Re: [OAUTH-WG] Registration: Scope Values
Justin Richer <jricher@mitre.org> Mon, 15 April 2013 14:35 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B16421F93DD for <oauth@ietfa.amsl.com>; Mon, 15 Apr 2013 07:35:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X8zCJCC6jQuM for <oauth@ietfa.amsl.com>; Mon, 15 Apr 2013 07:35:21 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 166A421F93B4 for <oauth@ietf.org>; Mon, 15 Apr 2013 07:35:21 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 953CD1F02E1; Mon, 15 Apr 2013 10:35:20 -0400 (EDT)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 7F9771F029F; Mon, 15 Apr 2013 10:35:20 -0400 (EDT)
Received: from [10.146.15.29] (129.83.31.58) by IMCCAS04.MITRE.ORG (129.83.29.81) with Microsoft SMTP Server (TLS) id 14.2.342.3; Mon, 15 Apr 2013 10:35:20 -0400
Message-ID: <516C101F.2090706@mitre.org>
Date: Mon, 15 Apr 2013 10:35:11 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130308 Thunderbird/17.0.4
MIME-Version: 1.0
To: Tim Bray <twbray@google.com>
References: <255B9BB34FB7D647A506DC292726F6E1150C74DADA@WSMSG3153V.srv.dir.telstra.com> <516C069F.9090308@mitre.org> <CA+ZpN26NJj7T8V0WYNnVi2O1EhwKqDbk3zBcJoNkgk5PM6N5+Q@mail.gmail.com> <516C0B9D.6000402@mitre.org> <CA+ZpN27UCw=MpD+CPGTEaGFaQe5qFJm00jRVeW5FuB0MAk8D0A@mail.gmail.com>
In-Reply-To: <CA+ZpN27UCw=MpD+CPGTEaGFaQe5qFJm00jRVeW5FuB0MAk8D0A@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------020003000107040906080706"
X-Originating-IP: [129.83.31.58]
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Registration: Scope Values
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2013 14:35:23 -0000
What would you suggest for wording here, then? Keeping in mind that we cannot (and don't want to) prohibit expression-based scopes. -- Justin On 04/15/2013 10:33 AM, Tim Bray wrote: > No, I mean it’s not interoperable at the software-developer level. I > can’t register scopes at authorization time with any predictable > effect that I can write code to support, either client or server side, > without out-of-line non-interoperable knowledge about the behavior of > the server. > > I guess I’m just not used to OAuth’s culture of having no expectation > that things will be specified tightly enough that I can write code to > implement as specified. -T > > > On Mon, Apr 15, 2013 at 7:15 AM, Justin Richer <jricher@mitre.org > <mailto:jricher@mitre.org>> wrote: > > Scopes aren't meant to be interoperable between services since > they're necessarily API-specific. The only interoperable bit is > that there's *some* place to put the values and that it's > expressed as a bag of space-separated strings. How those strings > get interpreted and enforced (which is really what's at stake > here) is up to the AS and PR (or a higher-level protocol like UMA). > > -- Justin > > > On 04/15/2013 10:13 AM, Tim Bray wrote: >> >> This, as written, has zero interoperability. I think this >> feature can really only be made useful in the case where scopes >> are fixed strings. >> >> -T >> >> On Apr 15, 2013 6:54 AM, "Justin Richer" <jricher@mitre.org >> <mailto:jricher@mitre.org>> wrote: >> >> You are correct that the idea behind the "scope" parameter at >> registration is a constraint on authorization-time scopes >> that are made available. It's both a means for the client to >> request a set of valid scopes and for the server to provision >> (and echo back to the client) a set of valid scopes. >> >> I *really* don't want to try to define a matching language >> for scope expressions. For that to work, all servers would >> need to be able to process the regular expressions for all >> clients, even if the servers themselves only support >> simple-string scope values. Any regular expression syntax we >> pick here is guaranteed to be incompatible with something, >> and I think the complexity doesn't buy much. Also, I think >> you suddenly have a potential security issue if you have a >> bad regex in place on either end. >> >> As it stands today, the server can interpret the incoming >> registration scopes and enforce them however it wants to. The >> real trick comes not from assigning the values to a >> particular client but to enforcing them, and I think that's >> always going to be service-specific. We're just not as clear >> on that as we could be. >> >> After looking over everyone's comments so far, I'd like to >> propose the following text for that section: >> >> >> scope >> OPTIONAL. Space separated list of scope values (as described in >> OAuth 2.0Section 3.3 [RFC6749] <http://tools.ietf.org/html/rfc6749#section-3.3>) that the client can use when >> requesting access tokens. As scope values are service-specific, >> the Authorization Server MAY define its own matching rules when >> determining if a scope value used during an authorization request >> is valid according to the scope values assigned during >> registration. Possible matching rules include wildcard patterns, >> regular expressions, or exactly matching the string. If omitted, >> an Authorization Server MAY register a Client with a default >> set of scopes. >> >> >> Comments? Improvements? >> >> -- Justin >> >> >> On 04/14/2013 08:23 PM, Manger, James H wrote: >>> Presumably at app registration time any scope specification is really a constraint on the scope values that can be requested in an authorization flow. >>> >>> So ideally registration should accept rules for matching scopes, as opposed to actual scope values. >>> >>> You can try to use scope values as their own matching rules. That is fine for a small set of "static" scopes. It starts to fail when there are a large number of scopes, or scopes that can include parameters (resource paths? email addresses?). You can try to patch those failures by allowing services to define service-specific special "wildcard" scope values that can only be used during registration (eg "read:*"). >>> >>> Alternatively, replace 'scope' in registration with 'scope_regex' that holds a regular expression that all scope values in an authorization flow must match. >>> >>> -- >>> James Manger >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth >> > >
- [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values Donald F Coffin
- Re: [OAUTH-WG] Registration: Scope Values Donald F Coffin
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Donald F Coffin
- Re: [OAUTH-WG] Registration: Scope Values Manger, James H
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values prateek mishra
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values John Bradley
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Anthony Nadalin
- Re: [OAUTH-WG] Registration: Scope Values Phil Hunt
- Re: [OAUTH-WG] Registration: Scope Values Richer, Justin P.
- Re: [OAUTH-WG] Registration: Scope Values Richer, Justin P.
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Anthony Nadalin
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Mike Jones
- Re: [OAUTH-WG] Registration: Scope Values Phil Hunt
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer
- Re: [OAUTH-WG] Registration: Scope Values Phil Hunt
- Re: [OAUTH-WG] Registration: Scope Values Tim Bray
- Re: [OAUTH-WG] Registration: Scope Values Justin Richer