Re: [OAUTH-WG] resource server id needed?
Torsten Lodderstedt <torsten@lodderstedt.net> Thu, 15 July 2010 22:49 UTC
On 15.07.2010 20:14, Marius Scurtescu wrote:
> On Thu, Jul 15, 2010 at 10:03 AM, Torsten Lodderstedt
> <torsten@lodderstedt.net> wrote:
>
>> As I have written in my reply to Marius's posting, I'm fine with including
>> server ids in scopes. But this requires a definition of the scope's syntax
>> and semantics in the spec. Otherwise, scope interpretation (and server
>> identification) will be deployment specific.
>>
> Sure, it is deployment specific, but why is that an issue?
>
> In your case, the authz server and all the resource servers are
> managed by the same organization, right?
>
> Do clients need to be aware of the actual resource server?
>
> You can probably create a separate spec that defines scope syntax for
> this purpose, if really needed. Does it have to be in core?
>
> Marius
>
Solving the challenge I described in a deployment specific way is not an
issue. But the consequence is that authz server, resource servers and
clients are tied together.
Let me ask you one question: Why are we working together towards a
standard protocol? I can tell you my expectations: I hope there will be
broad support not only by libraries, but also by ready-to-use services
and clients, so we could integrate such services into our deployment
easily. Moreover, I would like to see OAuth included in
application/service protocols like PortableContacts, SIP, WebDAV, IMAP, ...
So what if I would like to use standard clients to access our services?
Using scopes for specifying resource server ids in this case is also
simple - if you take an isolated view. But since scopes may be used to
specify a lot of other things, like resources, permissions, and
durations, handling w/o a more detailed spec will in practice be impossible.
Suppose a WebDAV service for media data access. Any WebDAV client knows
the WebDAV protocol (== interface), e.g. the supported methods (GET,
PUT, POST, DELETE, COPY, MOVE) and how to traverse directories. So it is
sufficient to configure the client with the URL of my personal web
storage. To start with let's assume, scopes are used to designate
resource servers only. So the server's scope could be "webstorage".
WWW-Authenticate OAuth realm='webstorage' scope="webstorage"
The client could just pass this parameter to the authz server and
everything is fine.
On the next level, let's assume the (future) WebDAV standard with
OAuth-support uses one permission per method type. So the full scope
could be as follows:
WWW-Authenticate OAuth realm='webstorage' scope="webstorage:GET
webstorage:PUT webstorage:POST webstorage:DELETE webstorage:COPY
webstorage:MOVE"
Passing this scope unmodified to the authz server is not an
issue. But this implies the client asks for full access to the user's
media storage. Since our client is a gallery application, it requires
the "GET" permission only. How does the client know which of the scope
values to pick for the end-user authorization process? It must somehow
select "webstorage:GET".
But how?
In my personal opinion, clients should be enabled to interpret, combine
and even create scopes. And yes, this should go to the core of the spec.
regards,
Torsten.
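As an added example (not code from the mail, nor from any OAuth library), here is how a gallery client could parse the challenge above and request only the scope it needs, assuming the hypothetical "<server>:<permission>" scope syntax the mail sketches; the challenge string is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed challenge modelled on the one in the mail; not from any real server.
CHALLENGE = ("OAuth realm='webstorage' scope=\"webstorage:GET webstorage:PUT "
             "webstorage:POST webstorage:DELETE webstorage:COPY webstorage:MOVE\"")

# name=value pairs; value is double-quoted, single-quoted, or a bare token
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s,]+))')


def parse_challenge(header):
    """Split a WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = header.strip().partition(' ')
    params = {}
    for m in _PARAM_RE.finditer(rest):
        params[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return scheme, params


def parse_scope(scope_value):
    """Assumed '<server>:<permission>' syntax (hypothetical): map each resource
    server id to the permissions it offers. A bare token without a colon is a
    server id with no permission breakdown, as in the first 'webstorage' case."""
    servers = defaultdict(set)
    for token in scope_value.split():
        server, sep, perm = token.partition(':')
        if sep:
            servers[server].add(perm)
        else:
            servers[server]  # create the entry with an empty permission set
    return dict(servers)


def select_scope(scope_value, needed):
    """Return only the scope values the client needs (least privilege).
    `needed` maps server id -> required permissions. If the server does not
    offer a required permission, fail closed rather than asking for everything."""
    offered = parse_scope(scope_value)
    chosen = []
    for server, perms in needed.items():
        missing = set(perms) - offered.get(server, set())
        if missing:
            raise ValueError(f'{server} does not offer {sorted(missing)}')
        chosen.extend(f'{server}:{p}' for p in perms)
    return ' '.join(chosen)


if __name__ == '__main__':
    _, params = parse_challenge(CHALLENGE)
    print(select_scope(params['scope'], {'webstorage': ['GET']}))  # webstorage:GET
```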