[OAUTH-WG] 'Scope' parameter proposal

Eran Hammer-Lahav <eran@hueniverse.com> Mon, 19 April 2010 16:44 UTC


Proposal:

'scope' is defined as a comma-separated list of resource URIs or resource
groups (e.g. contacts, photos). The server can provide a list of values for
the client to use in its documentation, or the client can use the URIs or
scope identifier of the protected resources it is trying to access (before
or after getting a 401 response).

For example:

1. Client requests resource

    GET /resource HTTP/1.1
    Host: example.com

2. Server requires authentication

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Token realm='Example', scope='x2'

3. Client requests an access token by including scope=x2 in the request

Alternatively, the client can ask for an access token with
scope=http://example.com/resource.

If the client needs access to two resources with different scopes, it
requests an access token for scope=x2,x1.

That's it!

It allows the client to figure out what value to put in the scope parameter
and how to encode multiple scopes without any server-specific documentation.
Servers that wish to rely exclusively on paperwork can just omit the scope
parameter from the WWW-Authenticate header.

We can pick a different separator (space, semicolon, etc.) or different
parameter name (resource(s)).

EHL
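An added client-side illustration of the proposal (example code written for this page, not part of Eran's message): it parses the `Token` challenge from the 401 response, collects the scope identifiers from one or more challenges, and form-encodes the comma-separated `scope` value for the token request. It assumes the challenge may quote values with single quotes (as in the message above) or the RFC 2617 double quotes, and that scope identifiers themselves contain no commas.

```python
import re
from urllib.parse import urlencode

# auth-param as name=value, value quoted with ' or " or left bare.
# Single quotes are accepted because the proposal's example uses them.
_PARAM_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s,]+))""")


def parse_token_challenge(header: str) -> dict:
    """Return the auth-params of a 'Token' WWW-Authenticate challenge."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "token":
        raise ValueError(f"unsupported challenge scheme: {scheme}")
    parsed = {}
    for m in _PARAM_RE.finditer(params):
        # exactly one of the three value groups matched
        parsed[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return parsed


def scopes_from_challenge(header: str) -> list:
    """Split the comma-separated scope value into individual identifiers.
    A challenge without a scope param yields [] (server relies on docs)."""
    scope = parse_token_challenge(header).get("scope", "")
    return [s.strip() for s in scope.split(",") if s.strip()]


def merge_scopes(*scope_lists) -> str:
    """Combine scopes gathered from several 401 responses into one
    comma-separated value, de-duplicated, first-seen order preserved."""
    merged = []
    for scopes in scope_lists:
        for s in scopes:
            if s not in merged:
                merged.append(s)
    return ",".join(merged)


def token_request_body(scope: str) -> str:
    """Form-encode the scope for the access-token request; the comma
    separator becomes %2C on the wire and is decoded by the server."""
    return urlencode({"scope": scope})


if __name__ == "__main__":
    # constructed sample challenges, mirroring the message's example
    first = "Token realm='Example', scope='x2'"
    second = 'Token realm="Example", scope="x1,http://example.com/resource"'
    combined = merge_scopes(scopes_from_challenge(first), scopes_from_challenge(second))
    print(token_request_body(combined))
```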