IETF Logo Mail Archive

Re: [OAUTH-WG] Scope :: Was: Extensibility for OAuth?

Dick Hardt <dick.hardt@gmail.com> Fri, 25 June 2010 18:18 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2227328C14D for <oauth@core3.amsl.com>; Fri, 25 Jun 2010 11:18:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.474
X-Spam-Level:
X-Spam-Status: No, score=-2.474 tagged_above=-999 required=5 tests=[AWL=0.125, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jr1CkGf1nGLG for <oauth@core3.amsl.com>; Fri, 25 Jun 2010 11:18:38 -0700 (PDT)
Received: from mail-px0-f172.google.com (mail-px0-f172.google.com [209.85.212.172]) by core3.amsl.com (Postfix) with ESMTP id 7298A3A69A5 for <oauth@ietf.org>; Fri, 25 Jun 2010 11:18:38 -0700 (PDT)
Received: by pxi16 with SMTP id 16so214767pxi.31 for <oauth@ietf.org>; Fri, 25 Jun 2010 11:18:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:subject:mime-version :content-type:from:in-reply-to:date:cc:content-transfer-encoding :message-id:references:to:x-mailer; bh=Kfp0R7Hel56d9H9T6Dsu93vjr/XrbZPXGX8HmhEMExM=; b=QQ7+gzYVhxlFt8HKKoNMZDubMKvlddDgyXUY70SeWiAyWsK7rPB31Ej0k94aGp4tES sAN+mJXQxv0k+0mQOJIIBwcdRy6puoJreKuCYqoVXimojJwvypc5rVCpylz/fsLzafiV lK58KDbUQexi0OqYUb1PRkmKHFGMbSQez6DuM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; b=NKilEQr2NzFfhmnwknWaLUnarpDmx5glpJZZIR4doTmlH/qLN4HUUZbLDkYk1mWHh6 7A8U5EQ9YqXy3R/NhuJfYhH/IjMxTkXqVvQnx3LS6wjEF559hT5ItpaMu/QZ7VyS+rTE eqru/+yDq3ZCd61B4qoTVQacnefMcSeBn9osk=
Received: by 10.142.120.9 with SMTP id s9mr1475921wfc.157.1277489924567; Fri, 25 Jun 2010 11:18:44 -0700 (PDT)
Received: from [192.168.1.2] (c-24-130-32-55.hsd1.ca.comcast.net [24.130.32.55]) by mx.google.com with ESMTPS id y15sm5117659wfd.10.2010.06.25.11.18.43 (version=TLSv1/SSLv3 cipher=RC4-MD5); Fri, 25 Jun 2010 11:18:44 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1078)
Content-Type: text/plain; charset="us-ascii"
From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343B3EC84994@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Fri, 25 Jun 2010 11:18:42 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <8631D908-6D38-4CE8-BEA4-2C6BE6786251@gmail.com>
References: <3D3C75174CB95F42AD6BCC56E5555B4502BE07CC@FIESEXC015.nsn-intra.net><E7A7F197-3BBC-43F2-8242-D0164057A39A@gmail.com><AANLkTild51WHVcXxYFCygL8sGSGiN3HILDFwIbym6Lfi@mail.gmail.com> <3D3C75174CB95F42AD6BCC56E5555B4502869858@FIESEXC015.nsn-intra.net> <012AB2B223CB3F4BB846962876F47217059B663D@SNV-EXVS08.ds.corp.yahoo.com> <3D3C75174CB95F42AD6BCC56E5555B450286986B@FIESEXC015.nsn-intra.net> <9BBAE9AB-A0CD-448F-B817-21389C1BBCAF@gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343B3EC84994@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <eran@hueniverse.com>
X-Mailer: Apple Mail (2.1078)
Cc: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Scope :: Was: Extensibility for OAuth?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Jun 2010 18:18:40 -0000

I'm ok with that if we provide some guidance in the spec to implementors that recommends the use of URIs for scopes they expect to be standardized.

On 2010-06-25, at 11:14 AM, Eran Hammer-Lahav wrote:

> I like the idea of an extensibility mechanism for standard scopes, but I am not sure I like the idea of a prefix or reserved characters. Using URIs as scope values was a requirement (and something that is currently deployed by Google). We defined space-delimited to make simple strings and URIs possible as values.
> 
> My question is, why isn't URIs enough for standard scopes? Define simple strings as server-specific and allow URIs to be used in standards (which will solve potential name collisions). It might make standard scopes a bit less cool but that's not a technical argument. I also think scopes are likely to be extended a lot more than other extension types and would like to keep the process as light as possible (i.e. no registration at all).
> 
> EHL
> 
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Dick Hardt
>> Sent: Friday, June 25, 2010 8:50 AM
>> To: Tschofenig, Hannes (NSN - FI/Espoo)
>> Cc: OAuth WG
>> Subject: Re: [OAUTH-WG] Scope :: Was: Extensibility for OAuth?
>> 
>> To clarify, the goal is to reserve a namespace for future use so that near term
>> implementations won't collide?
>> 
>> I expect the standardization of scope values to not be in OAuth, but in
>> standardized APIs that use OAuth, so a namespace mechanism that
>> differentiates between a standardized scope and an implementation specific
>> scope may be useful.
>> 
>> From what I have gathered, implementors are leaning towards simple strings
>> rather than URIs to declare scope. Perhaps reserving the ":" character from
>> being in a scope string unless the scope prefix has been registered with
>> IANA?
>> 
>> -- Dick
>> On 2010-06-25, at 12:59 AM, Tschofenig, Hannes (NSN - FI/Espoo) wrote:
>> 
>>> Dick pointed me to the Facebook API on how scope is used.
>>> The main page is here:
>>> http://developers.facebook.com/docs/authentication/
>>> 
>>> It describes the basic functionality and also lists an example:
>>> 
>>> "
>>> https://graph.facebook.com/oauth/authorize?
>>>   client_id=...&
>>>   redirect_uri=http://www.example.com/callback&
>>>   scope=user_photos,user_videos,publish_stream
>>> "
>>> 
>>> The values of the scope parameter are then explained here:
>>> http://developers.facebook.com/docs/authentication/permissions
>>> 
>>> Example: user_photos ... Provides access to the photos the user has
>>> uploaded
>>> 
>>> I think it provides a good example that the scope values are not opaque.
>>> Opaque (in this context) means that only the entity creating it needs to
>> understand it and nobody else. Here the client needs to understand and set
>> them.
>>> 
>>> However, one could argue that the scope values are already bound to the
>> specific entity the client requests to obtain the assertion from. In this specific
>> case it would be "https://graph.facebook.com".
>>> 
>>> To respond to the statement Dick made about having standardized values
>> later there would still be the need to decide about the structure of the
>> values now. One possibility is to just add a prefix for standardized values that
>> are not allowed to be used in other cases, such as "std:".
>>> 
>>> Ciao
>>> Hannes
>>> 
>>> 
>>>> -----Original Message-----
>>>> From: ext William Mills [mailto:wmills@yahoo-inc.com]
>>>> Sent: Thursday, June 24, 2010 8:15 PM
>>>> To: Tschofenig, Hannes (NSN - FI/Espoo); ext Lukas Rosenstock; Dick
>>>> Hardt
>>>> Cc: OAuth WG
>>>> Subject: RE: [OAUTH-WG] Scope :: Was: Extensibility for OAuth?
>>>> 
>>>> I'm in favor of having a spaces separated list of tokens.
>>>> The only case I can think of where the client needs to handle the
>>>> scope as anything other than opaque is when it is accessing multiple
>>>> services.  To reduce the numebr of login events the client will have
>>>> to poll all the endpoints it wants to access and get all the scopes
>>>> advertized by them and submit them all, and once it has them it needs
>>>> to submit all of them in it's auth request, so we need something
>>>> that's easy for the client to put together.
>>>> 
>>>> 
>>>> -bill
>>>> 
>>>>> -----Original Message-----
>>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org]
>>>>> On Behalf Of Tschofenig, Hannes (NSN - FI/Espoo)
>>>>> Sent: Thursday, June 24, 2010 3:58 AM
>>>>> To: ext Lukas Rosenstock; Dick Hardt
>>>>> Cc: OAuth WG
>>>>> Subject: Re: [OAUTH-WG] Scope :: Was: Extensibility for OAuth?
>>>>> 
>>>>> The question is whether one would ever want to have a
>>>>> standardized semantic for the scope parameter.
>>>>> If the answer to that question is "no" then it does not
>>>>> matter what the format is. It can well be a list of
>>>>> space-delimited strings (as it is currently defined).
>>>>> 
>>>>> An evironment specific semantic works well in cases where
>>>>> entity X sets the value and later it receives the value
>>>>> again. Only entity X needs to understand what it means.
>>>>> 
>>>>> In some environments the use case is slightly different,
>>>>> namely entity X and entity Y are from the same organization
>>>>> and agree on the semantic. Usage of OAuth within an
>>>>> enterprise might be such a case.
>>>>> 
>>>>> Now, the usage of the scope parameter is, however, a bit
>>>>> different in the spec. Section 4, for example, describes how
>>>>> a client obtains an access token. How does the client know
>>>>> what scope parameters to set and what the semantic is?
>>>>> 
>>>>> Ciao
>>>>> Hannes
>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: ext Lukas Rosenstock [mailto:lr@lukasrosenstock.net]
>>>>>> Sent: Thursday, June 24, 2010 10:49 AM
>>>>>> To: Dick Hardt
>>>>>> Cc: Tschofenig, Hannes (NSN - FI/Espoo); OAuth WG
>>>>>> Subject: Re: [OAUTH-WG] Scope :: Was: Extensibility for OAuth?
>>>>>> 
>>>>>> Wasn't there some concensus that URIs would be good for
>>>> scope? They
>>>>>> have "in-built namespacing" ...
>>>>>> 
>>>>>> Lukas
>>>>>> 
>>>>>> 2010/6/23 Dick Hardt <dick.hardt@gmail.com>:
>>>>>>> 
>>>>>>> On 2010-06-22, at 11:07 PM, Tschofenig, Hannes (NSN -
>>>>>> FI/Espoo) wrote:
>>>>>>> 
>>>>>>>> "
>>>>>>>>  scope
>>>>>>>>        OPTIONAL.  The scope of the access request
>>>>>> expressed as a list
>>>>>>>>        of space-delimited strings.  The value of the
>>>>>> "scope" parameter
>>>>>>>>        is defined by the authorization server.  If the
>>>>>> value contains
>>>>>>>>        multiple space-delimited strings, their order does
>>>>>> not matter,
>>>>>>>>        and each string adds an additional access range to the
>>>>>>>>        requested scope.
>>>>>>>> "
>>>>>>>> 
>>>>>>>> Do folks think it would be useful to have standardized values?
>>>>>>> 
>>>>>>> Not at this time. The semantics of scope are all over the
>>>>>> place. If standardized, people will feel they need to pick
>>>>> one that is
>>>>>> close to what they want, but is not exactly what they mean.
>>>>> I think it
>>>>>> is better for the AS to define what they mean by a scope
>>>>> and give it a
>>>>>> name that makes sense in that context.
>>>>>>> 
>>>>>>>> 
>>>>>>>> If the answer is "yes", then it would be useful to
>>>>>> differentiate the
>>>>>>>> standardized values from those values that are purely
>>>>>> defined locally by
>>>>>>>> the authorization server.
>>>>>> 
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> 
>>>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth

v2.40.4 | Report a Bug | By Email | System Status