Re: [OAUTH-WG] OAuth 2.0 and Access Control Lists (ACL)

Blaine Cook <romeda@gmail.com> Sun, 18 December 2011 17:49 UTC

From: Blaine Cook <romeda@gmail.com>
Date: Sun, 18 Dec 2011 17:49:26 +0000
Message-ID: <CAAz=scniUci7-FDaVA9n78TpgH2c3rdeHV90ue6YCrn5E-NkvA@mail.gmail.com>
To: Doug Tangren <d.tangren@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.0 and Access Control Lists (ACL)

On 18 December 2011 17:22, Doug Tangren <d.tangren@gmail.com> wrote:
>
> On Sun, Dec 18, 2011 at 12:05 PM, Melvin Carvalho <melvincarvalho@gmail.com>
> wrote:
>>
>> Is this kind of flow possible with OAuth 2.0, and if so whose
>> responsibility is it to maintain the list of agents that can access
>> the resource?
>
> The scope parameter fulfills this role. It would be up to the service to
> document the scope for clients, the auth server to ask the user if they
> wished to allow the client this extra scope of access, and the resource server
> to interpret the scope for the particular request.

It's not necessary to use the scope parameter; you'd probably want
some private API that allows an authenticated client to say something
like: "User x is also allowed to access this resource", and when User
X's client obtains an access token, they'll be able to access the
resource in question.

The ACL in any event is the responsibility of the service provider, as
the service provider is the only entity able to enforce access
control.

b.
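The split the thread describes, sketched as an added example that is not part of the original exchange: the resource server keeps the ACL itself and exposes a private "user x is also allowed" call to the owner's authenticated client, while the token's scope only governs what kind of operation the client may perform. All names, tokens and resources below are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessToken:
    """Minimal view of an already-validated OAuth 2.0 access token."""
    subject: str                     # user the token was issued to
    scope: frozenset = frozenset()   # e.g. {"read", "share"}


@dataclass
class Resource:
    owner: str
    allowed: set = field(default_factory=set)   # the ACL, held by the service


class ResourceServer:
    """Hypothetical service provider: it stores and enforces the ACL."""

    def __init__(self):
        self.resources = {}

    def create(self, token, name):
        # The creator owns the resource and is the ACL's first entry.
        self.resources[name] = Resource(owner=token.subject,
                                        allowed={token.subject})

    def share(self, token, name, user):
        """Private API: 'User x is also allowed to access this resource'.
        Returns False unless the calling token belongs to the owner and
        carries the 'share' scope; the ACL never leaves the service."""
        res = self.resources[name]
        if res.owner != token.subject or "share" not in token.scope:
            return False
        res.allowed.add(user)
        return True

    def can_read(self, token, name):
        """Two independent checks, both made here: the scope says what the
        client may do on the user's behalf, the ACL says whether that user
        may see this resource at all. No scope value encodes the ACL."""
        res = self.resources[name]
        return "read" in token.scope and token.subject in res.allowed
```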