > https://graph.facebook.com/oauth/authorize? > client_id=...& > redirect_uri=http://www.example.com/callback& > scope=user_photos,user_videos,publish_stream > " > > The values of the scope parameter are then explained here: > http://developers.facebook.com/docs/authentication/permissions > > Example: user_photos ... Provides access to the photos the user has uploaded > > I think it provides a good example that the scope values are not opaque. > Opaque (in this context) means that only the entity creating it needs to understand it and nobody else. Here the client needs to understand and set them. > > However, one could argue that the scope values are already bound to the specific entity the client requests to obtain the assertion from. In this specific case it would be "https://graph.facebook.com". > > To respond to the statement Dick made about having standardized values later there would still be the need to decide about the structure of the values now. One possibility is to just add a prefix for standardized values that are not allowed to be used in other cases, such as "std:". > > Ciao > Hannes > > >> -----Original Message----- >> From: ext William Mills [mailto:wmills@yahoo-inc.com] >> Sent: Thursday, June 24, 2010 8:15 PM >> To: Tschofenig, Hannes (NSN - FI/Espoo); ext Lukas >> Rosenstock; Dick Hardt >> Cc: OAuth WG >> Subject: RE: [OAUTH-WG] Scope :: Was: Extensibility for OAuth? >> >> I'm in favor of having a spaces separated list of tokens. >> The only case I can think of where the client needs to handle >> the scope as anything other than opaque is when it is >> accessing multiple services. To reduce the numebr of login >> events the client will have to poll all the endpoints it >> wants to access and get all the scopes advertized by them and >> submit them all, and once it has them it needs to submit all >> of them in it's auth request, so we need something that's >> easy for the client to put together. >> >> >> -bill >> >> > -----Original Message----- >> > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] >> > On Behalf Of Tschofenig, Hannes (NSN - FI/Espoo) >> > Sent: Thursday, June 24, 2010 3:58 AM >> > To: ext Lukas Rosenstock; Dick Hardt >> > Cc: OAuth WG >> > Subject: Re: [OAUTH-WG] Scope :: Was: Extensibility for OAuth? >> > >> > The question is whether one would ever want to have a >> > standardized semantic for the scope parameter. >> > If the answer to that question is "no" then it does not >> > matter what the format is. It can well be a list of >> > space-delimited strings (as it is currently defined). >> > >> > An evironment specific semantic works well in cases where >> > entity X sets the value and later it receives the value >> > again. Only entity X needs to understand what it means. >> > >> > In some environments the use case is slightly different, >> > namely entity X and entity Y are from the same organization >> > and agree on the semantic. Usage of OAuth within an >> > enterprise might be such a case. >> > >> > Now, the usage of the scope parameter is, however, a bit >> > different in the spec. Section 4, for example, describes how >> > a client obtains an access token. How does the client know >> > what scope parameters to set and what the semantic is? >> > >> > Ciao >> > Hannes >> > >> > > -----Original Message----- >> > > From: ext Lukas Rosenstock [mailto:lr@lukasrosenstock.net] >> > > Sent: Thursday, June 24, 2010 10:49 AM >> > > To: Dick Hardt >> > > Cc: Tschofenig, Hannes (NSN - FI/Espoo); OAuth WG >> > > Subject: Re: [OAUTH-WG] Scope :: Was: Extensibility for OAuth? >> > > >> > > Wasn't there some concensus that URIs would be good for >> scope? They >> > > have "in-built namespacing" ... >> > > >> > > Lukas >> > > >> > > 2010/6/23 Dick Hardt <dick.hardt@gmail.com>: >> > > > >> > > > On 2010-06-22, at 11:07 PM, Tschofenig, Hannes (NSN - >> > > FI/Espoo) wrote: >> > > > >> > > >> " >> > > >> scope >> > > >> OPTIONAL. The scope of the access request >> > > expressed as a list >> > > >> of space-delimited strings. The value of the >> > > "scope" parameter >> > > >> is defined by the authorization server. If the >> > > value contains >> > > >> multiple space-delimited strings, their order does >> > > not matter, >> > > >> and each string adds an additional access range to the >> > > >> requested scope. >> > > >> " >> > > >> >> > > >> Do folks think it would be useful to have standardized values? >> > > > >> > > > Not at this time. The semantics of scope are all over the >> > > place. If standardized, people will feel they need to pick >> > one that is >> > > close to what they want, but is not exactly what they mean. >> > I think it >> > > is better for the AS to define what they mean by a scope >> > and give it a >> > > name that makes sense in that context. >> > > > >> > > >> >> > > >> If the answer is "yes", then it would be useful to >> > > differentiate the >> > > >> standardized values from those values that are purely >> > > defined locally by >> > > >> the authorization server. >> > > >> > _______________________________________________ >> > OAuth mailing list >> > OAuth@ietf.org >> > https://www.ietf.org/mailman/listinfo/oauth >> > >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Extensibility for OAuth? Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] Scope :: Was: Extensibility for OA… William Mills
- [OAUTH-WG] Scope :: Was: Extensibility for OAuth? Dick Hardt
- Re: [OAUTH-WG] Extensibility for OAuth? Thomas Hardjono
- Re: [OAUTH-WG] Scope :: Was: Extensibility for OA… Lukas Rosenstock
- Re: [OAUTH-WG] Scope :: Was: Extensibility for OA… Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] Scope :: Was: Extensibility for OA… Justin Richer
- Re: [OAUTH-WG] Scope :: Was: Extensibility for OA… Dick Hardt
- Re: [OAUTH-WG] Scope :: Was: Extensibility for OA… Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] Scope :: Was: Extensibility for OA… Justin Richer
- Re: [OAUTH-WG] Scope :: Was: Extensibility for OA… Blaine Cook
- Re: [OAUTH-WG] Scope :: Was: Extensibility for OA… Dick Hardt
- Re: [OAUTH-WG] Scope :: Was: Extensibility for OA… Dick Hardt
- Re: [OAUTH-WG] Scope :: Was: Extensibility for OA… Luke Shepard
- Re: [OAUTH-WG] Extensibility for OAuth? Eran Hammer-Lahav
- Re: [OAUTH-WG] Scope :: Was: Extensibility for OA… Eran Hammer-Lahav
- Re: [OAUTH-WG] Extensibility for OAuth? Dick Hardt
- Re: [OAUTH-WG] Scope :: Was: Extensibility for OA… Eran Hammer-Lahav
- Re: [OAUTH-WG] Extensibility for OAuth? Eran Hammer-Lahav
- Re: [OAUTH-WG] Scope :: Was: Extensibility for OA… Dick Hardt
- Re: [OAUTH-WG] Scope :: Was: Extensibility for OA… Eran Hammer-Lahav
- Re: [OAUTH-WG] Extensibility for OAuth? Dick Hardt
- Re: [OAUTH-WG] Extensibility for OAuth? Eran Hammer-Lahav
- Re: [OAUTH-WG] Scope :: Was: Extensibility for OA… Justin Hart