IETF Logo Mail Archive

Re: [OAUTH-WG] 'Scope' parameter proposal

Brian Eaton <beaton@google.com> Thu, 22 April 2010 17:49 UTC

Return-Path: <beaton@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 06E0728C20E for <oauth@core3.amsl.com>; Thu, 22 Apr 2010 10:49:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.77
X-Spam-Level:
X-Spam-Status: No, score=-100.77 tagged_above=-999 required=5 tests=[AWL=-1.207, BAYES_40=-0.185, FM_FORGED_GMAIL=0.622, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZX8XheErZ0Lj for <oauth@core3.amsl.com>; Thu, 22 Apr 2010 10:49:26 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id 9BD8E3A683F for <oauth@ietf.org>; Thu, 22 Apr 2010 10:36:21 -0700 (PDT)
Received: from kpbe17.cbf.corp.google.com (kpbe17.cbf.corp.google.com [172.25.105.81]) by smtp-out.google.com with ESMTP id o3MHa8hf001753 for <oauth@ietf.org>; Thu, 22 Apr 2010 19:36:09 +0200
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1271957769; bh=cGfQ7njc9pYvImMo0m0w5AKMF6Q=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=aY43w3zcu6WEc2LbWnXDwyLEApmJB2DBOl7M8xZ2w5UWj8J62WNkbDOLczM48k3Ik N+ohlr1k3yJUp1C6DQBAg==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:date:message-id:subject:from:to: cc:content-type:x-system-of-record; b=lW4FRxXQCo7ncp+nyASy4uyaw2K0VK0Wayua1pWPo46gWev+hjqa7yL9mBZHzQK4q tR/iogKvn6r1f39XtlCfw==
Received: from pvf33 (pvf33.prod.google.com [10.241.210.97]) by kpbe17.cbf.corp.google.com with ESMTP id o3MHa7sq004311 for <oauth@ietf.org>; Thu, 22 Apr 2010 10:36:07 -0700
Received: by pvf33 with SMTP id 33so2024870pvf.2 for <oauth@ietf.org>; Thu, 22 Apr 2010 10:36:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.142.202.10 with HTTP; Thu, 22 Apr 2010 10:36:06 -0700 (PDT)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723438E5C7F30A@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <C7F1D1FC.32809%eran@hueniverse.com> <0D5497F5-75A7-4A42-9A5E-9C2310162B18@jkemp.net> <90C41DD21FB7C64BB94121FBBC2E723438E5C7F30A@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Thu, 22 Apr 2010 10:36:06 -0700
Received: by 10.142.201.20 with SMTP id y20mr4884638wff.63.1271957767021; Thu, 22 Apr 2010 10:36:07 -0700 (PDT)
Message-ID: <g2mdaf5b9571004221036j5d6837f6z4d7959d69a3cbb2b@mail.gmail.com>
From: Brian Eaton <beaton@google.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: text/plain; charset="ISO-8859-1"
X-System-Of-Record: true
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] 'Scope' parameter proposal
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Apr 2010 17:49:27 -0000

On Mon, Apr 19, 2010 at 3:17 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
>> The scope doesn't have to match the base URI of the resource which the
>> client tried and got the 401 from?
>
> That's a security issue we need to address (when to trust the resource server and reuse an existing token). We need to figure it out either way.

Are you sure we need to figure this out?  Is it even possible to figure it out?

I'm very skeptical of attempts to automatically determine which tokens
go with which resources.  There are no examples in the wild of people
doing this.  There have been a few proposals for techniques, all of
which have turned out to either be really complicated, or to have
fundamental security problems.  Or both.

I'd rather we didn't put stuff in the OAuth 2 spec that we aren't 100%
sure is going to work.  Ideally there should be lots of examples in
production.

I do like the idea of defining the scope parameter to be a delimited
list of otherwise opaque strings.  Several service providers have
already adopted this approach, and it seems to work reasonably well.
This would even work for the complex scope definitions that Eve and
Chase have brought up.

Defining scope to be a list of strings would also enable the "least
privilege" principal that Torsten mentioned, because once someone has
a token, there would be a well-defined way of reducing the scopes in
the token.  But it's probably too soon to actually add a "privilege
drop" call to the spec - as far as I know, no one has actually built
this yet.

Cheers,
Brian

v2.23.0 | Report a Bug | By Email