IETF Logo Mail Archive

Re: [OAUTH-WG] Registration: Scope Values

Justin Richer <jricher@mitre.org> Fri, 12 April 2013 19:48 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14C5121F8D40 for <oauth@ietfa.amsl.com>; Fri, 12 Apr 2013 12:48:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yV3bWYNtXvLr for <oauth@ietfa.amsl.com>; Fri, 12 Apr 2013 12:48:37 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 5385421F8C3C for <oauth@ietf.org>; Fri, 12 Apr 2013 12:48:37 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id E3B0B1F0627; Fri, 12 Apr 2013 15:48:36 -0400 (EDT)
Received: from IMCCAS02.MITRE.ORG (imccas02.mitre.org [129.83.29.79]) by smtpksrv1.mitre.org (Postfix) with ESMTP id C9DA61F061E; Fri, 12 Apr 2013 15:48:36 -0400 (EDT)
Received: from [10.146.15.29] (129.83.31.58) by IMCCAS02.MITRE.ORG (129.83.29.79) with Microsoft SMTP Server (TLS) id 14.2.342.3; Fri, 12 Apr 2013 15:48:36 -0400
Message-ID: <5168650F.1070709@mitre.org>
Date: Fri, 12 Apr 2013 15:48:31 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130308 Thunderbird/17.0.4
MIME-Version: 1.0
To: Donald F Coffin <donald.coffin@reminetworks.com>
References: <51685177.8060603@mitre.org> <00c901ce37b5$443c3dd0$ccb4b970$@reminetworks.com>
In-Reply-To: <00c901ce37b5$443c3dd0$ccb4b970$@reminetworks.com>
Content-Type: multipart/alternative; boundary="------------050908030801070105030207"
X-Originating-IP: [129.83.31.58]
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Registration: Scope Values
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2013 19:48:40 -0000

The question refers to the Dynamic Registration draft specifically, 
since that's what's still editable. RFC6749 treats scopes as bags of 
strings that are specific to the API that they're protecting, which lets 
them be either static strings or expressions (or, really, whatever you 
like them to be). The problem is that the Dynamic Registration draft 
isn't defining just the conveyance of the scope string during the 
authorization process, it's got to have language on what a scope is 
*for* in order for it to make sense in registration. In other words, 
what does it mean to be "registered" with a scope? What does it mean to 
ask for a scope at registration time? What does it mean for a server to 
"grant" a scope at registration time?

I had thought that the current language (which is mostly lifted from 
RFC6749) was sufficient, but there's been question as to its intent, so 
I want to make sure that it's very clear that Dynamic Registration is as 
hands-off about scope values as RFC6749 is.

  -- Justin

On 04/12/2013 03:38 PM, Donald F Coffin wrote:
>
> Justin,
>
> While I understand the need to clarify the usage of the scope 
> metadata, I'm not clear on whether your question refers to the Dynamic 
> Registration draft or to RFC 6749?
>
> The current language of the Dynamic Registration draft to describe the 
> scope metadata usage is the same language used to describe the scope 
> parameter that appears in Section 3.3 of RFC 6749.  If the Dynamic 
> Registration draft uses language different than what is contained in 
> the scope parameter definition of RFC 6749 additional confusion about 
> the usage of the scope parameter may arise.  Perhaps the best way to 
> address the issue within the Dynamic Registration draft is to provide 
> an explanation.  The examples you provided in your posting could 
> easily be included in the Dynamic Registration draft and would achieve 
> the desired effect of demonstrating how the OAuth 2.0 scope parameter 
> might be used.
>
> Best regards,
>
> Don
>
> Donald F. Coffin
>
> Founder/CTO
>
> REMI Networks
>
> 22751 El Prado Suite 6216
>
> Rancho Santa Margarita, CA  92688-3836
>
> Phone: (949) 636-8571
>
> Email: donald.coffin@reminetworks.com 
> <mailto:donald.coffin@reminetworks.com>
>
> *From:*Justin Richer [mailto:jricher@mitre.org]
> *Sent:* Friday, April 12, 2013 11:25 AM
> *To:* oauth@ietf.org
> *Subject:* [OAUTH-WG] Registration: Scope Values
>
> Currently, the Dynamic Registration draft defines a "scope" value as 
> part of the client metadata table, with the following definition:
>
>     scope
>        OPTIONAL.  Space separated list of scope values (as described in
>        OAuth 2.0Section 3.3 [RFC6749]  <http://tools.ietf.org/html/rfc6749#section-3.3>) that the client is declaring that
>        it may use when requesting access tokens.  If omitted, an
>        Authorization Server MAY register a Client with a default set of
>        scopes.
>
>
> The idea here is that a client can request a particular set of 
> available scopes from the AS (analogous as to what's available from 
> many/most manual registration pages today), and the AS can communicate 
> back to the client what scopes it's allowed to ask for at authz time. 
> In a strictly-enforced implementation, the client wouldn't be able to 
> ask for any scopes that it wasn't registered for in the first place.
>
> However, it's been brought up in some side conversations that the 
> language as found in the DynReg spec might get in the way of people 
> using the "scope" field as an expression language. That is to say, you 
> could have a scope like "send_email_to:myaddress@email.com" 
> <mailto:send_email_to:myaddress@email.com> where the email address 
> portion is variable, or something like "read:*" which stands in for 
> any scopes starting with "read:" like "read:profile", "read:lists", 
> etc. Precluding this behavior wasn't my intent, and a liberal 
> interpretation of the text as-written would (I believe) lead to this 
> being perfectly OK. Namely:
>
> Client requests and is granted a service specific scope value like 
> "send_email_to" in registration. At runtime, the client knows how to 
> turn "send_email_to" into "send_email_to:myaddress@email.com" 
> <mailto:send_email_to:myaddress@email.com>, and the AS knows that a 
> client that's been granted "send_email_to" can ask for 
> "send_email_to:myaddress@email.com" 
> <mailto:send_email_to:myaddress@email.com>. The fact that 
> "send_email_to" expands into an expression language is something 
> specific to the service, and I personally think it's up to the service 
> to document "register for this" and "ask for this at authn time" for 
> clients, since this is all part of the API more than it is part of the 
> underlying OAuth protocol. OAuth merely provides a handy place to 
> communicate these values in an interoperable way, the values 
> themselves aren't intended to be interoperable.
>
>
> But my question to the group is simple: how can we rework the "scope" 
> metadata claim such that it works in both the simple "bag of discreet 
> strings" approach to scope as well as the "list of expressions" 
> approach? Does the language need to change at all?
>
>  -- Justin
>

v2.23.0 | Report a Bug | By Email