Re: [OAUTH-WG] 'Scope' parameter proposal
Chasen Le Hara <chasen@ironmoney.com> Thu, 22 April 2010 00:36 UTC
Return-Path: <chasen@ironmoney.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 68E7B3A67F0 for <oauth@core3.amsl.com>; Wed, 21 Apr 2010 17:36:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.93
X-Spam-Level:
X-Spam-Status: No, score=0.93 tagged_above=-999 required=5 tests=[BAYES_50=0.001, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SARE_URI_CONS7=0.306]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ovTWP6s8D0+7 for <oauth@core3.amsl.com>; Wed, 21 Apr 2010 17:36:40 -0700 (PDT)
Received: from mail-iw0-f194.google.com (mail-iw0-f194.google.com [209.85.223.194]) by core3.amsl.com (Postfix) with ESMTP id 20BF23A67A3 for <oauth@ietf.org>; Wed, 21 Apr 2010 17:36:40 -0700 (PDT)
Received: by iwn32 with SMTP id 32so5055515iwn.18 for <oauth@ietf.org>; Wed, 21 Apr 2010 17:36:28 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.15.68 with HTTP; Wed, 21 Apr 2010 17:36:27 -0700 (PDT)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723438E5C7FA4A@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <C7F1D1FC.32809%eran@hueniverse.com> <620F3756-E159-4EF3-99DC-6D74CC869739@gmail.com> <90C41DD21FB7C64BB94121FBBC2E723438E5C7F48B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <h2xc334d54e1004200918s4bea7c3ez8ce69bb1a9c18151@mail.gmail.com> <530467FD-2F27-4CF7-BEFF-07ACEAD6C2AD@xmlgrrl.com> <z2y4c07358b1004211322j6b018305l50ad3e130b49a905@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723438E5C7FA4A@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Wed, 21 Apr 2010 17:36:27 -0700
Received: by 10.231.152.79 with SMTP id f15mr2375719ibw.19.1271896587656; Wed, 21 Apr 2010 17:36:27 -0700 (PDT)
Message-ID: <n2s4c07358b1004211736q63841b11w51818f6cf22559c6@mail.gmail.com>
From: Chasen Le Hara <chasen@ironmoney.com>
To: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="001636c92aa34c5d4e0484c880db"
Subject: Re: [OAUTH-WG] 'Scope' parameter proposal
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Apr 2010 00:36:41 -0000
Your original proposal seems like it would do the trick, although I would make the allowed scope values as flexible as possible while allowing multiple scope values to be separated by commas or spaces. If the scope values were opaque to the client, then a server could use values such as "accounts", "read:accounts", or "GET:accounts". This would fit my needs for Iron Money. As proposed, the server could respond to unauthorized requests with the minimum scope values required to make the client’s next request successful. Hopefully this is the kind of feedback you were looking for. -Chasen On Wed, Apr 21, 2010 at 2:41 PM, Eran Hammer-Lahav <eran@hueniverse.com>wrote: > How about review the proposals? > > > > EHL > > > > *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On Behalf > Of *Chasen Le Hara > *Sent:* Wednesday, April 21, 2010 1:23 PM > *To:* Eve Maler > *Cc:* jsmarr@stanfordalumni.org; OAuth WG > > *Subject:* Re: [OAUTH-WG] 'Scope' parameter proposal > > > > Hi all, > > > > On Tue, Apr 20, 2010 at 6:05 PM, Eve Maler <eve@xmlgrrl.com> wrote: > > It seems like this proposal "goes there" in terms of getting as expressive > as Eran fears, though the addition of the wildcard takes away a good deal of > the pain depending on the particular interface at the endpoint(s). Is there > any wider interest in "going there"? > > > > Yes. A couple months ago Iron Money implemented a permissions system[1] > that includes read_permissions and write_permissions as parameters when > getting a request token. Those two parameters take a comma-separated list of > pre-defined resource values (such as "write_permissions=accounts" for read > and write permissions for the /accounts/ resource). > > > > If what is specified by OAuth 2.0 doesn’t meet Iron Money’s needs, that’s > fine, but I wanted to raise my hand high as one of the people interested in > a high level of expressiveness. > > -Chasen > > > > [1] https://ironmoney.com/api/permissions/ >
- [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Luke Shepard
- Re: [OAUTH-WG] 'Scope' parameter proposal Marius Scurtescu
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Torsten Lodderstedt
- Re: [OAUTH-WG] 'Scope' parameter proposal Marius Scurtescu
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal David Recordon
- Re: [OAUTH-WG] 'Scope' parameter proposal John Kemp
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal John Kemp
- Re: [OAUTH-WG] 'Scope' parameter proposal Marius Scurtescu
- Re: [OAUTH-WG] 'Scope' parameter proposal Dick Hardt
- Re: [OAUTH-WG] 'Scope' parameter proposal Manger, James H
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Torsten Lodderstedt
- Re: [OAUTH-WG] 'Scope' parameter proposal Torsten Lodderstedt
- [OAUTH-WG] Consistency in access token parameter Luke Shepard
- Re: [OAUTH-WG] Consistency in access token parame… Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Joseph Smarr
- Re: [OAUTH-WG] Consistency in access token parame… Joseph Smarr
- Re: [OAUTH-WG] Consistency in access token parame… Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Eve Maler
- Re: [OAUTH-WG] 'Scope' parameter proposal Manger, James H
- Re: [OAUTH-WG] 'Scope' parameter proposal John Kemp
- Re: [OAUTH-WG] 'Scope' parameter proposal Chasen Le Hara
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Chasen Le Hara
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal John Kemp
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Chasen Le Hara
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Eve Maler
- Re: [OAUTH-WG] 'Scope' parameter proposal Manger, James H
- Re: [OAUTH-WG] 'Scope' parameter proposal Torsten Lodderstedt
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Torsten Lodderstedt
- Re: [OAUTH-WG] 'Scope' parameter proposal John Panzer
- Re: [OAUTH-WG] 'Scope' parameter proposal Keenan, Bill
- Re: [OAUTH-WG] 'Scope' parameter proposal Luke Shepard