Re: [OAUTH-WG] 'Scope' parameter proposal

Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 20 April 2010 05:28 UTC

Message-ID: <4BCD3AF6.3050505@lodderstedt.net>
Date: Tue, 20 Apr 2010 07:26:14 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
To: Dick Hardt <dick.hardt@gmail.com>
References: <C7F1D1FC.32809%eran@hueniverse.com> <620F3756-E159-4EF3-99DC-6D74CC869739@gmail.com>
In-Reply-To: <620F3756-E159-4EF3-99DC-6D74CC869739@gmail.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] 'Scope' parameter proposal

On 20.04.2010 05:06, Dick Hardt wrote:
> On 2010-04-19, at 9:25 AM, Eran Hammer-Lahav wrote:
>    
>> 2. Server requires authentication
>>
>>     HTTP/1.1 401 Unauthorized
>>     WWW-Authenticate: Token realm='Example', scope='x2'
>>      
> Can more than one scope be returned? Is it a comma delimited list?
>
> I wonder how much value this will provide. (I like the idea, but teasing out the implications.)
>
> Imagine we have a resource that can have READ or WRITE access granted.
>
> An unauthenticated GET on the resource could return the scope URI needed for READ, an unauthenticated PUT on the resource could return the scope URI for WRITE. What if you want to both do READs and WRITEs? There may be another scope that is READ/WRITE. READ and WRITE are pretty common capabilities, but one can imagine much more complex capabilities at resources.
>
> The exact semantics to the resource are likely going to be very contextual.
>
> Given that, returning a single scope value if that is all that makes sense to the resource will likely address many use cases.
>    
I also think the WWW-Authenticate header should only contain the scope 
required for the particular request. To get the whole picture of 
scope/request relations, the resource server could offer some kind of 
discovery.

regards,
Torsten.
> (+1 to Eran's proposal given all the other factors)
>
> -- Dick
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
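As an added example (not code from this thread or from any IETF draft), the following shows how a client could parse a challenge in the format of Eran's proposal quoted above and then ask only for the scopes its current token lacks. It assumes that, if several scopes were allowed, they would be comma-delimited inside the quoted value, which the thread leaves open; the challenge strings are constructed samples.

```python
import re
from typing import Dict, List

# Constructed samples in the proposal's format. The second one assumes a
# comma-delimited scope list (Dick's question; the proposal does not say so).
CHALLENGE_SINGLE = "Token realm='Example', scope='x2'"
CHALLENGE_MULTI = "Token realm='Example', scope='read,write'"

# key='value', key="value" or key=token, in any order; quoting keeps commas
# inside a value from being read as parameter separators.
_PARAM_RE = re.compile(r"""(\w+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s,]+))""")


def parse_challenge(header: str) -> Dict[str, str]:
    """Split a WWW-Authenticate value into its scheme and parameters."""
    scheme, _, rest = header.strip().partition(" ")
    params = {"scheme": scheme}
    for m in _PARAM_RE.finditer(rest):
        key = m.group(1).lower()
        # Exactly one of the three value groups matched.
        params[key] = next(g for g in m.groups()[1:] if g is not None)
    return params


def required_scopes(header: str) -> List[str]:
    """Scopes named by the challenge; a single value gives a one-item list."""
    scope = parse_challenge(header).get("scope", "")
    return [s.strip() for s in scope.split(",") if s.strip()]


def missing_scopes(header: str, granted: List[str]) -> List[str]:
    """Scopes the resource demands that the current token does not carry.

    Only these need to be requested; asking for more than the challenge
    names widens the grant beyond what this request requires.
    """
    have = set(granted)
    return [s for s in required_scopes(header) if s not in have]


if __name__ == "__main__":
    print(parse_challenge(CHALLENGE_SINGLE))
    print(missing_scopes(CHALLENGE_MULTI, ["read"]))
```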