Re: [OAUTH-WG] Requesting multiple scope, but user authorizes not all
Igor Faynberg <igor.faynberg@alcatel-lucent.com> Tue, 30 November 2010 17:24 UTC
To: Nat Sakimura <sakimura@gmail.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Nat Sakimura wrote:
> I think such things are better dealt with extensions.

Sure. But first we need to define that which we will later extend.

> I do not like to overload "scope".

Neither do I, as long as "overloading" means varying the original semantics. But, again, at the moment we have no definition of "scope."

> =nat
>
> On Sat, Nov 27, 2010 at 5:26 AM, Igor Faynberg <igor.faynberg@alcatel-lucent.com> wrote:
>
>> In the context of Martin's question (which concerns end-users' understanding and resulting actions), I interpret the citation as follows: The end-user has no control over the value of the "scope" parameter, and, given that "it is defined by the authorization server," the end-user is not expected even to understand this value. Granted, an implementation can of course fix this specific issue, but the standard does not address it.
>>
>> Overall, I do see this is a drawback of 2.0, which needs to be fixed by careful specification of the "scope" values in the future, but I know that 2.0 needs to be out and that it has high-priority items (such as security) to be dealt with right now. I don't want to delay 2.0 by suggesting drastic changes in the design decisions, so I am not harping on the seeming irrelevance of the end-user.
>>
>> With the view of OAuth evolution though, I would like to see the whole token standardized, with the end-user having the overall control of the token--even if in the default situation it is still prepared by the authorization server--with the ability to assign or change (or both) any value contained in it.
>>
>> Igor
>>
>> Eran Hammer-Lahav wrote:
>>
>>> -10 4.2:
>>>
>>>     scope
>>>         OPTIONAL. The scope of the access token as a list of space-delimited strings. The value of the "scope" parameter is defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope. The authorization server SHOULD include the parameter if the requested scope is different from the one requested by the client.
>>>
>>> EHL
>>>
>>>> -----Original Message-----
>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Martin Ley
>>>> Sent: Friday, November 26, 2010 12:41 AM
>>>> To: oauth@ietf.org
>>>> Subject: [OAUTH-WG] Requesting multiple scope, but user authorizes not all
>>>>
>>>> Dear list,
>>>>
>>>> perhaps I've overread it in the specification or it was not explicit about my required scenario:
>>>>
>>>> The Web-Server-Flow is used. An application requests data about the user. The scopes are dateofbirth,isover18,address. Now the user is forwarded to the authorization server to identify and authenticate and give permissions to the applications. The user decides to give only permission for the isover18 scope but not dateofbirth and address.
>>>>
>>>> How would the application be notified about the granted scopes and the not granted scopes?
>>>>
>>>> Best regards
>>>>
>>>> Martin
>>>>
>>>> --
>>>> tarent Gesellschaft für Softwareentwicklung und IT-Beratung mbH
>>>> Managing directors: Boris Esser, Elmar Geese; HRB AG Bonn 5168; USt-ID (VAT): DE122264941
>>>>
>>>> Heilsbachstraße 24, 53123 Bonn, Phone: +49 228 52675-0
>>>> Thiemannstraße 36a, 12059 Berlin, Phone: +49 30 5682943-30
>>>> Internet: http://www.tarent.de/ Fax: +49 228 52675-25
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
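An added example, not part of the thread or of the draft, showing how a client can reconcile the scope it requested with the scope the authorization server reports back under the draft -10 section 4.2 text quoted above (space-delimited, order-insensitive, parameter may be omitted when the grant matches the request). The JSON token response is a constructed sample for Martin's scenario, and the function names are my own.

```python
# Added example (not from the mailing-list thread): client-side reconciliation
# of requested vs. granted OAuth 2.0 scope, following the draft -10 4.2 text
# quoted in the thread. Constructed sample data; function names are mine.
import json


def parse_scope(value):
    """Split a space-delimited scope string into a set (order does not matter)."""
    if not value:
        return set()
    return set(value.split())


def reconcile_scope(requested, token_response):
    """Return (granted, denied, unexpected) scope sets for a token response.

    requested:      the scope string the client sent on the authorization request
    token_response: decoded JSON body of the token endpoint response

    The draft says the server SHOULD include "scope" when it differs from the
    request, so an absent parameter is read as "granted exactly as requested".
    Anything granted that was never requested is reported separately so the
    client can flag it instead of silently using it.
    """
    wanted = parse_scope(requested)
    if "scope" not in token_response:
        return wanted, set(), set()
    got = parse_scope(token_response["scope"])
    return wanted & got, wanted - got, got - wanted


def may_use(granted, needed):
    """True only if every scope string needed for an operation was granted."""
    return parse_scope(needed) <= granted


# Constructed sample: Martin's scenario, where the user consents to isover18 only.
REQUESTED = "dateofbirth isover18 address"
SAMPLE_RESPONSE = json.loads('{"access_token": "EXAMPLE_TOKEN", "scope": "isover18"}')

if __name__ == "__main__":
    granted, denied, unexpected = reconcile_scope(REQUESTED, SAMPLE_RESPONSE)
    print("granted:   ", sorted(granted))     # ['isover18']
    print("denied:    ", sorted(denied))      # ['address', 'dateofbirth']
    print("unexpected:", sorted(unexpected))  # []
    # The client must not call the date-of-birth resource with this token.
    print("can read dateofbirth:", may_use(granted, "dateofbirth"))  # False
```

Treat the "denied" and "unexpected" sets as decisions for the application, not as an error to retry: the reduced scope is the user's choice, and the client should degrade its features accordingly.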