Re: [OAUTH-WG] Scope parameter values for "authorization_code" and "client_credentials" based access tokens
Bill Mills <wmills_92105@yahoo.com> Mon, 17 February 2014 17:09 UTC
Return-Path: <wmills_92105@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 500061A0246 for <oauth@ietfa.amsl.com>; Mon, 17 Feb 2014 09:09:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level:
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.548] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MiH27qXMbCwB for <oauth@ietfa.amsl.com>; Mon, 17 Feb 2014 09:09:39 -0800 (PST)
Received: from nm13-vm0.bullet.mail.bf1.yahoo.com (nm13-vm0.bullet.mail.bf1.yahoo.com [98.139.213.79]) by ietfa.amsl.com (Postfix) with ESMTP id 61D001A00E6 for <oauth@ietf.org>; Mon, 17 Feb 2014 09:09:39 -0800 (PST)
Received: from [66.196.81.173] by nm13.bullet.mail.bf1.yahoo.com with NNFMP; 17 Feb 2014 17:09:36 -0000
Received: from [98.139.212.226] by tm19.bullet.mail.bf1.yahoo.com with NNFMP; 17 Feb 2014 17:09:36 -0000
Received: from [127.0.0.1] by omp1035.mail.bf1.yahoo.com with NNFMP; 17 Feb 2014 17:09:36 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 671803.52286.bm@omp1035.mail.bf1.yahoo.com
Received: (qmail 93268 invoked by uid 60001); 17 Feb 2014 17:09:36 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1392656976; bh=jn4/b+jXZTeq+t6rVfmjzYkVBMMsFxWjf8EpVmmSkzM=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=AGo7AVRGYesaL5bhSHpgDnhv8UBnu3b5/wsKdG0Xr5QFzD7m/Rc6HNh2BIQfAxdOZQocf9d7RVPwP2HfD1iEyhWxgTPnR5YHNdLPo9rInErKdjcGqbsMySWvl4hiOpLg6DRerZF3AXAy9qghCH1j4zIctAv/4+nuqx0dqsb0q7A=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=MC3j2eq0kzFxtT7rnQ079e6C66sJGfv+l5U19TJgIFNE4fiWL/grJw/tQCOoW/r3MM4QiHsR5Gy5grAFbPto7jJMuL2XXDoptQziq2E0oJqWHeyDkUqPj7QNADqpdTeVZFvpJVs7kLcEkfjJmo0EkzRrZ7+JAWN5d2cSct/arGU=;
X-YMail-OSG: GDT6H90VM1lqZgNGw99lmAHxf6VBMv6aiHCABTyetuLoFWk ARLPnG5wn5t5G37RuVGDFjSHQCrLKcF39xHAMNzqgFaF345N5Bw4Zz9_7kIT HLR7gdHdRYI7vRWL1iapA8vM.dSSf3VDgi9.Jsz4FYfaQkhjxnjnbKVHaxyL TOp0cuHtrxbzlCzHlKHtJZXQPhuQF9K.9XLqMT_83kbr.yahDf.KCM7FEAqL USO4KQFwpK4ua.sQ7hWZ6U19GqsT9sfaBKlwH7pz8U0wLF3qNcP4c0DVPL.p VDZLA5fU0hfnh5tYvQqoccGihuzkc.CLk4DklTxZcyvWgDzk5kYQggZ.wc5W Yuiai1Lp64UEsqhaqPasAVevQMyFVrJGcWKzbsoICeDyZEBWtN4rw7JI.wvB frCIij4hXlo2Qw7AksUnmPfOIcg_iLGYe1jvF0jXlI6YX5Xl2a2r.T22CQLI 9327tzEHvfK45Gfug35zCyaMxaPQNJ14AGX8pORncTK5Moa5ub5AdTqtzLB5 Wtoh6hiGlZtvwOaA3ypFyBlgLxyEtn4BZVpTYflEbi845yVW13FHzHYuN.IM 6umnU_mK9W7J8EfW0XClki5ZAKv_yu5MjknQBVqmO0SO4T6UQ7CvkiTUTCwk iVCkFmtqKz.REyi0396FXLimau1eU98qtuPiH2ondoOoRPnk4IUundVWUmWC 9NpTdZqI-
Received: from [99.31.212.42] by web142805.mail.bf1.yahoo.com via HTTP; Mon, 17 Feb 2014 09:09:36 PST
X-Rocket-MIMEInfo: 002.001, WWVzLCB0b2tlbiAjMSB3aXRoIHRoYXQgc2NvcGUgY291bGQgb25seSBhY2Nlc3MgcmVzb3VyY2UgIzMgYW5kICM0IGluIHlvdXIgZXhhbXBsZSwgdGhlIG90aGVyIHJlc291cmNlcyBkb24ndCBhbGxvdyB0aGF0IHNjb3BlLiBUaGUgb25seSBzb2x1dGlvbiBpbiBzcGVjIGlzIHRvIGhhdmUgdGhlIG90aGVyIHJlc291cmNlIG93bmVycyBhbGxvdyBhIHNjb3BlIHRoYXQgdG9rZW4gIzEgaGFzLgoKWW91J3JlIGFwcGFyZW50bHkgb3ZlcmxvYWRpbmcgYSBidW5jaCBvZiBzdHVmZiBpbiB0aGUgc2NvcGUgdGhhdCABMAEBAQE-
X-Mailer: YahooMailWebService/0.8.177.636
References: <002301cf2ac2$f0053990$d00facb0$@reminetworks.com> <1392525020.7390.YahooMailNeo@web142801.mail.bf1.yahoo.com> <000e01cf2b7d$79a66c90$6cf345b0$@reminetworks.com> <0e9117b9bb80c29d3e3a53ab64392e94@mail.gmail.com> <1392616900.46009.YahooMailNeo@web142801.mail.bf1.yahoo.com> <005401cf2bac$fa684360$ef38ca20$@reminetworks.com>
Message-ID: <1392656976.93122.YahooMailNeo@web142805.mail.bf1.yahoo.com>
Date: Mon, 17 Feb 2014 09:09:36 -0800
From: Bill Mills <wmills_92105@yahoo.com>
To: Donald Coffin <donald.coffin@reminetworks.com>, 'Marty Burns' <marty@hypertek.us>, "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <005401cf2bac$fa684360$ef38ca20$@reminetworks.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="1583497461-44519506-1392656976=:93122"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/m1gtByZFq1_2WOQ1IYgEblCytfQ
Cc: 'greenbutton-dev' <greenbutton-dev@googlegroups.com>
Subject: Re: [OAUTH-WG] Scope parameter values for "authorization_code" and "client_credentials" based access tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Bill Mills <wmills_92105@yahoo.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Feb 2014 17:09:44 -0000
Yes, token #1 with that scope could only access resource #3 and #4 in your example, the other resources don't allow that scope. The only solution in spec is to have the other resource owners allow a scope that token #1 has. You're apparently overloading a bunch of stuff in the scope that most would put in the access token. Are you trying to give a hint to the client about the token? On Sunday, February 16, 2014 10:54 PM, Donald Coffin <donald.coffin@reminetworks.com> wrote: Bill, We understand, per [RFC 6749], the granted SCOPE does not have to match the requested SCOPE, however, in our application a client does an exchange of supported Authorization Server Scopes to ensure the resource owner is NOT asked by the client to select a SCOPE parameter the Authorization Server will be forced to override. We also understand, per [RFC 6740], the SCOPE parameter is a space delimited list. Therefore, the following two examples are not the same: · FB=4_5_15;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13;BR=04 · FB=4_5_15 IntervalDuration=900 BlockDuration=monthly HistoryLength=13 BR=04 The first string represents a single SCOPE parameter, but the second string represents five (5) different SCOPE parameters. Our original definition of the SCOPE string used commas (“,”) where the first example has semi-colons (“;”), however, we found the Spring Security OAuth 2.0 framework treats commas as blanks to support a Facebook SCOPE implementation. This has recently been refactored to support the [RFC 6749] SCOPE definition, as it was found that though Facebook’s documentation calls for commas as SCOPE parameter separators, this was never implemented by Facebook. The following table defines a potential table of access tokens based on granted SCOPE strings: Owner SCOPE Grant Type Access Token Accessible by Access Token Client FB=4_5_16;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13;BR=05 Client_credentials Token 1 NA** RO 1 FB=4_5_15;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13;BR=04 Code Token 2 Token 2 RO 1 FB=4_5_16;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13;BR=04 Code Token 3 Token 3 RO 2 FB=4_5_15;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13;BR=05 Code Token 4 Token 4 RO 3 FB=4_5_16;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13;BR=05 Code Token 5 Token 5 & Token 1 RO 4 FB=4_5_16;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13;BR=05 Code Token 6 Token 6 & Token 1 ** Token 1 is owned by the client and therefore does NOT own any resources for which access can be authorized. The question we are attempting to resolve is which resources can the owner of Token 1 access given the above table? If the owner of Token 1 is allowed to access ALL resources represented by Tokens 2 – 6, then we do not need to worry about identifying which resources can be accessed by using Token 1. However, if Token 1 can only be used to access the resources authorized by resource owner (RO) 3 and 4, then what is the criteria that must be used to validate that Token 1, when used, is able to access the requested resource? Best regards, Don Donald F. Coffin Founder/CTO REMI Networks 22751 El Prado Suite 6216 Rancho Santa Margarita, CA 92688-3836 Phone: (949) 636-8571 Email: donald.coffin@reminetworks.com From:Bill Mills [mailto:wmills_92105@yahoo.com] Sent: Sunday, February 16, 2014 10:02 PM To: Marty Burns; Donald Coffin; oauth@ietf.org Cc: greenbutton-dev Subject: Re: [OAUTH-WG] Scope parameter values for "authorization_code" and "client_credentials" based access tokens The scope requested does not have to match the scope granted. Also note that space is the scope separator per the spec, so BR=04 is not equal to FB=4_5_15;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13;BR=04 but it's your implementation of how you want to interpret scopes. On Sunday, February 16, 2014 5:36 PM, Marty Burns <marty@hypertek.us> wrote: Don, Good comment. One point – the authorizations covered by BulkId=04 would have Scopes of: FB=4_5_15;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13;BR=04 Marty From:greenbutton-dev@googlegroups.com [mailto:greenbutton-dev@googlegroups.com] On Behalf Of Donald Coffin Sent: Sunday, February 16, 2014 8:14 PM To: 'Bill Mills'; oauth@ietf.org Cc: 'greenbutton-dev' Subject: RE: [OAUTH-WG] Scope parameter values for "authorization_code" and "client_credentials" based access tokens Bill, Thanks for your reply, but I’m not sure you fully understand the situation I am attempting to resolve. For example, does an access token obtained via the “client_credentials” request with the following SCOPE parameter: BulkID=04 allow a client to ask for resources when the individual access token contained the following SCOPE parameter: FB=4_5_15;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13 The question is what individual access token authorization should be covered by the “client_credentials” based access token? Best regards, Don Donald F. Coffin Founder/CTO REMI Networks 22751 El Prado Suite 6216 Rancho Santa Margarita, CA 92688-3836 Phone: (949) 636-8571 Email: donald.coffin@reminetworks.com From:Bill Mills [mailto:wmills_92105@yahoo.com] Sent: Saturday, February 15, 2014 8:30 PM To: Donald Coffin; oauth@ietf.org Cc: greenbutton-dev Subject: Re: [OAUTH-WG] Scope parameter values for "authorization_code" and "client_credentials" based access tokens To tokens themselves don't differ based on how they are obtained unless you want them to. No requirement to match scope to the client ID either, but again it's up to you. You do want to get this right. The challenge here is that your resource servers have to get updated to support new scopes. If they support auto-updates then it's not quite as big a deal but it's still non-trivial. -bill On Saturday, February 15, 2014 7:01 PM, Donald Coffin <donald.coffin@reminetworks.com> wrote: I would like to get the views and comments of the OAuth 2.0 IETF WG on the following design and implementation question: I have an application that supports both “authorization_code” and “client_credentials” based access tokens. The application allows a client to obtain data on a nightly basis for resource owners who have granted the application access to their data. The client application retrieves energy usage information and can potentially need to retrieve data from a few accounts to several million accounts. In order to eliminate the need for the client application to request the data from the resource server one account at a time, the client application has been designed to support “client_credentials” based access tokens. Per [RFC 6749 Section 4.4 – “Client Credentials Grant”] The use of the “client_credentials” based access token will allow the client application to obtain access to the data with a single request, thus significantly reducing the amount of network traffic for both the client and the resource server. The question the design team is struggling with is what should the Scope string be for the “client_credentials” based access token and should there be a single access token or can there be multiple “client_credentials” based access tokens? The client application currently supports the following Scope definitions: · FB=4_5_15;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13 · FB=4_5_16;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13 There are several allowable values for the FB=, IntervalDuration=, BlockDuration=, and HistoryLength= values. At the moment, there are only two defined Scope values, but as you can see, there could easily be many more potential possibilities. The question being discussed, is does the “client_credentials” access token request Scope parameter need to match either of the above two strings or can it be something altogether different? In the event the “client_credentials” access token request Scope parameter needs to match a defined Scope string, does that mean that there MUST be multiple “client_credentials” based access tokens? Thanks in advance for helping clarify our understanding of the relationship between “authorization_code” and “client_credentials” based access tokens. Best regards, Don Donald F. Coffin Founder/CTO REMI Networks 22751 El Prado Suite 6216 Rancho Santa Margarita, CA 92688-3836 Phone: (949) 636-8571 Email: donald.coffin@reminetworks.com _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth -- You received this message because you are subscribed to the Google Groups "greenbutton-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to greenbutton-dev+unsubscribe@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
- [OAUTH-WG] Scope parameter values for "authorizat… Donald Coffin
- Re: [OAUTH-WG] Scope parameter values for "author… Bill Mills
- Re: [OAUTH-WG] Scope parameter values for "author… Donald Coffin
- Re: [OAUTH-WG] Scope parameter values for "author… Bill Mills
- Re: [OAUTH-WG] Scope parameter values for "author… Donald Coffin
- Re: [OAUTH-WG] Scope parameter values for "author… Bill Mills
- Re: [OAUTH-WG] Scope parameter values for "author… Donald Coffin
- Re: [OAUTH-WG] Scope parameter values for "author… Bill Mills
- Re: [OAUTH-WG] Scope parameter values for "author… Donald Coffin
- Re: [OAUTH-WG] Scope parameter values for "author… Marty Burns