Re: [OAUTH-WG] Scope - Coming to a Consensus

Pelle Braendgaard <pelle@stakeventures.com> Fri, 30 April 2010 21:13 UTC

Return-Path: <pelleb@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C6AD73A6C31 for <oauth@core3.amsl.com>; Fri, 30 Apr 2010 14:13:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.283
X-Spam-Level:
X-Spam-Status: No, score=-0.283 tagged_above=-999 required=5 tests=[AWL=-0.395, BAYES_05=-1.11, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_62=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id En7ONNBuDQYG for <oauth@core3.amsl.com>; Fri, 30 Apr 2010 14:13:39 -0700 (PDT)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by core3.amsl.com (Postfix) with ESMTP id A401B3A6C23 for <oauth@ietf.org>; Fri, 30 Apr 2010 14:13:37 -0700 (PDT)
Received: by fxm4 with SMTP id 4so623848fxm.31 for <oauth@ietf.org>; Fri, 30 Apr 2010 14:13:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:sender:received :in-reply-to:references:date:x-google-sender-auth:message-id:subject :from:to:content-type; bh=wa0F1uSoTpRDH/GyOf1bcZNsUCrJbCDHxHp9dQei0D4=; b=PZuPtjNuWolACwd5KtwxX3HmceOVEV1NGjwnnQSkJ0aQO1yp6Se1yz1m9EHt7GK9NZ 1WO/YHBDBoH5VfNO706beY81wsulehNGVtTxhuPIPYSAwH+t9YyH1Wbk/XBS9ayZPoa0 4OOFhhmd/ZzbdrooJ2vHNqUFBb2g7UNxYQi3k=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type; b=Kv8U/uGD92hfmbmLYBDU5kqT1Qeje0r/NsyVKppLwMXx/NLdMEkiUSJjVRmV1y7E5x F6N89kf14WQWIw351YekNPc2aO7kZPeXQEdjcXlb/77P5dlAH6dodKcaob3qE+UmoMPz YXHHetwcBDjF+8cdH7+hOsmczcVP4ibnO3wxE=
MIME-Version: 1.0
Received: by 10.223.5.81 with SMTP id 17mr1673042fau.42.1272662000386; Fri, 30 Apr 2010 14:13:20 -0700 (PDT)
Sender: pelleb@gmail.com
Received: by 10.223.111.205 with HTTP; Fri, 30 Apr 2010 14:13:20 -0700 (PDT)
In-Reply-To: <m2tc334d54e1004301352zf2a7f1cbi3fc90525ffddbf8@mail.gmail.com>
References: <90C41DD21FB7C64BB94121FBBC2E723439321772EF@P3PW5EX1MB01.EX1.SECURESERVER.NET> <C80078D0.2D681%atom@yahoo-inc.com> <m2tc334d54e1004301352zf2a7f1cbi3fc90525ffddbf8@mail.gmail.com>
Date: Fri, 30 Apr 2010 17:13:20 -0400
X-Google-Sender-Auth: f4473478c09935e8
Message-ID: <m2jce1325031004301413x6f4b3341h5e8844311d109a79@mail.gmail.com>
From: Pelle Braendgaard <pelle@stakeventures.com>
To: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [OAUTH-WG] Scope - Coming to a Consensus
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Apr 2010 21:13:41 -0000

+1 for #3

Since google implemented I always thought it an elegant simple way of
requesting access.

On Fri, Apr 30, 2010 at 4:52 PM, Joseph Smarr <jsmarr@gmail.com> wrote:
> I also vote for #3. I think our field experience has shown that a) lack of a
> standard place to stick scope info in access token requests leads to
> per-provider inconsistencies that further complicate libraries, b) lots of
> providers do want to offer scoped access tokens (and show the list of scopes
> being requested on consent UI), and c) we're likely to want to have some
> cross-vendor standard scopes (e.g. "access profile data", PoCo, "post
> activities", etc.) so it's natural to express those as URIs, thus favoring
> space-delimited scope values.
> Thanks,js
>
> On Fri, Apr 30, 2010 at 12:08 PM, Allen Tom <atom@yahoo-inc.com> wrote:
>>
>> I vote for #3
>>
>> There are already plenty of implementations that use a scope parameter:
>>
>> Facebook:
>> http://developers.facebook.com/docs/authentication/
>>
>> Google:
>> http://code.google.com/apis/accounts/docs/OAuth_ref.html#RequestToken
>>
>> Flickr: (called "perm")
>> http://www.flickr.com/services/api/auth.spec.html
>>
>> Yahoo currently requires developers to tell us the scopes that they need
>> when registering for a consumer key. We've received plenty of feedback
>> that
>> developers would rather specify the scope(s) at authorization time, so we
>> would support a multi-valued scope parameter. Space is a reasonable
>> delimiter.
>>
>> Allen
>>
>>
>>
>> On 4/30/10 8:43 AM, "Eran Hammer-Lahav" <eran@hueniverse.com> wrote:
>>
>> >
>> > 3. Space-Delimited Scope Parameter Value
>> >
>> > Define a 'scope' parameter with value of space-delimited strings (which
>> > can
>> > include any character that is not a space - the entire parameter value
>> > is
>> > encoded per the transport rules regardless). Space allows using URIs or
>> > simple
>> > strings as values.
>> >
>> > Pros:
>> >
>> > - A separator-delimited list of values is the common format for scope
>> > parameters in existing implementations and represents actual deployment
>> > experience.
>> > - Most vendors define a set of opaque strings used for requesting scope.
>> > This
>> > enables libraries to concatenate these in a standard way.
>> > - Enables simple extensions in the future for discovering which scope is
>> > required by each resource.
>> >
>> > Cons:
>> >
>> > - Defining a format without a discovery method for the values needs
>> > doesn't
>> > offer much more than the other options.
>> > - Doesn't go far enough to actually achieve interoperability.
>> > - Adds complexity for little value.
>> >
>> >
>> >
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>



-- 
http://agree2.com - Reach Agreement!
http://extraeagle.com - Solutions for the electronic Extra Legal world
http://stakeventures.com - Bootstrapping blog