Re: [OAUTH-WG] third party applications

Jeff Craig <jeffcraig@google.com> Wed, 02 September 2020 14:33 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jEResC_RVBUNKJeSjhU_OXhFGAs>

On Wed, Sep 2, 2020 at 8:53 AM Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:

> > On 2. Sep 2020, at 05:58, William Denniss <wdenniss=40google.com@dmarc.ietf.org> wrote:
> > On the subject, in first party cases the access may not be all that
> > "limited", I wonder if it should read more generically "an application to
> > obtain access to an HTTP service"?
>
> I suggest to stick with “limited” since privilege restriction is always a
> good idea.
>

I'm inclined to agree; scopes are a key part of the OAuth model, and while
nothing precludes a "full account access" scope, I do think that the idea
of privilege restriction is worth infusing the document with.