Re: [OAUTH-WG] Scope parameter values for "authorization_code" and "client_credentials" based access tokens
Bill Mills <wmills_92105@yahoo.com> Mon, 17 February 2014 06:01 UTC
Return-Path: <wmills_92105@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0F0F1A034B for <oauth@ietfa.amsl.com>; Sun, 16 Feb 2014 22:01:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level:
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.548] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KEQY3U_IdU07 for <oauth@ietfa.amsl.com>; Sun, 16 Feb 2014 22:01:43 -0800 (PST)
Received: from nm34-vm5.bullet.mail.bf1.yahoo.com (nm34-vm5.bullet.mail.bf1.yahoo.com [72.30.239.77]) by ietfa.amsl.com (Postfix) with ESMTP id 276A21A02DD for <oauth@ietf.org>; Sun, 16 Feb 2014 22:01:43 -0800 (PST)
Received: from [66.196.81.172] by nm34.bullet.mail.bf1.yahoo.com with NNFMP; 17 Feb 2014 06:01:40 -0000
Received: from [98.139.212.212] by tm18.bullet.mail.bf1.yahoo.com with NNFMP; 17 Feb 2014 06:01:40 -0000
Received: from [127.0.0.1] by omp1021.mail.bf1.yahoo.com with NNFMP; 17 Feb 2014 06:01:40 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 448201.60580.bm@omp1021.mail.bf1.yahoo.com
Received: (qmail 44103 invoked by uid 60001); 17 Feb 2014 06:01:40 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1392616900; bh=Mnuhkxev5EsCKPU63KyJGDwqWptvapzFNkW4wv7Unvs=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=fvmFCMcU+aJc8xhlKkr8pdu7v7Tmgsgq2zCV9LaKNhkeaUBQ1jFD7PAE3GlidCMT5MSQ5vznnR79vjznItiNibb16Xb2J07McXfQV08+5xJbUzVI/a8ICVAnWgEkjw/DYN+7zf03hyi7zsXGcqPqaoaEdGlLxc5KEqM04zZgkCQ=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=TFbc5CM6HvN6Z+0gj45mHokT5Es/wwhe5Pl7+/c21u1WJQtwvNx9TKbxIf8ivwy4NMJSFo4kt5c4DNbKVb12XdlcBMBsF12Ibg0JPyn7tkU4/vBCslZdYD3IPrI52y1ET4ubBFtMbKPtoZs2p0872/F+9bnRwVLvnl+RNEo7f30=;
X-YMail-OSG: EGoDPlMVM1kP42NTY01lf31Uda3Drh3S7dW4zpiSmE1fmfr NJZxhyMayOdde8PadyMOn7WDe.L1D2D97tMgMpTkdTemdZ0SF_oCYN.SbmSX BLJNa.pshaLYLjjwpZJXuZZl3qERA9PUoi2CkQI4iYmK5Ak31rIKnVB.dBUV RP7sihAfN1WxGWQAUgCY8YjrAXmJu7_MGA_n37rmjz55sPTFKas16.y0YQYo L0p2XUHLmeCdPr8PUPIoN1VLjaSC3pKmIkJn2CzyrbldYqd6k4FLQMRLCy0t XCy0lCh.18gXkXPkahwlMTqgrqSX5F_QHQXlWKn48iP.vMtKtcx0w7XyWhtA NMKj0zGthSyfmskAGj_PY4kFDAjmopNXM8MueC9nfJNQ8E5HTAxoOv9Gn6sj 1vi3ZfAes..WSXfO8aPErTaTuAmtz9U88rQwKJPc4hU0qG24MbqAlOxjMfUz vyu3kpHecndgG5ObUS_cBn2eq.U4aE63cebdnlSwP9aUXirWqaR31pCgwjYF S5NLgYov9lF.D5MwZ7Q9PFT0P1PY_twZcDsbStMQoHcqyqhhpuIffo5HlaMU 8ZGSG2YBAOP0CBPG8CtdZnYjTdLlvc5iu49VRlTG55jYsZroc.n0221gnbVC TiQd1MM4POQTukITf6obE.53lteKKecRJbkt5M0Y.djL20g1RudG1eAya.Kh v27JUFNI-
Received: from [99.31.212.42] by web142801.mail.bf1.yahoo.com via HTTP; Sun, 16 Feb 2014 22:01:40 PST
X-Rocket-MIMEInfo: 002.001, VGhlIHNjb3BlIHJlcXVlc3RlZCBkb2VzIG5vdCBoYXZlIHRvIG1hdGNoIHRoZSBzY29wZSBncmFudGVkLiDCoAoKQWxzbyBub3RlIHRoYXQgc3BhY2UgaXMgdGhlIHNjb3BlIHNlcGFyYXRvciBwZXIgdGhlIHNwZWMsIHNvIEJSPTA0IGlzIG5vdCBlcXVhbCB0byBGQj00XzVfMTU7SW50ZXJ2YWxEdXJhdGlvbj05MDA7QmxvY2tEdXJhdGlvbj1tb250aGx5O0hpc3RvcnlMZW5ndGg9MTM7QlI9MDQgYnV0IGl0J3MgeW91ciBpbXBsZW1lbnRhdGlvbiBvZiBob3cgeW91IHdhbnQgdG8gaW50ZXJwcmV0IHNjb3Blcy4BMAEBAQE-
X-Mailer: YahooMailWebService/0.8.177.636
References: <002301cf2ac2$f0053990$d00facb0$@reminetworks.com> <1392525020.7390.YahooMailNeo@web142801.mail.bf1.yahoo.com> <000e01cf2b7d$79a66c90$6cf345b0$@reminetworks.com> <0e9117b9bb80c29d3e3a53ab64392e94@mail.gmail.com>
Message-ID: <1392616900.46009.YahooMailNeo@web142801.mail.bf1.yahoo.com>
Date: Sun, 16 Feb 2014 22:01:40 -0800
From: Bill Mills <wmills_92105@yahoo.com>
To: Marty Burns <marty@hypertek.us>, Donald Coffin <donald.coffin@reminetworks.com>, "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <0e9117b9bb80c29d3e3a53ab64392e94@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="469468616-904707550-1392616900=:46009"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/mz0KgjJKPfcNrVUyO51dJyG2lRw
Cc: greenbutton-dev <greenbutton-dev@googlegroups.com>
Subject: Re: [OAUTH-WG] Scope parameter values for "authorization_code" and "client_credentials" based access tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Bill Mills <wmills_92105@yahoo.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Feb 2014 06:01:47 -0000
The scope requested does not have to match the scope granted. Also note that space is the scope separator per the spec, so BR=04 is not equal to FB=4_5_15;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13;BR=04 but it's your implementation of how you want to interpret scopes. On Sunday, February 16, 2014 5:36 PM, Marty Burns <marty@hypertek.us> wrote: Don, Good comment. One point – the authorizations covered by BulkId=04 would have Scopes of: FB=4_5_15;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13;BR=04 Marty From:greenbutton-dev@googlegroups.com [mailto:greenbutton-dev@googlegroups.com] On Behalf Of Donald Coffin Sent: Sunday, February 16, 2014 8:14 PM To: 'Bill Mills'; oauth@ietf.org Cc: 'greenbutton-dev' Subject: RE: [OAUTH-WG] Scope parameter values for "authorization_code" and "client_credentials" based access tokens Bill, Thanks for your reply, but I’m not sure you fully understand the situation I am attempting to resolve. For example, does an access token obtained via the “client_credentials” request with the following SCOPE parameter: BulkID=04 allow a client to ask for resources when the individual access token contained the following SCOPE parameter: FB=4_5_15;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13 The question is what individual access token authorization should be covered by the “client_credentials” based access token? Best regards, Don Donald F. Coffin Founder/CTO REMI Networks 22751 El Prado Suite 6216 Rancho Santa Margarita, CA 92688-3836 Phone: (949) 636-8571 Email: donald.coffin@reminetworks.com From:Bill Mills [mailto:wmills_92105@yahoo.com] Sent: Saturday, February 15, 2014 8:30 PM To: Donald Coffin; oauth@ietf.org Cc: greenbutton-dev Subject: Re: [OAUTH-WG] Scope parameter values for "authorization_code" and "client_credentials" based access tokens To tokens themselves don't differ based on how they are obtained unless you want them to. No requirement to match scope to the client ID either, but again it's up to you. You do want to get this right. The challenge here is that your resource servers have to get updated to support new scopes. If they support auto-updates then it's not quite as big a deal but it's still non-trivial. -bill On Saturday, February 15, 2014 7:01 PM, Donald Coffin <donald.coffin@reminetworks.com> wrote: I would like to get the views and comments of the OAuth 2.0 IETF WG on the following design and implementation question: I have an application that supports both “authorization_code” and “client_credentials” based access tokens. The application allows a client to obtain data on a nightly basis for resource owners who have granted the application access to their data. The client application retrieves energy usage information and can potentially need to retrieve data from a few accounts to several million accounts. In order to eliminate the need for the client application to request the data from the resource server one account at a time, the client application has been designed to support “client_credentials” based access tokens. Per [RFC 6749 Section 4.4 – “Client Credentials Grant”] The use of the “client_credentials” based access token will allow the client application to obtain access to the data with a single request, thus significantly reducing the amount of network traffic for both the client and the resource server. The question the design team is struggling with is what should the Scope string be for the “client_credentials” based access token and should there be a single access token or can there be multiple “client_credentials” based access tokens? The client application currently supports the following Scope definitions: · FB=4_5_15;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13 · FB=4_5_16;IntervalDuration=900;BlockDuration=monthly;HistoryLength=13 There are several allowable values for the FB=, IntervalDuration=, BlockDuration=, and HistoryLength= values. At the moment, there are only two defined Scope values, but as you can see, there could easily be many more potential possibilities. The question being discussed, is does the “client_credentials” access token request Scope parameter need to match either of the above two strings or can it be something altogether different? In the event the “client_credentials” access token request Scope parameter needs to match a defined Scope string, does that mean that there MUST be multiple “client_credentials” based access tokens? Thanks in advance for helping clarify our understanding of the relationship between “authorization_code” and “client_credentials” based access tokens. Best regards, Don Donald F. Coffin Founder/CTO REMI Networks 22751 El Prado Suite 6216 Rancho Santa Margarita, CA 92688-3836 Phone: (949) 636-8571 Email: donald.coffin@reminetworks.com _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth -- You received this message because you are subscribed to the Google Groups "greenbutton-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to greenbutton-dev+unsubscribe@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
- [OAUTH-WG] Scope parameter values for "authorizat… Donald Coffin
- Re: [OAUTH-WG] Scope parameter values for "author… Bill Mills
- Re: [OAUTH-WG] Scope parameter values for "author… Donald Coffin
- Re: [OAUTH-WG] Scope parameter values for "author… Bill Mills
- Re: [OAUTH-WG] Scope parameter values for "author… Donald Coffin
- Re: [OAUTH-WG] Scope parameter values for "author… Bill Mills
- Re: [OAUTH-WG] Scope parameter values for "author… Donald Coffin
- Re: [OAUTH-WG] Scope parameter values for "author… Bill Mills
- Re: [OAUTH-WG] Scope parameter values for "author… Donald Coffin
- Re: [OAUTH-WG] Scope parameter values for "author… Marty Burns