IETF Logo Mail Archive

Re: [OAUTH-WG] Requesting mutliple scope, but user authorizes not all

Igor Faynberg <igor.faynberg@alcatel-lucent.com> Tue, 30 November 2010 17:24 UTC

Return-Path: <igor.faynberg@alcatel-lucent.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 229F928C0D9 for <oauth@core3.amsl.com>; Tue, 30 Nov 2010 09:24:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.266
X-Spam-Level:
X-Spam-Status: No, score=-5.266 tagged_above=-999 required=5 tests=[AWL=1.333, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UQyeOOz8+DEC for <oauth@core3.amsl.com>; Tue, 30 Nov 2010 09:24:46 -0800 (PST)
Received: from ihemail2.lucent.com (ihemail2.lucent.com [135.245.0.35]) by core3.amsl.com (Postfix) with ESMTP id 4FAFC3A6BCC for <oauth@ietf.org>; Tue, 30 Nov 2010 09:24:45 -0800 (PST)
Received: from umail.lucent.com (h135-3-40-63.lucent.com [135.3.40.63]) by ihemail2.lucent.com (8.13.8/IER-o) with ESMTP id oAUHPsr8021924 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 30 Nov 2010 11:25:54 -0600 (CST)
Received: from [135.244.2.139] ([135.244.2.139]) by umail.lucent.com (8.13.8/TPES) with ESMTP id oAUHPrkk006870; Tue, 30 Nov 2010 11:25:53 -0600 (CST)
Message-ID: <4CF533A1.9050108@alcatel-lucent.com>
Date: Tue, 30 Nov 2010 12:25:53 -0500
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
Organization: Alcatel-Lucent
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: Nat Sakimura <sakimura@gmail.com>
References: <20101126094122.53764oqlukyiow4y@ugs.tarent.de> <90C41DD21FB7C64BB94121FBBC2E72343D4B065398@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4CF01805.7030607@alcatel-lucent.com> <AANLkTimbgd6g5RS-dKdEJ31CvFJoZrrnLeJyV8r-=-+h@mail.gmail.com>
In-Reply-To: <AANLkTimbgd6g5RS-dKdEJ31CvFJoZrrnLeJyV8r-=-+h@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.35
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Requesting mutliple scope, but user authorizes not all
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: igor.faynberg@alcatel-lucent.com
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Nov 2010 17:24:48 -0000

Nat Sakimura wrote:
> I think such things are better dealt with extensions.
>   
Sure. But first we need to define that which we will later extend.
> I do not like to overload "scope".
>   

Neither do I, as long as "overloading"  means varying the original 
semantics. But, again, at the moment we have no definition of "scope."
> =nat
>
> On Sat, Nov 27, 2010 at 5:26 AM, Igor Faynberg
> <igor.faynberg@alcatel-lucent.com> wrote:
>   
>> In the context of Martin's question (which concerns end-users understanding
>> and resulting actions), I interpret the citation as follows: The end-user
>> has no control over the value of the "scope" parameter, and, given that "it
>> is defined by the authorization server," the end-user is not expected  even
>> to understand this value. Granted, an implementation can of course fix this
>> specific issue, but the standard does not address it.
>>
>> Overall, I do tsee this is a drawback of 2.0, which needs to be fixed by
>> careful specification of the "scope" values in the future, but I know that
>> 2.0 needs to be out and that it has high-priority items (such as security)
>> to be dealt with right now. I don't want to delay 2.0 by suggesting drastic
>> changes in the design decisions, so I am not harping on the seeming
>> irrelevance of the end-user.
>>
>> With the view of OAuth evolution though, I would like to see the whole token
>> standardized, with the end-user having the overall control of the
>> token--even if in the default situation it is still prepared by the
>> authorization server-- with the ability to assign or change (or both) any
>> value contained in it.
>>
>> Igor
>>
>>
>> Eran Hammer-Lahav wrote:
>>     
>>> -10 4.2:
>>>
>>>   scope
>>>         OPTIONAL.  The scope of the access token as a list of space-
>>>         delimited strings.  The value of the "scope" parameter is
>>>         defined by the authorization server.  If the value contains
>>>         multiple space-delimited strings, their order does not matter,
>>>         and each string adds an additional access range to the
>>>         requested scope.  The authorization server SHOULD include the
>>>         parameter if the requested scope is different from the one
>>>         requested by the client.
>>>
>>> EHL
>>>
>>>
>>>       
>>>> -----Original Message-----
>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>>>> Of Martin Ley
>>>> Sent: Friday, November 26, 2010 12:41 AM
>>>> To: oauth@ietf.org
>>>> Subject: [OAUTH-WG] Requesting mutliple scope, but user authorizes not
>>>> all
>>>>
>>>> Dear list,
>>>>
>>>> perhaps I've overread it in the specification or it was not explicit
>>>> about my
>>>> required scenario:
>>>>
>>>>
>>>> The Web-Server-Flow is used. An application requests data about the user.
>>>> The scopes are dateofbirth,isover18,address. Now the user is forwarded to
>>>> the authorization server to identify and authenticate and give
>>>> permissions to
>>>> the applications. The user decides to give only permission for the
>>>> isover18
>>>> scope but not dateofbirth and address.
>>>>
>>>> How would the application be notified about the granted scopes and the
>>>> not
>>>> granted scopes?
>>>>
>>>> Best regards
>>>>
>>>> Martin
>>>>
>>>>
>>>> --
>>>> tarent Gesellschaft für Softwareentwicklung und IT-Beratung mbH
>>>> Geschäftsführer: Boris Esser, Elmar Geese HRB AG Bonn 5168 - USt-ID
>>>> (VAT):
>>>> DE122264941
>>>>
>>>> Heilsbachstraße 24, 53123 Bonn,   Telefon: +49 228 52675-0
>>>> Thiemannstraße 36a, 12059 Berlin, Telefon: +49 30 5682943-30
>>>> Internet: http://www.tarent.de/   Telefax: +49 228 52675-25
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>         
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>       
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>     
>
>
>
>

v2.23.0 | Report a Bug | By Email