IETF Logo Mail Archive

Re: [OAUTH-WG] Registration: Scope Values

Tim Bray <twbray@google.com> Thu, 18 April 2013 17:57 UTC

Return-Path: <twbray@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EAAA21F90EB for <oauth@ietfa.amsl.com>; Thu, 18 Apr 2013 10:57:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.977
X-Spam-Level:
X-Spam-Status: No, score=-101.977 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Sj2kgLoa3yF for <oauth@ietfa.amsl.com>; Thu, 18 Apr 2013 10:57:20 -0700 (PDT)
Received: from mail-ie0-x22e.google.com (mail-ie0-x22e.google.com [IPv6:2607:f8b0:4001:c03::22e]) by ietfa.amsl.com (Postfix) with ESMTP id E258821F8FE8 for <oauth@ietf.org>; Thu, 18 Apr 2013 10:57:17 -0700 (PDT)
Received: by mail-ie0-f174.google.com with SMTP id 10so3714959ied.33 for <oauth@ietf.org>; Thu, 18 Apr 2013 10:57:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=kkA6n0vlY4+2AsOPX6fZLRFsmnP9wOXS4fXoqd8YlS8=; b=eoQabC7NoMylOO5adPfFg80fLEvt6tJL0OKszpmf8lzt3y+2eUv6VMBdUA2GdzERRV 6F7jx5+FOzlOaQaNePY3ULLRWidjU/ZPFcwakw+4Kj9hfxIH5AmFwmXUGcqU+aJeyZb0 bLcxcJ3aHE1LuhvjYQdI5ECh4Accrbf8fFJl7El3reiCNx1IxU9eT+2Q3fUtsxPKD2LB LnJ+LvKJBRsAxH7cTgOUreged3ntJyYEJEnhNakjnEpPrRxdbQ+4pjfE/mW0gT9oLNGE UUDp8O5vDJBfvGKYXVG5sKH1G+UgCNA0DRzhS3EXnlylSNpvh9Ny59eXXdKqxMXxXOta 4Elw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:cc:content-type:x-gm-message-state; bh=kkA6n0vlY4+2AsOPX6fZLRFsmnP9wOXS4fXoqd8YlS8=; b=IjkDTV9Sy38qAVhkKAfY7Ghx+/4N5e4olADTFItMgfPaIOYeutYieBE2348e6y7h9s iSpzzs3TpKQQ+s8jwtJOF2TQ6FDd9hVzLvl7j3vi2mMl+m8N1JjzJeFTgukfZif+AEXI d5J/jmoSuscQP4tmmU8oOFHg8uFsPLF7gNETDWJILGVVy/Fi5U91TmHl9OY4e3DGE96A 0kMMqrwXNtyljK+uXOFCzmbsLX4H2B05HPoKznKvoW8EdH68dN9dRMrrv/NK1TZoS3nc T4xpX/Yi3E/RmfIr0EF97b6WnaRRQ/KOXtNveEqvK0+REsNFnri2ZkXL3SxkemdC+c0i q0xA==
X-Received: by 10.43.90.137 with SMTP id bi9mr6271716icc.51.1366307837370; Thu, 18 Apr 2013 10:57:17 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.31.35 with HTTP; Thu, 18 Apr 2013 10:56:46 -0700 (PDT)
In-Reply-To: <5170319A.5080903@mitre.org>
References: <255B9BB34FB7D647A506DC292726F6E1150C74DADA@WSMSG3153V.srv.dir.telstra.com> <516C101F.2090706@mitre.org> <CA+ZpN27KNr0TLsAjt29PCQXqfFYkzP7Fr7y_2wibHfVu3R=UMA@mail.gmail.com> <516C1714.8070503@mitre.org> <4E1F6AAD24975D4BA5B168042967394367641A87@TK5EX14MBXC283.redmond.corp.microsoft.com> <516C3152.9070603@mitre.org> <4E1F6AAD24975D4BA5B168042967394367641FAB@TK5EX14MBXC283.redmond.corp.microsoft.com> <516C54F2.8040708@mitre.org> <4E1F6AAD24975D4BA5B16804296739436766BCC4@TK5EX14MBXC284.redmond.corp.microsoft.com> <CA+ZpN248faS0Vfa=yCft-RpGxHjs9jFv+VPP2Rw6AWzxhH617A@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739436766C964@TK5EX14MBXC284.redmond.corp.microsoft.com> <CA+ZpN24k3eeMJD-gypbL3p2D3O-O-4itueB2Wz4xrbeROXq1Cg@mail.gmail.com> <d857b70d64e349a2ac0ff52a6aaf5a19@BY2PR03MB041.namprd03.prod.outlook.com> <DE8865A9-4656-47B2-8315-FDC1585CEDAB@mitre.org> <4E1F6AAD24975D4BA5B16804296739436766D8B9@TK5EX14MBXC284.redmond.corp.microsoft.com> <5170319A.5080903@mitre.org>
From: Tim Bray <twbray@google.com>
Date: Thu, 18 Apr 2013 10:56:46 -0700
Message-ID: <CA+ZpN243n-krLo6MGxc4p4c8BZeNCL00wVLEywOt-+m-OY+8HA@mail.gmail.com>
To: Justin Richer <jricher@mitre.org>
Content-Type: multipart/alternative; boundary="bcaec51867784d0f0204daa655b2"
X-Gm-Message-State: ALoCoQmDQ0kgjq/z/eDFigm+EXWl6k05S6KjZiWlVAgPILaJDqDtfE7NYaGOfF+TVviPaZXc2tD5MLd2aiYhrerw++o1Bzn84nKpRSFWjbfTXX5EfauL40gP8HNlB4cF+iKFQS31iO5OckKA3/2F0gohtt5uYWJQYDu7yNxOCNgJYwkB274PC4ce4IGtV06v1qumr/z4Ma0+
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Registration: Scope Values
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Apr 2013 17:57:35 -0000

On Thu, Apr 18, 2013 at 10:47 AM, Justin Richer <jricher@mitre.org> wrote:


> It's very useful for a generic *library* that handles the authorization
> layer for an application to have a slot for registering scopes and finding
> out what scopes the app's been registered for.
>

I don’t see how it’s useful in the slightest if there’s no defined semantic
for what “registration” actually means, i.e. what result is to be expected
when sending or receiving a list of scopes.   -T


>
>
>
> On 04/18/2013 01:04 PM, Mike Jones wrote:
>
>  Saying anything normative about “enforcing restrictions” is going beyond
> RFC 6749 semantics.  Indeed, you’d said that “I agree that we shouldn't
> try to "solve" scope in registration.”, but talking about restrictions is
> going down the slippery “solving it” path.****
>
> ** **
>
> At most we can say that the two parties are making declarations to one
> another about scopes that they may choose to use, but we can’t assume that
> this is an exclusive list and that other scope values such as “
> urn:example:channel=HBO&urn:example:rating=G,PG-13” might not be used,
> even if the client registers saying that it intends to use the “OATC” scope
> value.  We could maybe even say that some services may use a static set of
> scopes and might choose to limit the scopes that a client may use to those
> that it declared to the server or to those that the server returned to the
> client.  That’s a HINT that some services might do this.  But we can’t say
> anything normative about such possible behaviors, because it goes beyond
> RFC 6749.****
>
> ** **
>
>                                                             -- Mike****
>
> ** **
>
> *From:* Richer, Justin P. [mailto:jricher@mitre.org <jricher@mitre.org>]
> *Sent:* Thursday, April 18, 2013 9:26 AM
> *To:* Anthony Nadalin
> *Cc:* Tim Bray; Mike Jones; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Registration: Scope Values****
>
> ** **
>
> This doesn't actually break the semantics because the client MUST accept
> what the server tells it over anything that it asks for in the first place.
> The server has the final say. So in this case, if your client asks for
> nothing, the server says "A B C", the client now knows it can ask for "A B
> C" scopes. ****
>
> ** **
>
> I'm still in favor of not putting the restricting language in the scope
> definition at all, instead have it say something like:****
>
> ** **
>
>  “Space-separated list of scope values (as described in OAuth 2.0 Section 3.3
> [RFC6749] <http://tools.ietf.org/html/rfc6749#section-3.3>) that the
> Client can use when requesting access tokens from the Authorization Server.
> As scope values are service specific, the means of the Authorization Server
> enforcing this restriction are outside the scope of this specification.”**
> **
>
> ** **
>
> Couple this with the overall paragraph that says that the client is
> requesting values that the server is potentially overriding with its
> declarations, and I think that addresses everything without getting into
> confusing language that doesn't add to interoperability. ****
>
> ** **
>
>  -- Justin****
>
> ** **
>
> On Apr 18, 2013, at 12:13 PM, Anthony Nadalin <tonynad@microsoft.com>
> wrote:****
>
>
>
> ****
>
> If I don’t specify a scope, then the server can allocate a default (or
> default set), thus that breaks the semantics you describe****
>
>  ****
>
> *From:* oauth-bounces@ietf.org [mailto:oauth <oauth>-bounces@ietf.org] *On
> Behalf Of *Tim Bray
> *Sent:* Thursday, April 18, 2013 9:04 AM
> *To:* Mike Jones
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Registration: Scope Values****
>
>  ****
>
> I’m unconvinced, Mike.  Obviously you’re right about the looseness of
> OAuth2 scope specification, but this is a very specific semantic of what
> happens when you register, and I don’t think we’re bound by history here.
> If we can’t safely say anything about what the list of scopes means, then
> I'm with you let's take them out.  But the most obvious intended semantic
> is (from the client) “I promise to ask only for these” and from the server
> “These are the only ones I’ll give you tokens for.”  Or does someone have
> use-cases for an alternative semantic?****
>
>  ****
>
> To make this concrete, I propose the following:****
>
> “Space-separated list of scope values (as described in OAuth 2.0 Section 3.3
> [RFC6749] <http://tools.ietf.org/html/rfc6749#section-3.3>) that the
> client is declaring to the server that it will restrict itself to when
> requesting access tokens, and that the server is declaring to the client
> that it is registered to use when requesting access tokens.  Clients
> SHOULD assume that servers will refuse to grant access tokens for scopes
> not in the list provided by the server.”****
>
>  ****
>
>  ****
>
> On Thu, Apr 18, 2013 at 8:55 AM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:****
>
>  I don’t think it’s possible to define what it means in an interoperable
> way because OAuth didn’t specify scopes in an interoperable way.  No, I
> don’t like that either, but I think that’s where things are.  That’s why I
> was advocating deleting this registration feature entirely.****
>
>  ****
>
> But understanding it might be useful in some contexts, I’m OK keeping it,
> provided we be clear that the semantics of “registered to use” are
> service-specific.****
>
>  ****
>
>                                                             -- Mike****
>
>  ****
>
> *From:* Tim Bray [mailto:twbray@google.com]
> *Sent:* Thursday, April 18, 2013 8:36 AM
> *To:* Mike Jones
> *Cc:* Justin Richer; oauth@ietf.org****
>
>
> *Subject:* Re: [OAUTH-WG] Registration: Scope Values****
>
>  ****
>
> On the server-to-client side, what does “registered to use” mean?  Does it
> mean that the client should assume that any scopes not on the list WILL not
> be granted, MAY not be granted.... or what?  Is this already covered
> elsewhere? -T****
>
>  ****
>
> On Thu, Apr 18, 2013 at 8:28 AM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:****
>
> Thanks, Justin.  I agree with the need for the generic two-sided
> language.  I’d still keep this language for scope, because we want to
> capture the “declaring” aspect in this case:****
>
>  ****
>
> “Space separated list of scope values (as described in OAuth 2.0 Section 3.3
> [RFC6749] <http://tools.ietf.org/html/rfc6749#section-3.3>) that the
> client is declaring to the server that it may use when requesting access
> tokens and that the server is declaring to the client that it is registered
> to use when requesting access tokens.”.****
>
>  ****
>
> You should probably also reinforce that scope values are service-specific
> and may not consist only of a static set of string values, and that
> therefore, in some cases, an exhaustive list of registered scope values is
> not possible.****
>
>  ****
>
>                                                             -- Mike****
>
>  ****
>
> *From:* Justin Richer [mailto:jricher@mitre.org]
> *Sent:* Monday, April 15, 2013 12:29 PM****
>
>
> *To:* Mike Jones
> *Cc:* Tim Bray; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Registration: Scope Values****
>
>  ****
>
> I think that because the "declaration" issue affects all parameters in the
> list, not just scope, we should adopt this in a higher level paragraph and
> leave it out of the individual parameter descriptions. Thus, something like
> this inserted as the second paragraph in section 2:****
>
> The client metadata values serve two parallel purposes in the overall
> OAuth Dynamic Registration protocol:
>
>  - the Client requesting its desired values for each parameter to the
> Authorization Server in a [register] or [update] request,
>  - the Authorization Server informing the Client of the current values of
> each parameter that the Client has been registered to use through a [client
> information response].
>
> An Authorization Server MAY override any value that a Client requests
> during the registration process (including any omitted values) and replace
> the requested value with a default. The normative indications in the
> following list apply to the Client's declaration of its desired values.
>
> The Authorization Server SHOULD provide documentation for any fields that
> it requires to be filled in by the client or to have particular values or
> formats. Extensions and profiles...****
>
>
> And then remove the sidedness-language from the scope parameter and any
> other parameters where it might have crept in inadvertently.
>
>  -- Justin****
>
> On 04/15/2013 01:29 PM, Mike Jones wrote:****
>
>  We could fix the one-sided language by changing****
>
> “Space separated list of scope values (as described in OAuth 2.0 Section 3.3
> [RFC6749] <http://tools.ietf.org/html/rfc6749#section-3.3>) that the
> client is declaring that it may use when requesting access tokens.”****
>
> to****
>
> “Space separated list of scope values (as described in OAuth 2.0 Section 3.3
> [RFC6749] <http://tools.ietf.org/html/rfc6749#section-3.3>) that the
> client is declaring to the server that it may use when requesting access
> tokens and that the server is declaring to the client that it is registered
> to use when requesting access tokens.”.****
>
>  ****
>
> Again, I chose the “registered to use” language carefully – because in the
> general case it’s not a restriction on the values that the client can use –
> just a statement by the server to the client that it is registered to use
> those particular values.  In both cases, the parties are making
> declarations to one another.****
>
>  ****
>
> If you adopt that language (or keep the original language), then yes, I’d
> consider this closed.****
>
>  ****
>
>                                                             -- Mike****
>
>  ****
>
> *From:* Justin Richer [mailto:jricher@mitre.org <jricher@mitre.org>]
> *Sent:* Monday, April 15, 2013 9:57 AM
> *To:* Mike Jones
> *Cc:* Tim Bray; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Registration: Scope Values****
>
>  ****
>
> I absolutely do not want to delete this feature, as (having implemented
> it) I think it's very useful. This is a very established pattern in manual
> registration: I know of many, many OAuth2 servers and clients that are set
> up where the client must pre-register a set of scopes.
>
> I don't like the language of "the client is declaring" because it's too
> one-sided. The client might not have declared anything, and it might be the
> server that's declaring something to the client. Deleting the "is
> declaring" bit removes that unintended restriction of the language while
> keeping the original meaning intact. I actually thought that I had fixed
> that before the last draft went in but apparently I missed this one.
>
> I will work on clarifying the intent of the whole metadata set in its
> introductory paragraph(s) so that it's clear that all of these fields are
> used in both of these situations:
>
>  1) The client declaring to the server its desire to use a particular value
>  2) The server declaring to the client that it has been registered with a
> particular value
>
> This should hopefully clear up the issue in the editor's note that I
> currently have at the top of that section right now, too.
>
> Mike, since you were the one who originally brought up the issue, and
> you're fine with the existing text, can I take this as closed now? Assuming
> that you agree with deleting "is declaring" for reasons stated above, I'm
> fine with leaving everything else as is and staying quiet on what the
> server has to do with the scopes.
>
>  -- Justin****
>
> On 04/15/2013 12:44 PM, Mike Jones wrote:****
>
>  I think that the existing wording is superior to the proposed changed
> wording.  The existing wording is:****
>
>  ****
>
>    scope****
>
>       OPTIONAL.  Space separated list of scope values (as described in****
>
>       OAuth 2.0 Section 3.3 [RFC6749]<http://tools.ietf.org/html/rfc6749#section-3.3>)
> that the client is declaring that****
>
>       it may use when requesting access tokens.  If omitted, an****
>
>       Authorization Server MAY register a Client with a default set of****
>
>       scopes.****
>
>  ****
>
> For instance, the current “client is declaring” wording will always be
> correct, whereas as the change to “client can use” wording implies a
> restriction on client behavior that is not always applicable.  The “client
> is declaring” wording was specific and purposefully chosen, and I think
> should be retained.  In particular, we can’t do anything that implies that
> only the registered scopes values can be used.  At the OAuth spec level,
> this is a hint as to possible future client behavior – not a restriction on
> future client behavior.****
>
>  ****
>
> Also, for the reasons that Tim stated, I’m strongly against any “matching”
> or “regex” language in the spec pertaining to scopes – as it’s not
> actionable.****
>
>  ****
>
> So I’d propose that we leave the existing scope wording in place.
> Alternatively, I’d also be fine with deleting this feature entirely, as I
> don’t think it’s useful in the general case.****
>
>  ****
>
>                                                             -- Mike****
>
>  ****
>
> *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org<oauth-bounces@ietf.org>
> ]*On Behalf Of *Justin Richer
> *Sent:* Monday, April 15, 2013 8:05 AM
> *To:* Tim Bray; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Registration: Scope Values****
>
>  ****
>
> On 04/15/2013 10:52 AM, Tim Bray wrote:
>
>
> ****
>
> I’d use the existing wording; it’s perfectly clear.  Failing that, if
> there’s strong demand for registration of structured scopes, bless the use
> of regexes, either PCREs or some careful subset.****
>
>
> Thanks for the feedback -- Of these two choices, I'd rather leave it as-is.
>
>
>
>
> ****
>
>  ****
>
> However, I’d subtract the sentence “If omitted, an Authorization Server
> MAY register a Client with a default set of  scopes.”  It adds no value; if
> the client doesn’t declare scopes, the client doesn’t declare scopes,
> that’s all.  -T****
>
>
> Remember, all of these fields aren't just for the client *request*,
> they're also for the server's *response* to either a POST, PUT, or GET
> request. (I didn't realize it, but perhaps the wording as stated right now
> doesn't make that clear -- I need to fix that.) The value that it adds is
> if the client doesn't ask for any particular scopes, the server can still
> assign it scopes and the client can do something smart with that. Dumb
> clients are allowed to ignore it if it doesn't mean anything to them.
>
> This is how our server implementation actually works right now. If the
> client doesn't ask for anything specific at registration, the server hands
> it a bag of "default" scopes. Same thing happens at auth time -- if the
> client doesn't ask for any particular scopes, the server hands it all of
> its registered scopes as a default. Granted, on our server, scopes are just
> simple strings right now, so they get compared at the auth endpoint with an
> exact string-match metric and set-based logic.
>
>  -- Justin
>
>
>
> ****
>
>  ****
>
> On Mon, Apr 15, 2013 at 7:35 AM, Justin Richer <jricher@mitre.org> wrote:*
> ***
>
> What would you suggest for wording here, then? Keeping in mind that we
> cannot (and don't want to) prohibit expression-based scopes.
>
>  -- Justin****
>
>  ****
>
> On 04/15/2013 10:33 AM, Tim Bray wrote:****
>
>  No, I mean it’s not interoperable at the software-developer level.  I
> can’t register scopes at authorization time with any predictable effect
> that I can write code to support, either client or server side, without
> out-of-line non-interoperable knowledge about the behavior of the server.
> ****
>
>  ****
>
> I guess I’m just not used to OAuth’s culture of having no expectation that
> things will be specified tightly enough that I can write code to implement
> as specified.  -T****
>
>  ****
>
> On Mon, Apr 15, 2013 at 7:15 AM, Justin Richer <jricher@mitre.org> wrote:*
> ***
>
> Scopes aren't meant to be interoperable between services since they're
> necessarily API-specific. The only interoperable bit is that there's *some*
> place to put the values and that it's expressed as a bag of space-separated
> strings. How those strings get interpreted and enforced (which is really
> what's at stake here) is up to the AS and PR (or a higher-level protocol
> like UMA).
>
>  -- Justin****
>
>  ****
>
> On 04/15/2013 10:13 AM, Tim Bray wrote:****
>
> This, as written, has zero interoperability.  I think this feature can
> really only be made useful in the case where scopes are fixed strings.****
>
> -T****
>
> On Apr 15, 2013 6:54 AM, "Justin Richer" <jricher@mitre.org> wrote:****
>
> You are correct that the idea behind the "scope" parameter at registration
> is a constraint on authorization-time scopes that are made available. It's
> both a means for the client to request a set of valid scopes and for the
> server to provision (and echo back to the client) a set of valid scopes.
>
> I *really* don't want to try to define a matching language for scope
> expressions. For that to work, all servers would need to be able to process
> the regular expressions for all clients, even if the servers themselves
> only support simple-string scope values. Any regular expression syntax we
> pick here is guaranteed to be incompatible with something, and I think the
> complexity doesn't buy much. Also, I think you suddenly have a potential
> security issue if you have a bad regex in place on either end.
>
> As it stands today, the server can interpret the incoming registration
> scopes and enforce them however it wants to. The real trick comes not from
> assigning the values to a particular client but to enforcing them, and I
> think that's always going to be service-specific. We're just not as clear
> on that as we could be.
>
> After looking over everyone's comments so far, I'd like to propose the
> following text for that section:
>
>
> ****
>
>    scope****
>
>       OPTIONAL.  Space separated list of scope values (as described in****
>
>       OAuth 2.0 Section 3.3 [RFC6749] <http://tools.ietf.org/html/rfc6749#section-3.3>) that the client can use when ****
>
>       requesting access tokens.  As scope values are service-specific, ****
>
>       the Authorization Server MAY define its own matching rules when****
>
>       determining if a scope value used during an authorization request****
>
>       is valid according to the scope values assigned during ****
>
>       registration. Possible matching rules include wildcard patterns,****
>
>       regular expressions, or exactly matching the string. If omitted, ****
>
>       an Authorization Server MAY register a Client with a default ****
>
>       set of scopes.****
>
>
> Comments? Improvements?
>
>  -- Justin
>
>
> ****
>
> On 04/14/2013 08:23 PM, Manger, James H wrote:****
>
> Presumably at app registration time any scope specification is really a constraint on the scope values that can be requested in an authorization flow.****
>
>  ****
>
> So ideally registration should accept rules for matching scopes, as opposed to actual scope values.****
>
>  ****
>
> You can try to use scope values as their own matching rules. That is fine for a small set of "static" scopes. It starts to fail when there are a large number of scopes, or scopes that can include parameters (resource paths? email addresses?). You can try to patch those failures by allowing services to define service-specific special "wildcard" scope values that can only be used during registration (eg "read:*").****
>
>  ****
>
> Alternatively, replace 'scope' in registration with 'scope_regex' that holds a regular expression that all scope values in an authorization flow must match.****
>
>  ****
>
> --****
>
> James Manger****
>
> _______________________________________________****
>
> OAuth mailing list****
>
> OAuth@ietf.org****
>
> https://www.ietf.org/mailman/listinfo/oauth****
>
>   ****
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth****
>
>   ****
>
>  ****
>
>   ****
>
>  ****
>
>  ****
>
>   ****
>
>   ****
>
>  ****
>
>   ****
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth****
>
> ** **
>
>
>

v2.35.0 | Report a Bug | By Email | System Status