Re: [OAUTH-WG] draft-richer-oauth-introspection-01 scope syntax

"Richer, Justin P." <> Mon, 04 February 2013 16:23 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7D93021F885B for <>; Mon, 4 Feb 2013 08:23:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.556
X-Spam-Status: No, score=-6.556 tagged_above=-999 required=5 tests=[AWL=0.042, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id H4K0HqQHf7t4 for <>; Mon, 4 Feb 2013 08:23:33 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 81A5221F86EB for <>; Mon, 4 Feb 2013 08:23:33 -0800 (PST)
Received: from (localhost.localdomain []) by localhost (Postfix) with SMTP id E867F5310F72; Mon, 4 Feb 2013 11:23:32 -0500 (EST)
Received: from IMCCAS03.MITRE.ORG ( []) by (Postfix) with ESMTP id D2EB45310F6A; Mon, 4 Feb 2013 11:23:32 -0500 (EST)
Received: from IMCMBX01.MITRE.ORG ([]) by IMCCAS03.MITRE.ORG ([]) with mapi id 14.02.0318.004; Mon, 4 Feb 2013 11:23:32 -0500
From: "Richer, Justin P." <>
To: Todd W Lainhart <>
Thread-Topic: [OAUTH-WG] draft-richer-oauth-introspection-01 scope syntax
Thread-Index: AQHOAuls0s8jUm5EhEujJWJMOkWRiZhqNe+A
Date: Mon, 04 Feb 2013 16:23:31 +0000
Message-ID: <B33BFB58CCC8BE4998958016839DE27E06885FEC@IMCMBX01.MITRE.ORG>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_B33BFB58CCC8BE4998958016839DE27E06885FECIMCMBX01MITREOR_"
MIME-Version: 1.0
Cc: IETF oauth WG <>
Subject: Re: [OAUTH-WG] draft-richer-oauth-introspection-01 scope syntax
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 04 Feb 2013 16:23:34 -0000

I got the same reading of the list as you, and I could go either way. I believe we absolutely must pick one or the other though.

If anyone has thoughts on the matter one way or the other, please speak up. The options are:

1) scopes are returned as a JSON array (current introspection text)
2) scopes are returned as a space-separated string (rfc6749 format for the "scope" parameter)

 -- Justin

On Feb 4, 2013, at 10:06 AM, Todd W Lainhart <<>>

Has there been any thinking or movement as to whether the scopes syntax stands as is, or aligns with 6749?  Of the folks who chose to respond, it seemed like the position was split.

From:        Justin Richer <<>>
To:        Todd W Lainhart/Lexington/IBM@IBMUS,
Cc:        IETF oauth WG <<>>
Date:        01/30/2013 05:34 PM
Subject:        Re: [OAUTH-WG] draft-richer-oauth-introspection-01 scope syntax

I should add that this is also a bit of an artifact of our implementation. Internally, we parse and store scopes as collections of discrete strings and process them that way. So serialization of that value naturally fell to a JSON list.

-- Justin

On 01/30/2013 05:29 PM, Justin Richer wrote:
It's not meant to follow the same syntax. Instead, it's making use of the JSON object structure to avoid additional parsing of the values on the client side.

We could fairly easily define it as the same space-delimited string if enough people want to keep the scope format consistent.

-- Justin

On 01/30/2013 05:27 PM, Todd W Lainhart wrote:
That the scope syntax in draft-richer-oauth-introspection-01 is different than RFC 6749 Section 3.3, as in:

  "scope": ["read", "write", "dolphin"],


 scope = scope-token *( SP scope-token )
    scope-token = 1*( %x21 / %x23-5B / %x5D-7E )

Should introspection-01 follow the 6749 syntax for scopes?

OAuth mailing list<>

OAuth mailing list<>