Re: [OAUTH-WG] Scope parameter values for "authorization_code" and "client_credentials" based access tokens
"Donald Coffin" <donald.coffin@reminetworks.com> Mon, 17 February 2014 18:54 UTC
Return-Path: <donald.coffin@reminetworks.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37D911A0275 for <oauth@ietfa.amsl.com>; Mon, 17 Feb 2014 10:54:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Level:
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sEhBBDFl2MGp for <oauth@ietfa.amsl.com>; Mon, 17 Feb 2014 10:54:16 -0800 (PST)
Received: from gproxy4-pub.mail.unifiedlayer.com (gproxy4-pub.mail.unifiedlayer.com [69.89.23.142]) by ietfa.amsl.com (Postfix) with SMTP id 23A511A01D6 for <oauth@ietf.org>; Mon, 17 Feb 2014 10:54:16 -0800 (PST)
Received: (qmail 28087 invoked by uid 0); 17 Feb 2014 18:54:07 -0000
Received: from unknown (HELO cmgw3) (10.0.90.84) by gproxy4.mail.unifiedlayer.com with SMTP; 17 Feb 2014 18:54:07 -0000
Received: from host125.hostmonster.com ([74.220.207.125]) by cmgw3 with id Tdu31n0062is6CS01du6AS; Mon, 17 Feb 2014 18:54:06 -0700
X-Authority-Analysis: v=2.1 cv=RodWckWK c=1 sm=1 tr=0 a=Ux/kOkFFYyRqKxKNbwCgLQ==:117 a=Ux/kOkFFYyRqKxKNbwCgLQ==:17 a=DsvgjBjRAAAA:8 a=f5113yIGAAAA:8 a=d-K1uXnm4cMA:10 a=8dE94GJacnkA:10 a=UGkfVyPCAAAA:8 a=S71PjDr2FGoA:10 a=rE68L1KyjUoA:10 a=DAwyPP_o2Byb1YXLmDAA:9 a=Zr7miEi8wWIA:10 a=cKsnjEOsciEA:10 a=CjxXgO3LAAAA:8 a=48vgC7mUAAAA:8 a=4RBUngkUAAAA:8 a=1XWaLZrsAAAA:8 a=gixh_PhHDU-PWTW1PUcA:9 a=MjkDcUoFo5yP9Q5e:21 a=RWVy7Aawaag9Ay2c:21 a=QEXdDO2ut3YA:10 a=3uZdkJafswoA:10 a=VQchPmBwTIUA:10 a=wNReZwrxAf8A:10 a=c4S9Whzb7AQA:10 a=0qEjrYlnuRwA:10 a=rC2wZJ5BpNYA:10 a=lZB815dzVvQA:10 a=nsSs_srodhIA:10 a=Bm6qEjDGwGEA:10 a=yMhMjlubAAAA:8 a=SSmOFEACAAAA:8 a=6C7RrwKVwbBGpfTs:21 a=y9_PSBz55XQQh9lx:21 a=39qFx1uVXpT0N5Ag:21 a=gKO2Hq4RSVkA:10 a=UiCQ7L4-1S4A:10 a=hTZeC7Yk6K0A:10 a=frz4AuCg-hUA:10 a=tXsnliwV7b4A:10
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=reminetworks.com; s=default; h=Content-Type:MIME-Version:Message-ID:Date:Subject:In-Reply-To:References:Cc:To:From; bh=JMCLvN/rKGrtPXc/xC4TsRuSfPwvKtl8H08uHWygb/8=; b=YlQQgcaoNr6sdtDR5edFrQaD+UnfaZTJZQspYcx3f6NVWbbzfLirQWIMsMsfHEbzhpdkqqD2jXPzAiknsVp/HZNTJ4UlKsOFvs9gGtGr8EGe9Iwpi1nxpzRi9gzFY4BF;
Received: from [68.5.51.152] (port=50173 helo=HPPavilionElite) by host125.hostmonster.com with esmtpsa (TLSv1:RC4-SHA:128) (Exim 4.80) (envelope-from <donald.coffin@reminetworks.com>) id 1WFTKO-0001Xp-CC; Mon, 17 Feb 2014 11:54:04 -0700
From: Donald Coffin <donald.coffin@reminetworks.com>
To: 'Bill Mills' <wmills_92105@yahoo.com>, 'Marty Burns' <marty@hypertek.us>, oauth@ietf.org
References: <002301cf2ac2$f0053990$d00facb0$@reminetworks.com> <1392525020.7390.YahooMailNeo@web142801.mail.bf1.yahoo.com> <000e01cf2b7d$79a66c90$6cf345b0$@reminetworks.com> <0e9117b9bb80c29d3e3a53ab64392e94@mail.gmail.com> <1392616900.46009.YahooMailNeo@web142801.mail.bf1.yahoo.com> <005401cf2bac$fa684360$ef38ca20$@reminetworks.com> <1392656976.93122.YahooMailNeo@web142805.mail.bf1.yahoo.com> <008501cf2c09$f6504fe0$e2f0efa0$@reminetworks.com> <1392661360.99627.YahooMailNeo@web142803.mail.bf1.yahoo.com>
In-Reply-To: <1392661360.99627.YahooMailNeo@web142803.mail.bf1.yahoo.com>
Date: Mon, 17 Feb 2014 10:53:31 -0800
Organization: REMI Networks
Message-ID: <00a701cf2c11$8f2c1210$ad843630$@reminetworks.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_00A8_01CF2BCE.811184A0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQEnOl+8JZU1HiFwOiLE96BHahHifwH2C3usAiM9j6kCwG9IxgKKA/s1AbcqxNsBkstolgKirZe+AXuQexCbg03acA==
Content-Language: en-us
X-Identified-User: {1395:host125.hostmonster.com:reminetw:reminetworks.com} {sentby:smtp auth 68.5.51.152 authed with donald.coffin@reminetworks.com}
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/eKXzy2HMWIWttwypGncapS6bzDo
Cc: 'greenbutton-dev' <greenbutton-dev@googlegroups.com>
Subject: Re: [OAUTH-WG] Scope parameter values for "authorization_code" and "client_credentials" based access tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Feb 2014 18:54:20 -0000
Bill, Expiration of the access token is defined by the authorization server and returned to the client as part of the access token JSON response. I’m not sure I understand the “scope name” and “max allowable records” portion of your question. Can you clarify? Some of the group believe the contents of the SCOPE parameter is a suggestion to the client of the data available from the resource server and NOT a limiting value of the data a client may access. Can you comment on your interpretation of the meaning of the SCOPE parameter? Best regards, Don Donald F. Coffin Founder/CTO REMI Networks 22751 El Prado Suite 6216 Rancho Santa Margarita, CA 92688-3836 Phone: (949) 636-8571 Email: <mailto:donald.coffin@reminetworks.com> donald.coffin@reminetworks.com From: Bill Mills [mailto:wmills_92105@yahoo.com] Sent: Monday, February 17, 2014 10:23 AM To: Donald Coffin; 'Marty Burns'; oauth@ietf.org Cc: 'greenbutton-dev' Subject: Re: [OAUTH-WG] Scope parameter values for "authorization_code" and "client_credentials" based access tokens And how exactly does that apply to scope name, expiry, or max allowable records fetched? On Monday, February 17, 2014 9:59 AM, Donald Coffin <donald.coffin@reminetworks.com> wrote: Bill, Our design does not include any identifiable information be passed within the token, as the standard being implemented (Energy Service Provider Interface) has the requirement that no personal identifiable information be exchanged between Third Parties (i.e. clients) and Data Custodians (i.e. authorization and resource servers). Therefore, the tokens being generated are ubiquitous values with no direct information the recipient can use to access resource information. Best regards, Don Donald F. Coffin Founder/CTO REMI Networks 22751 El Prado Suite 6216 Rancho Santa Margarita, CA 92688-3836 Phone: (949) 636-8571 Email: donald.coffin@reminetworks.com From: Bill Mills [mailto:wmills_92105@yahoo.com] Sent: Monday, February 17, 2014 9:10 AM To: Donald Coffin; 'Marty Burns'; oauth@ietf.org Cc: 'greenbutton-dev' Subject: Re: [OAUTH-WG] Scope parameter values for "authorization_code" and "client_credentials" based access tokens Yes, token #1 with that scope could only access resource #3 and #4 in your example, the other resources don't allow that scope. The only solution in spec is to have the other resource owners allow a scope that token #1 has. You're apparently overloading a bunch of stuff in the scope that most would put in the access token. Are you trying to give a hint to the client about the token? On Sunday, February 16, 2014 10:54 PM, Donald Coffin <donald.coffin@reminetworks.com> wrote: Bill, We understand, per [RFC 6749], the granted SCOPE does not have to match the requested SCOPE, however, in our application a client does an exchange of supported Authorization Server Scopes to ensure the resource owner is NOT asked by the client to select a SCOPE parameter the Authorization Server will be forced to override. We also understand, per [RFC 6740], the SCOPE parameter is a space delimited list. Therefore, the following two examples are not the same: · FB=4_5_15;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13;BR=04 · FB=4_5_15 IntervalDuration=900 BlockDuration=monthly HistoryLength=13 BR=04 The first string represents a single SCOPE parameter, but the second string represents five (5) different SCOPE parameters. Our original definition of the SCOPE string used commas (“,”) where the first example has semi-colons (“;”), however, we found the Spring Security OAuth 2.0 framework treats commas as blanks to support a Facebook SCOPE implementation. This has recently been refactored to support the [RFC 6749] SCOPE definition, as it was found that though Facebook’s documentation calls for commas as SCOPE parameter separators, this was never implemented by Facebook. The following table defines a potential table of access tokens based on granted SCOPE strings: Owner SCOPE Grant Type Access Token Accessible by Access Token Client FB=4_5_16;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13;BR=05 Client_credentials Token 1 NA** RO 1 FB=4_5_15;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13;BR=04 Code Token 2 Token 2 RO 1 FB=4_5_16;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13;BR=04 Code Token 3 Token 3 RO 2 FB=4_5_15;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13;BR=05 Code Token 4 Token 4 RO 3 FB=4_5_16;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13;BR=05 Code Token 5 Token 5 & Token 1 RO 4 FB=4_5_16;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13;BR=05 Code Token 6 Token 6 & Token 1 ** Token 1 is owned by the client and therefore does NOT own any resources for which access can be authorized. The question we are attempting to resolve is which resources can the owner of Token 1 access given the above table? If the owner of Token 1 is allowed to access ALL resources represented by Tokens 2 – 6, then we do not need to worry about identifying which resources can be accessed by using Token 1. However, if Token 1 can only be used to access the resources authorized by resource owner (RO) 3 and 4, then what is the criteria that must be used to validate that Token 1, when used, is able to access the requested resource? Best regards, Don Donald F. Coffin Founder/CTO REMI Networks 22751 El Prado Suite 6216 Rancho Santa Margarita, CA 92688-3836 Phone: (949) 636-8571 Email: donald.coffin@reminetworks.com From: Bill Mills [mailto:wmills_92105@yahoo.com] Sent: Sunday, February 16, 2014 10:02 PM To: Marty Burns; Donald Coffin; oauth@ietf.org Cc: greenbutton-dev Subject: Re: [OAUTH-WG] Scope parameter values for "authorization_code" and "client_credentials" based access tokens The scope requested does not have to match the scope granted. Also note that space is the scope separator per the spec, so BR=04 is not equal to FB=4_5_15;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13;BR=04 but it's your implementation of how you want to interpret scopes. On Sunday, February 16, 2014 5:36 PM, Marty Burns <marty@hypertek.us> wrote: Don, Good comment. One point – the authorizations covered by BulkId=04 would have Scopes of: FB=4_5_15;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13;BR=04 Marty From: greenbutton-dev@googlegroups.com [mailto:greenbutton-dev@googlegroups.com] On Behalf Of Donald Coffin Sent: Sunday, February 16, 2014 8:14 PM To: 'Bill Mills'; oauth@ietf.org Cc: 'greenbutton-dev' Subject: RE: [OAUTH-WG] Scope parameter values for "authorization_code" and "client_credentials" based access tokens Bill, Thanks for your reply, but I’m not sure you fully understand the situation I am attempting to resolve. For example, does an access token obtained via the “client_credentials” request with the following SCOPE parameter: BulkID=04 allow a client to ask for resources when the individual access token contained the following SCOPE parameter: FB=4_5_15;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13 The question is what individual access token authorization should be covered by the “client_credentials” based access token? Best regards, Don Donald F. Coffin Founder/CTO REMI Networks 22751 El Prado Suite 6216 Rancho Santa Margarita, CA 92688-3836 Phone: (949) 636-8571 Email: donald.coffin@reminetworks.com From: Bill Mills [mailto:wmills_92105@yahoo.com] Sent: Saturday, February 15, 2014 8:30 PM To: Donald Coffin; oauth@ietf.org Cc: greenbutton-dev Subject: Re: [OAUTH-WG] Scope parameter values for "authorization_code" and "client_credentials" based access tokens To tokens themselves don't differ based on how they are obtained unless you want them to. No requirement to match scope to the client ID either, but again it's up to you. You do want to get this right. The challenge here is that your resource servers have to get updated to support new scopes. If they support auto-updates then it's not quite as big a deal but it's still non-trivial. -bill On Saturday, February 15, 2014 7:01 PM, Donald Coffin <donald.coffin@reminetworks.com> wrote: I would like to get the views and comments of the OAuth 2.0 IETF WG on the following design and implementation question: I have an application that supports both “authorization_code” and “client_credentials” based access tokens. The application allows a client to obtain data on a nightly basis for resource owners who have granted the application access to their data. The client application retrieves energy usage information and can potentially need to retrieve data from a few accounts to several million accounts. In order to eliminate the need for the client application to request the data from the resource server one account at a time, the client application has been designed to support “client_credentials” based access tokens. Per [RFC 6749 Section 4.4 – “Client Credentials Grant”] The use of the “client_credentials” based access token will allow the client application to obtain access to the data with a single request, thus significantly reducing the amount of network traffic for both the client and the resource server. The question the design team is struggling with is what should the Scope string be for the “client_credentials” based access token and should there be a single access token or can there be multiple “client_credentials” based access tokens? The client application currently supports the following Scope definitions: · FB=4_5_15;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13 · FB=4_5_16;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13 There are several allowable values for the FB=, IntervalDuration=, BlockDuration=, and HistoryLength= values. At the moment, there are only two defined Scope values, but as you can see, there could easily be many more potential possibilities. The question being discussed, is does the “client_credentials” access token request Scope parameter need to match either of the above two strings or can it be something altogether different? In the event the “client_credentials” access token request Scope parameter needs to match a defined Scope string, does that mean that there MUST be multiple “client_credentials” based access tokens? Thanks in advance for helping clarify our understanding of the relationship between “authorization_code” and “client_credentials” based access tokens. Best regards, Don Donald F. Coffin Founder/CTO REMI Networks 22751 El Prado Suite 6216 Rancho Santa Margarita, CA 92688-3836 Phone: (949) 636-8571 Email: donald.coffin@reminetworks.com _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth -- You received this message because you are subscribed to the Google Groups "greenbutton-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to greenbutton-dev+unsubscribe@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
- [OAUTH-WG] Scope parameter values for "authorizat… Donald Coffin
- Re: [OAUTH-WG] Scope parameter values for "author… Bill Mills
- Re: [OAUTH-WG] Scope parameter values for "author… Donald Coffin
- Re: [OAUTH-WG] Scope parameter values for "author… Bill Mills
- Re: [OAUTH-WG] Scope parameter values for "author… Donald Coffin
- Re: [OAUTH-WG] Scope parameter values for "author… Bill Mills
- Re: [OAUTH-WG] Scope parameter values for "author… Donald Coffin
- Re: [OAUTH-WG] Scope parameter values for "author… Bill Mills
- Re: [OAUTH-WG] Scope parameter values for "author… Donald Coffin
- Re: [OAUTH-WG] Scope parameter values for "author… Marty Burns