IETF Logo Mail Archive

Re: [OAUTH-WG] 'Scope' parameter proposal

John Kemp <john@jkemp.net> Mon, 19 April 2010 23:01 UTC

Return-Path: <john@jkemp.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DE2943A6958 for <oauth@core3.amsl.com>; Mon, 19 Apr 2010 16:01:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.373
X-Spam-Level:
X-Spam-Status: No, score=-0.373 tagged_above=-999 required=5 tests=[AWL=-1.308, BAYES_50=0.001, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_57=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e1nrX-BH7mrW for <oauth@core3.amsl.com>; Mon, 19 Apr 2010 16:01:22 -0700 (PDT)
Received: from outbound-mail-158.bluehost.com (cpoproxy2-pub.bluehost.com [67.222.39.38]) by core3.amsl.com (Postfix) with SMTP id 860243A6978 for <oauth@ietf.org>; Mon, 19 Apr 2010 16:01:21 -0700 (PDT)
Received: (qmail 2615 invoked by uid 0); 19 Apr 2010 23:01:13 -0000
Received: from unknown (HELO box320.bluehost.com) (69.89.31.120) by cpoproxy2.bluehost.com with SMTP; 19 Apr 2010 23:01:13 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=jkemp.net; h=Received:Subject:Mime-Version:Content-Type:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:X-Mailer:X-Identified-User; b=UWAgatPFgqyayuDFt6IrRbidDA71WiXuSKQrtDzTtRl6jJiLGM/LLMuyMW4O9L86pVjia9r13RE6toJo4RLIdH/ZrfVMXARI45YtvsYONn1LZriP6vnbb0IiEPXbBm34;
Received: from cpe-69-205-56-47.nycap.res.rr.com ([69.205.56.47] helo=[192.168.1.103]) by box320.bluehost.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.69) (envelope-from <john@jkemp.net>) id 1O3zxo-0001Xq-Nd; Mon, 19 Apr 2010 17:01:13 -0600
Mime-Version: 1.0 (Apple Message framework v1078)
Content-Type: text/plain; charset="us-ascii"
From: John Kemp <john@jkemp.net>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723438E5C7F30A@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Mon, 19 Apr 2010 19:01:10 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <8A2051B5-184E-43F8-9000-01273790505C@jkemp.net>
References: <C7F1D1FC.32809%eran@hueniverse.com> <0D5497F5-75A7-4A42-9A5E-9C2310162B18@jkemp.net> <90C41DD21FB7C64BB94121FBBC2E723438E5C7F30A@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <eran@hueniverse.com>
X-Mailer: Apple Mail (2.1078)
X-Identified-User: {1122:box320.bluehost.com:jkempnet:jkemp.net} {sentby:smtp auth 69.205.56.47 authed with john+jkemp.net}
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] 'Scope' parameter proposal
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2010 23:01:24 -0000

On Apr 19, 2010, at 6:17 PM, Eran Hammer-Lahav wrote:

[...]


>>> 
>> 
>> I think that there is much that is unspecified in this model and thus it doesn't
>> provide much interoperability. If we don't tell the client what to do with the
>> scope, and we don't specify what a server means by supplying a scope, I'm
>> not sure what the point is to specifying this at all as clients will still need some
>> documentation or be hard-coded (which token service do I get such a token
>> from?)
> 
> Why?
> 
> The server tells the client what scope is needed for each resource. It can be a single scope id or multiple. The client checks to see if it has an access token issued with that scope combination. If it doesn't it goes and request an access token, and includes the required scope in the request. We can also allow the server to tell the client what scope an issued token includes in the token reply.
> 
> The client doesn't need to understand the internal structure of the scope identifiers. It just need to know what to ask for when trying to access an unfamiliar resource. No documentation is needed.

Which server does the client ask to get a token with the particular scope which was asked for? How does the client determine that it's OK to ask server B for a token with scope X at server A?

> 
> Client: I want to get an address book record with the latest email to that person.
> Server: You need an access token scoped for "Contact" and "Email".
> Client: Can I get an access token for scope=contact,email?

To whom does the client address the above question? How does the client know that server's URL without it either being available in documentation or hard-coded inside the client? 

I'm just questioning whether the "amount of interoperability" you get (client still needs to read some documentation in order to participate) is sufficient to make the specification of 'scope' worthwhile on its own, unless we supply it with some more shared semantics. 

- johnk

v2.23.0 | Report a Bug | By Email