Re: [OAUTH-WG] Requesting multiple scopes, but user authorizes not all

David Primmer <primmer@google.com> Wed, 01 December 2010 21:17 UTC

In-Reply-To: <20101126094122.53764oqlukyiow4y@ugs.tarent.de>
References: <20101126094122.53764oqlukyiow4y@ugs.tarent.de>
From: David Primmer <primmer@google.com>
Date: Wed, 01 Dec 2010 13:17:55 -0800
Message-ID: <AANLkTimuYhfNUNN0DDV9-Pa-_SP-c=Fb+jgkJd7aV=Pq@mail.gmail.com>
To: Martin Ley <m.ley@tarent.de>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Requesting multiple scopes, but user authorizes not all

As Eran pointed out, the way you've formatted your scope request,
you've only specified one scope and I'd guess to keep things simple
and consistent can either be approved or denied. I don't have a spec
reference about what happens when the user doesn't approve but I
assume the response is sent to the callback URL.

Now, what I heard in your email was a question about best practices.
The developer requests a number of scopes and the approval page on the
authorization server allows the user to select which of those they
approve and reject the rest. I don't think this is the way that
this sort of thing has been implemented for the most part. It's an
all-or-none deal on most of the larger providers these days. Microsoft
initially had a multiple choice UI for OAuth 1 but I think they've
abandoned that.

So the real question is: how do you make sure the developer sends
exactly what the user is prepared to approve to the AS, instead of
allowing downscoping during the approval step. The common way this
works out is either the developer knows they only need certain scopes
for their application and they're relatively static or it's a
selective disclosure system like you've described and the user needs
to pick what they're going to approve on the developer's site before
any browser redirects are done and those pre-filtered choices are sent
to the AS.

Hope this helps.

davep

On Fri, Nov 26, 2010 at 12:41 AM, Martin Ley <m.ley@tarent.de> wrote:
> Dear list,
>
> perhaps I've overread it in the specification or it was not explicit about
> my required scenario:
>
>
> The Web-Server-Flow is used. An application requests data about the user.
> The scopes are dateofbirth,isover18,address. Now the user is forwarded to
> the authorization server to identify and authenticate and give permissions
> to the applications. The user decides to give only permission for the
> isover18 scope but not dateofbirth and address.
>
> How would the application be notified about the granted scopes and the not
> granted scopes?
>
> Best regards
>
> Martin
>
>
> --
> tarent Gesellschaft für Softwareentwicklung und IT-Beratung mbH
> Managing directors: Boris Esser, Elmar Geese
> HRB AG Bonn 5168 - USt-ID (VAT): DE122264941
>
> Heilsbachstraße 24, 53123 Bonn,   Phone: +49 228 52675-0
> Thiemannstraße 36a, 12059 Berlin, Phone: +49 30 5682943-30
> Internet: http://www.tarent.de/   Fax: +49 228 52675-25
>
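The following client-side sketch is an added example, written for this archive page; it is not code from either poster and it assumes hypothetical endpoint, client and redirect values. It shows the two halves of the thread: David's recommendation that the user pick scopes on the application's own site so that only the pre-filtered subset is sent to the authorization server (AS), and Martin's original question of how the application learns which scopes were actually granted. For the second half it relies on the later RFC 6749 §5.1 rule (not the 2010 draft this thread discusses) that the token response carries a `scope` parameter whenever the granted scope differs from what was requested, and on the `error=access_denied` callback of §4.1.2.1 for the all-or-none refusal David describes. The scope names are the ones from Martin's message.

```python
"""Client-side scope pre-filtering and grant reconciliation for an OAuth 2.0
authorization-code flow. Added example; endpoints and IDs are placeholders."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical values (assumptions, not from the thread).
AUTHZ_ENDPOINT = "https://as.example/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://app.example/callback"
# The scopes from Martin's scenario, in the order the application would list them.
KNOWN_SCOPES = ("dateofbirth", "isover18", "address")


def new_state() -> str:
    """Unguessable per-request value, bound to the user session and checked on return."""
    return secrets.token_urlsafe(16)


def build_authorization_url(selected_scopes, state: str) -> str:
    """Send the AS only what the user already agreed to on the application's own
    page (David's 'pre-filtered choices'). Unknown names are dropped so that a
    tampered form cannot request scopes the application never offered."""
    selected = set(selected_scopes)
    scopes = [s for s in KNOWN_SCOPES if s in selected]
    if not scopes:
        raise ValueError("user selected no scopes; nothing to authorize")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),   # space-separated scope list
        "state": state,
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> dict:
    """Interpret the redirect back to the client. An all-or-none refusal arrives
    as error=access_denied (RFC 6749 4.1.2.1); the state must match first."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    if "error" in query:
        return {"granted": False, "error": query["error"][0]}
    return {"granted": True, "code": query["code"][0]}


def reconcile_scopes(requested_scope: str, token_response: dict) -> dict:
    """Compare requested vs. granted scopes using the token response.
    RFC 6749 5.1: 'scope' is present when the granted set differs from the
    request; absence means the request was granted exactly."""
    requested = set(requested_scope.split())
    granted = set(token_response.get("scope", requested_scope).split())
    return {
        "granted": sorted(granted & requested),
        "denied": sorted(requested - granted),
        # Anything the AS added beyond the request should be treated as suspect.
        "unexpected": sorted(granted - requested),
    }


if __name__ == "__main__":
    state = new_state()
    url = build_authorization_url(["isover18", "address"], state)
    print(url)
    # Constructed token response in which the AS downscoped to isover18 only.
    print(reconcile_scopes("dateofbirth isover18 address",
                           {"access_token": "x", "token_type": "bearer", "scope": "isover18"}))
```

The key design point is that scope selection happens before the redirect, so the AS's all-or-none approval page only ever shows what the user already chose; `reconcile_scopes` is the defensive check for providers that do downscope, and it also flags any scope the AS granted that was never asked for.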