IETF Logo Mail Archive

Re: [OAUTH-WG] Seeking Clarification: Potential Ambiguity in Specification

Igor Faynberg <igor.faynberg@alcatel-lucent.com> Fri, 20 January 2012 22:58 UTC

Return-Path: <igor.faynberg@alcatel-lucent.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8299921F8653 for <oauth@ietfa.amsl.com>; Fri, 20 Jan 2012 14:58:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q+y3VyFn3IEm for <oauth@ietfa.amsl.com>; Fri, 20 Jan 2012 14:58:32 -0800 (PST)
Received: from ihemail4.lucent.com (ihemail4.lucent.com [135.245.0.39]) by ietfa.amsl.com (Postfix) with ESMTP id 3986321F864D for <oauth@ietf.org>; Fri, 20 Jan 2012 14:58:26 -0800 (PST)
Received: from usnavsmail2.ndc.alcatel-lucent.com (usnavsmail2.ndc.alcatel-lucent.com [135.3.39.10]) by ihemail4.lucent.com (8.13.8/IER-o) with ESMTP id q0KMwP29003252 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <oauth@ietf.org>; Fri, 20 Jan 2012 16:58:25 -0600 (CST)
Received: from umail.lucent.com (umail-ce2.ndc.lucent.com [135.3.40.63]) by usnavsmail2.ndc.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id q0KMwODw001134 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <oauth@ietf.org>; Fri, 20 Jan 2012 16:58:25 -0600
Received: from [135.244.1.84] (faynberg.lra.lucent.com [135.244.1.84]) by umail.lucent.com (8.13.8/TPES) with ESMTP id q0KMwNEH020650; Fri, 20 Jan 2012 16:58:24 -0600 (CST)
Message-ID: <4F19F18F.6030906@alcatel-lucent.com>
Date: Fri, 20 Jan 2012 17:58:23 -0500
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
Organization: Alcatel-Lucent
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11
MIME-Version: 1.0
To: oauth@ietf.org
References: <CAG+j4TrQGwiDj01huDgfEy+02b4=tTDYifiXcvhDHrw3i32-6Q@mail.gmail.com> <1326156786.88572.YahooMailNeo@web31812.mail.mud.yahoo.com> <CAG+j4TrUGtua8umh+GqJM_i6OeZrwHy7NwoGK1dTYGpHBuuV2Q@mail.gmail.com> <1326160314.71861.YahooMailNeo@web31806.mail.mud.yahoo.com> <CAG+j4TrkXE_N6T35LaApswKJMRzNmBYbB_CnqUi37s6sK5nQAw@mail.gmail.com> <1326162276.40306.YahooMailNeo@web31811.mail.mud.yahoo.com> <CAG+j4TqhGi_0Z=C7gPbxAx6L7DV-NeLCewYyc4T-SbfdfWR=GA@mail.gmail.com> <1326215997.44445.YahooMailNeo@web31816.mail.mud.yahoo.com> <6.2.5.6.2.20120110104038.099f1ba8@resistor.net> <E300DA82-5DB9-4768-AF21-D30B15ECB4D0@oracle.com> <90C41DD21FB7C64BB94121FBBC2E723453A72D0F24@P3PW5EX1MB01.EX1.SECURESERVER.NET> <1326240141.98332.YahooMailNeo@web31808.mail.mud.yahoo.com> <90C41DD21FB7C64BB94121FBBC2E723453A72D0F60@P3PW5EX1MB01.EX1.SECURESERVER.NET> <1326268674.20557.YahooMailNeo@web31807.mail.mud.yahoo.com> <90C41DD21FB7C64BB94121FBBC2E723453AAB964E7@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723453AAB964E7@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Content-Type: multipart/alternative; boundary="------------080408010004030600070100"
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.39
X-Scanned-By: MIMEDefang 2.64 on 135.3.39.10
Subject: Re: [OAUTH-WG] Seeking Clarification: Potential Ambiguity in Specification
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: igor.faynberg@alcatel-lucent.com
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jan 2012 22:58:33 -0000

(Strictly editorial.)

Just to make the first sentence easiery to parse, I suggest to clarify 
the scope (no pan intended) of "MUST."  I read it the server MUST either 
process the request OR fail it.  If so, maybe just inserting the word 
either would do the job.  I would also change punctuation to delineate 
the "using" and "indicating" clauses. Probably putting both clauses in 
parentheses will make it easier than adding an extra comma.  Another 
thing that I found stands in the way of is whether it is really "invalid 
scope [value]."  Maybe it is better to indicate that no scope value has 
been supplied?

As a developer I see the benefit of requiring a default value, 
incidentally, but since there is an option, I think it might be better 
to describe the error in a straight-forward way.

The suggested text:

           If the client omits the scope parameter when requesting 
authorization, the authorization

           server MUST either process the request (using a pre-defined 
default scope value) or fail the request

           (indicating that the scope value is missing). The 
authorization server SHOULD document its scope

           requirements and default value (if defined).



Igor

On 1/20/2012 3:32 PM, Eran Hammer wrote:
>
> New text added to Access Token Scope section:
>
>           If the client omits the scope parameter when requesting 
> authorization, the authorization
>
>           server MUST process the request using a pre-defined default 
> value, or fail the request
>
>           indicating an invalid scope. The authorization server SHOULD 
> document its scope
>
>           requirements and default value (if defined).
>
> EHL
>
> *From:*William Mills [mailto:wmills@yahoo-inc.com]
> *Sent:* Tuesday, January 10, 2012 11:58 PM
> *To:* Eran Hammer; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Seeking Clarification: Potential Ambiguity 
> in Specification
>
> "Null string", "empty string", or "server defined default value" all 
> work.  Default scope doesn't do it for me.
>
> ------------------------------------------------------------------------
>
> *From:*Eran Hammer <eran@hueniverse.com <mailto:eran@hueniverse.com>>
> *To:* William Mills <wmills@yahoo-inc.com 
> <mailto:wmills@yahoo-inc.com>>; "oauth@ietf.org 
> <mailto:oauth@ietf.org>" <oauth@ietf.org <mailto:oauth@ietf.org>>
> *Sent:* Tuesday, January 10, 2012 5:24 PM
> *Subject:* RE: [OAUTH-WG] Seeking Clarification: Potential Ambiguity 
> in Specification
>
> I don’t like ‘empty scope’ as it is undefined. I prefer ‘default scope’.
>
> EHL
>
> *From:*William Mills [mailto:wmills@yahoo-inc.com] 
> <mailto:[mailto:wmills@yahoo-inc.com]>
> *Sent:* Tuesday, January 10, 2012 4:02 PM
> *To:* Eran Hammer; oauth@ietf.org <mailto:oauth@ietf.org>
> *Subject:* Re: [OAUTH-WG] Seeking Clarification: Potential Ambiguity 
> in Specification
>
> On your #1, I don't agree that an empty scope is useless.  There are 
> comparable implementations that use an empty scope to be a wildcard 
> scope.  I'd say,
>
> "The client can MAY include or omit the scope parameter. If omitted, 
> the server must process the request using an empty scope as the 
> default.  The server then processes the request either issuing a grant 
> with it's default scope as defined by the server or failing the 
> request indicating an invalid scope requested."
>
> That language isn't quite right, but I think it's clear.
>
> ------------------------------------------------------------------------
>
> *From:*Eran Hammer <eran@hueniverse.com <mailto:eran@hueniverse.com>>
> *To:* "oauth@ietf.org <mailto:oauth@ietf.org>" <oauth@ietf.org 
> <mailto:oauth@ietf.org>>
> *Sent:* Tuesday, January 10, 2012 1:15 PM
> *Subject:* Re: [OAUTH-WG] Seeking Clarification: Potential Ambiguity 
> in Specification
>
>
> I don't think the issue here is about the scope value, but who does 
> the OPTIONAL designation applies to. IOW, is it optional for the 
> server to support/require it, or is it optional for the client to 
> include or omit it.
>
> The intention was to make it optional for the authorization server to 
> make all decisions about the parameter, including making it required. 
> But the text is confusing since the text is aimed directly at the 
> client when making the request.
>
> We need to clarify this and the options are:
>
> 1. The client can decide if they want to include or omit the scope 
> parameter. If omitted, the server must process the request using some 
> documented default scope. This default scope can be an empty scope 
> rendering the token useless for anything other than verifying user 
> authentication.
>
> 2. The server can declare scope to be a required parameter in which 
> case the client must include it or the request will fail. In this 
> case, we should make the text clearer that clients to find out if the 
> particular server requires it.
>
> #1 is better for interoperability, #2 is more in the spirit of the 
> parameter discussions so far.
>
> EHL
>
> > -----Original Message-----
> > From: oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org> 
> [mailto:oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org>] On Behalf
> > Of Phil Hunt
> > Sent: Tuesday, January 10, 2012 11:33 AM
> > To: SM
> > Cc: oauth@ietf.org <mailto:oauth@ietf.org>
> > Subject: Re: [OAUTH-WG] Seeking Clarification: Potential Ambiguity in
> > Specification
> >
> > The underlying issue is that there was a decision not to in any way
> > standardize values for scope.
> >
> > I agreed this was reasonable since the underlying resource APIs are 
> likely to
> > be very specific requiring some degree of prior knowledge by the 
> client app
> > developer. Thus the resource server OAuth infrastructure is free to 
> decide
> > what are and are not acceptable values including missing or null 
> values for
> > scope.
> >
> > I think the specification is acceptable as it is.
> >
> > I note that other specifications that layer on top of OAuth2 such as 
> OpenID
> > Connect may choose to strictly define acceptable values for scope. 
> This type
> > of layering works well in my opinion.
> >
> > Phil
> >
> > @independentid
> > www.independentid.com <http://www.independentid.com>
> > phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
> >
> >
> >
> >
> >
> > On 2012-01-10, at 10:56 AM, SM wrote:
> >
> > > At 09:19 10-01-2012, William Mills wrote:
> > >> That does clear it up!  If the implementation returns a proper 
> error when
> > the scope is omitted then it will be in conformance.  Sending an 
> error result
> > for the empty scope is valid.
> > >
> > > Yes.
> > >
> > > It is not possible to get a clear view of the specs if the 
> discussion about
> > "ambiguity" relies on the meaning of the word "OPTIONAL" only.  If 
> there is a
> > problem, then clarifying text could be used to fix it instead of 
> changing the
> > requirements.
> > >
> > > Regards,
> > > -sm
> > > _______________________________________________
> > > OAuth mailing list
> > > OAuth@ietf.org <mailto:OAuth@ietf.org>
> > > https://www.ietf.org/mailman/listinfo/oauth
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org <mailto:OAuth@ietf.org>
> > https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email