IETF Logo Mail Archive

Re: [OAUTH-WG] Registration: Scope Values

Tim Bray <twbray@google.com> Mon, 15 April 2013 16:55 UTC

Return-Path: <twbray@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 531FD21F9607 for <oauth@ietfa.amsl.com>; Mon, 15 Apr 2013 09:55:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.977
X-Spam-Level:
X-Spam-Status: No, score=-101.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nmMbuSYP2ifg for <oauth@ietfa.amsl.com>; Mon, 15 Apr 2013 09:55:09 -0700 (PDT)
Received: from mail-ia0-x232.google.com (mail-ia0-x232.google.com [IPv6:2607:f8b0:4001:c02::232]) by ietfa.amsl.com (Postfix) with ESMTP id DB9B321F93E5 for <oauth@ietf.org>; Mon, 15 Apr 2013 09:55:08 -0700 (PDT)
Received: by mail-ia0-f178.google.com with SMTP id w21so2810459iac.9 for <oauth@ietf.org>; Mon, 15 Apr 2013 09:55:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=lzqp5TV98E/ak1nhSGr3gzarBq828IK/eEaCJxQdoNs=; b=jURjWfDeKhDTZrGf4z7c9qrKO04rRmd0CRUTlytQJVoWzGJD9Kofa6r3aX37AQYYxK 0JTos+eTYiV9LL1m2PIv0M5sVl3QPH/iA7ZIZfmwUx5k3bFKgPaF2a2Iy1T62rA9k4dL HqDlqzgfPPlwCYrF7SGL5YR4ywnyeQn7YsrudxYLGgu9PTRIPbBTqMgk+NAc/MlqIroz YQbSMT6w39Dm1U5tEM/+bZeip+c6weOSlevDHulFgbOKsMo4kUTRkWJ37s96zf0hW4O9 UjgjYXnq+iZziko0Kfbd9DwyloulYyvbIbppW1BtELRTrSpcsh3+WtXCnnhMT1CDJTXh C+kg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:cc:content-type:x-gm-message-state; bh=lzqp5TV98E/ak1nhSGr3gzarBq828IK/eEaCJxQdoNs=; b=PAlO6KL/+j76H38wLFQ1NK0KAAWIQy4RXeNxqKjXfZim9v5CPZj+24gtWU2mW3ZIn6 VOhhemuZQIFHFtg4SHm2paFJddCDpnhYxF002Y1UthHEmmtJj4bD6JZ5JDWk0cewfxy/ DI5bbLKgU4Fcq6LCtyrsHXxHXoM01TgGvQolYlJ4CXoCJxMkpSml0Jc+luR13J4aINv8 oNfUe2iWdKk6r18ufE8z8vgG/xEANAKh1rYT7Ymbs/5GWCl/LxJlX0CJL235fQNTw/zQ vgr3mmmBA6sK3s1DgYJogrWAsKWKGjtKJdhBn2P9z40d2cWN57J7pN7s4IS8ko/3nc+l 3HJg==
X-Received: by 10.50.72.83 with SMTP id b19mr5626657igv.71.1366044908415; Mon, 15 Apr 2013 09:55:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.31.35 with HTTP; Mon, 15 Apr 2013 09:54:38 -0700 (PDT)
In-Reply-To: <4E1F6AAD24975D4BA5B168042967394367641A87@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <255B9BB34FB7D647A506DC292726F6E1150C74DADA@WSMSG3153V.srv.dir.telstra.com> <516C069F.9090308@mitre.org> <CA+ZpN26NJj7T8V0WYNnVi2O1EhwKqDbk3zBcJoNkgk5PM6N5+Q@mail.gmail.com> <516C0B9D.6000402@mitre.org> <CA+ZpN27UCw=MpD+CPGTEaGFaQe5qFJm00jRVeW5FuB0MAk8D0A@mail.gmail.com> <516C101F.2090706@mitre.org> <CA+ZpN27KNr0TLsAjt29PCQXqfFYkzP7Fr7y_2wibHfVu3R=UMA@mail.gmail.com> <516C1714.8070503@mitre.org> <4E1F6AAD24975D4BA5B168042967394367641A87@TK5EX14MBXC283.redmond.corp.microsoft.com>
From: Tim Bray <twbray@google.com>
Date: Mon, 15 Apr 2013 09:54:38 -0700
Message-ID: <CA+ZpN26Y6RU2KK=yB8LPQXYD-W62P+kdieqaqfwZ2Nnrno65Kg@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="047d7bdc19d483887104da691d1d"
X-Gm-Message-State: ALoCoQm4ltK/vIM2UK1yznVtzr9rds1Mma77PSjD6rgoD8IFmniVMK9EvD6z1fffoYxpIdChMm2mL8S5sXZ44TxgUPH2rkGTHdp/grNN6SJ1p61Gdo7M0F/bIE43dnML2XKXs/SQ4duok+DWCwt/S5lpl7bKL4/zW2lB8tV6+PnpOkogD041yeD42xd2gSXnFxXmLM3PE1+n
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Registration: Scope Values
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2013 16:55:10 -0000

On Mon, Apr 15, 2013 at 9:44 AM, Mike Jones <Michael.Jones@microsoft.com>wrote:

>  So I’d propose that we leave the existing scope wording in place.
> Alternatively, I’d also be fine with deleting this feature entirely, as I
> don’t think it’s useful in the general case.
>

I think we might well have a use for this, so that’s something of an
existence proof.  So I’d prefer if we could leave it in. -T



>
> ** **
>
>                                                             -- Mike****
>
> ** **
>
> *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On Behalf
> Of *Justin Richer
> *Sent:* Monday, April 15, 2013 8:05 AM
> *To:* Tim Bray; oauth@ietf.org
>
> *Subject:* Re: [OAUTH-WG] Registration: Scope Values****
>
>  ** **
>
> On 04/15/2013 10:52 AM, Tim Bray wrote:
>
> ****
>
> I’d use the existing wording; it’s perfectly clear.  Failing that, if
> there’s strong demand for registration of structured scopes, bless the use
> of regexes, either PCREs or some careful subset.****
>
>
> Thanks for the feedback -- Of these two choices, I'd rather leave it
> as-is.
>
>
> ****
>
> ** **
>
> However, I’d subtract the sentence “If omitted, an Authorization Server
> MAY register a Client with a default set of  scopes.”  It adds no value; if
> the client doesn’t declare scopes, the client doesn’t declare scopes,
> that’s all.  -T****
>
>
> Remember, all of these fields aren't just for the client *request*,
> they're also for the server's *response* to either a POST, PUT, or GET
> request. (I didn't realize it, but perhaps the wording as stated right now
> doesn't make that clear -- I need to fix that.) The value that it adds is
> if the client doesn't ask for any particular scopes, the server can still
> assign it scopes and the client can do something smart with that. Dumb
> clients are allowed to ignore it if it doesn't mean anything to them.
>
> This is how our server implementation actually works right now. If the
> client doesn't ask for anything specific at registration, the server hands
> it a bag of "default" scopes. Same thing happens at auth time -- if the
> client doesn't ask for any particular scopes, the server hands it all of
> its registered scopes as a default. Granted, on our server, scopes are just
> simple strings right now, so they get compared at the auth endpoint with an
> exact string-match metric and set-based logic.
>
>  -- Justin
>
>
> ****
>
> ** **
>
> On Mon, Apr 15, 2013 at 7:35 AM, Justin Richer <jricher@mitre.org> wrote:*
> ***
>
> What would you suggest for wording here, then? Keeping in mind that we
> cannot (and don't want to) prohibit expression-based scopes.
>
>  -- Justin ****
>
> ** **
>
> On 04/15/2013 10:33 AM, Tim Bray wrote:****
>
>  No, I mean it’s not interoperable at the software-developer level.  I
> can’t register scopes at authorization time with any predictable effect
> that I can write code to support, either client or server side, without
> out-of-line non-interoperable knowledge about the behavior of the server.
> ****
>
> ** **
>
> I guess I’m just not used to OAuth’s culture of having no expectation that
> things will be specified tightly enough that I can write code to implement
> as specified.  -T****
>
> ** **
>
> On Mon, Apr 15, 2013 at 7:15 AM, Justin Richer <jricher@mitre.org> wrote:*
> ***
>
> Scopes aren't meant to be interoperable between services since they're
> necessarily API-specific. The only interoperable bit is that there's *some*
> place to put the values and that it's expressed as a bag of space-separated
> strings. How those strings get interpreted and enforced (which is really
> what's at stake here) is up to the AS and PR (or a higher-level protocol
> like UMA).
>
>  -- Justin ****
>
> ** **
>
> On 04/15/2013 10:13 AM, Tim Bray wrote:****
>
> This, as written, has zero interoperability.  I think this feature can
> really only be made useful in the case where scopes are fixed strings.****
>
> -T****
>
> On Apr 15, 2013 6:54 AM, "Justin Richer" <jricher@mitre.org> wrote:****
>
> You are correct that the idea behind the "scope" parameter at registration
> is a constraint on authorization-time scopes that are made available. It's
> both a means for the client to request a set of valid scopes and for the
> server to provision (and echo back to the client) a set of valid scopes.
>
> I *really* don't want to try to define a matching language for scope
> expressions. For that to work, all servers would need to be able to process
> the regular expressions for all clients, even if the servers themselves
> only support simple-string scope values. Any regular expression syntax we
> pick here is guaranteed to be incompatible with something, and I think the
> complexity doesn't buy much. Also, I think you suddenly have a potential
> security issue if you have a bad regex in place on either end.
>
> As it stands today, the server can interpret the incoming registration
> scopes and enforce them however it wants to. The real trick comes not from
> assigning the values to a particular client but to enforcing them, and I
> think that's always going to be service-specific. We're just not as clear
> on that as we could be.
>
> After looking over everyone's comments so far, I'd like to propose the
> following text for that section:
>
> ****
>
>    scope****
>
>       OPTIONAL.  Space separated list of scope values (as described in****
>
>       OAuth 2.0 Section 3.3 [RFC6749] <http://tools.ietf.org/html/rfc6749#section-3.3>) that the client can use when ****
>
>       requesting access tokens.  As scope values are service-specific, ****
>
>       the Authorization Server MAY define its own matching rules when****
>
>       determining if a scope value used during an authorization request****
>
>       is valid according to the scope values assigned during ****
>
>       registration. Possible matching rules include wildcard patterns,****
>
>       regular expressions, or exactly matching the string. If omitted, ****
>
>       an Authorization Server MAY register a Client with a default ****
>
>       set of scopes.****
>
>
> Comments? Improvements?
>
>  -- Justin
>
> ****
>
> On 04/14/2013 08:23 PM, Manger, James H wrote:****
>
> Presumably at app registration time any scope specification is really a constraint on the scope values that can be requested in an authorization flow.****
>
> ** **
>
> So ideally registration should accept rules for matching scopes, as opposed to actual scope values.****
>
> ** **
>
> You can try to use scope values as their own matching rules. That is fine for a small set of "static" scopes. It starts to fail when there are a large number of scopes, or scopes that can include parameters (resource paths? email addresses?). You can try to patch those failures by allowing services to define service-specific special "wildcard" scope values that can only be used during registration (eg "read:*").****
>
> ** **
>
> Alternatively, replace 'scope' in registration with 'scope_regex' that holds a regular expression that all scope values in an authorization flow must match.****
>
> ** **
>
> --****
>
> James Manger****
>
> _______________________________________________****
>
> OAuth mailing list****
>
> OAuth@ietf.org****
>
> https://www.ietf.org/mailman/listinfo/oauth****
>
>  ** **
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth****
>
> ** **
>
> ** **
>
> ** **
>
> ** **
>
> ** **
>

v2.23.0 | Report a Bug | By Email