Re: [OAUTH-WG] Can the repeated authorization of scopes be avoided ?

George Fletcher <gffletch@aol.com> Wed, 27 January 2016 16:53 UTC

To: Thomas Broyer <t.broyer@gmail.com>, Sergey Beryozkin <sberyozkin@gmail.com>, Justin Richer <jricher@mit.edu>
References: <78kleo9cmvytysxs1qv8kep0.1453117674832@email.android.com> <569CDE25.90908@gmail.com> <CAAP42hA_3EmJw7fAXSSfg=KynAMF26x6vgm1HyLX1RAS4OpKfQ@mail.gmail.com> <569E08F6.4040600@gmail.com> <56A7B52C.2040302@gmail.com> <CAEayHEMrTjDQbdoX3C-2-oGUVVQTzCzDqbWU-hFeAtbSp-tCcg@mail.gmail.com> <7E08DFCA-ADBC-481A-896A-2725E1F79EFA@mit.edu> <56A8A762.9080004@gmail.com> <CAEayHEPi7hsu=zkr_qxadp02D9zzLGVDU-AGVZXzm25vE2bJFw@mail.gmail.com> <56A8B542.5060208@gmail.com> <56A8BE1B.2080404@aol.com> <CAEayHEOtpUxMRKduitbe=D3UFHSazMmkf9UQoiPNjZFr0JATOA@mail.gmail.com> <56A8F3A5.8060002@aol.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <56A8F612.7040208@aol.com>
Date: Wed, 27 Jan 2016 11:53:38 -0500
In-Reply-To: <56A8F3A5.8060002@aol.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/lGFHdij0LtCB_gVv9wqexWqc0mo>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Can the repeated authorization of scopes be avoided ?

My recommendation, like the others, is to store consent by 
client_id:user and then try and leverage dynamic client registration if 
instance level consent is needed.

On 1/27/16 11:43 AM, George Fletcher wrote:
> Yes, I was thinking mostly of "native apps"... though you bring up a 
> good point. It would be great if "installable" web apps could do 
> dynamic client registration:)  I suppose for a "public" client that is 
> loaded onto a device, the "installation" process could obtain a new 
> client_id for that instance. Cookies might work, or have the app 
> generate a unique identifier and use that in conjunction with the 
> client_id?
>
> Thanks,
> George
>
> On 1/27/16 11:07 AM, Thomas Broyer wrote:
>>
>>
>> On Wed, Jan 27, 2016 at 1:54 PM George Fletcher <gffletch@aol.com 
>> <mailto:gffletch@aol.com>> wrote:
>>
>>     The difference might be whether you want to store the scope
>>     consent by client "instance" vs client_id application "class".
>>
>>
>> Correct me if I'm wrong but this only makes sense for "native apps", 
>> not for web apps, right?
>> (of course, now with "installable web apps" –e.g. progressive web 
>> apps–, lines get blurry; any suggestion how you'd do it then? cookies?)
>
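The recommendation in this message (store consent keyed by client_id and user, and fall back to dynamic client registration when consent must be per installed instance) can be sketched as an authorization-server-side consent store. The code below is an added illustration written for this archive page; it is not code from the thread or from any implementation the participants run. Every name in it (ConsentStore, grant, missing_scopes, needs_consent, register_instance) is this example's own, and the instance client_id format it generates is an assumption, not the RFC 7591 wire format.

```python
"""Consent store keyed by (client_id, user), with per-instance client_ids.

Added example for the OAuth WG thread on avoiding repeated scope consent.
Not code from the thread; all identifiers here are this example's own.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class ConsentStore:
    # (client_id, user) -> scopes the user has already approved for that client.
    # Keying by client_id (the application "class") means every instance of a
    # web app shares one consent record, which is what the message recommends.
    grants: dict[tuple[str, str], set[str]] = field(default_factory=dict)
    # Instance client_ids minted by dynamic registration -> the class client
    # they were derived from (kept so the AS can still reason about the app).
    instances: dict[str, str] = field(default_factory=dict)

    def grant(self, client_id: str, user: str, scopes: list[str]) -> None:
        """Record that `user` approved `scopes` for `client_id` (additive)."""
        self.grants.setdefault((client_id, user), set()).update(scopes)

    def missing_scopes(self, client_id: str, user: str, requested: list[str]) -> list[str]:
        """Requested scopes the user has not yet approved for this client.

        An empty result means the AS can skip the consent screen; a non-empty
        result lists exactly what the next consent prompt must ask for, so
        previously granted scope is never silently widened.
        """
        approved = self.grants.get((client_id, user), set())
        return sorted(set(requested) - approved)

    def needs_consent(self, client_id: str, user: str, requested: list[str]) -> bool:
        return bool(self.missing_scopes(client_id, user, requested))

    def register_instance(self, class_client_id: str) -> str:
        """Simulate dynamic client registration (RFC 7591) for one installed
        instance of a public client, as the message suggests for instance-level
        consent. The AS issues a fresh client_id; consent is then keyed by that
        id, so each installation gets its own consent record.

        Assumption of this example: the instance id is the class id plus a
        random suffix. A real AS would normally issue an opaque identifier.
        """
        instance_id = f"{class_client_id}.{secrets.token_urlsafe(8)}"
        self.instances[instance_id] = class_client_id
        return instance_id

    def revoke(self, client_id: str, user: str) -> None:
        """Drop all consent for this client/user pair (user-initiated revocation)."""
        self.grants.pop((client_id, user), None)


if __name__ == "__main__":
    # Constructed walk-through: one web app, two users, one native-app instance.
    store = ConsentStore()
    store.grant("webapp", "alice", ["profile", "email"])
    print(store.missing_scopes("webapp", "alice", ["profile"]))           # []
    print(store.missing_scopes("webapp", "alice", ["profile", "calendar"]))  # ['calendar']
    inst = store.register_instance("nativeapp")
    print(store.needs_consent(inst, "alice", ["profile"]))                # True
```

The point of keying on (client_id, user) rather than on a session or device is that the AS decides whether to re-prompt from what the user has already approved, asking only for the delta; the per-instance branch simply swaps in a dynamically registered client_id as the key, at the cost of a separate consent record per installation.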