Re: [OAUTH-WG] Scope - Coming to a Consensus
Pelle Braendgaard <pelle@stakeventures.com> Fri, 30 April 2010 21:13 UTC
Return-Path: <pelleb@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C6AD73A6C31 for <oauth@core3.amsl.com>; Fri, 30 Apr 2010 14:13:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.283
X-Spam-Level:
X-Spam-Status: No, score=-0.283 tagged_above=-999 required=5 tests=[AWL=-0.395, BAYES_05=-1.11, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_62=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id En7ONNBuDQYG for <oauth@core3.amsl.com>; Fri, 30 Apr 2010 14:13:39 -0700 (PDT)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by core3.amsl.com (Postfix) with ESMTP id A401B3A6C23 for <oauth@ietf.org>; Fri, 30 Apr 2010 14:13:37 -0700 (PDT)
Received: by fxm4 with SMTP id 4so623848fxm.31 for <oauth@ietf.org>; Fri, 30 Apr 2010 14:13:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:sender:received :in-reply-to:references:date:x-google-sender-auth:message-id:subject :from:to:content-type; bh=wa0F1uSoTpRDH/GyOf1bcZNsUCrJbCDHxHp9dQei0D4=; b=PZuPtjNuWolACwd5KtwxX3HmceOVEV1NGjwnnQSkJ0aQO1yp6Se1yz1m9EHt7GK9NZ 1WO/YHBDBoH5VfNO706beY81wsulehNGVtTxhuPIPYSAwH+t9YyH1Wbk/XBS9ayZPoa0 4OOFhhmd/ZzbdrooJ2vHNqUFBb2g7UNxYQi3k=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type; b=Kv8U/uGD92hfmbmLYBDU5kqT1Qeje0r/NsyVKppLwMXx/NLdMEkiUSJjVRmV1y7E5x F6N89kf14WQWIw351YekNPc2aO7kZPeXQEdjcXlb/77P5dlAH6dodKcaob3qE+UmoMPz YXHHetwcBDjF+8cdH7+hOsmczcVP4ibnO3wxE=
MIME-Version: 1.0
Received: by 10.223.5.81 with SMTP id 17mr1673042fau.42.1272662000386; Fri, 30 Apr 2010 14:13:20 -0700 (PDT)
Sender: pelleb@gmail.com
Received: by 10.223.111.205 with HTTP; Fri, 30 Apr 2010 14:13:20 -0700 (PDT)
In-Reply-To: <m2tc334d54e1004301352zf2a7f1cbi3fc90525ffddbf8@mail.gmail.com>
References: <90C41DD21FB7C64BB94121FBBC2E723439321772EF@P3PW5EX1MB01.EX1.SECURESERVER.NET> <C80078D0.2D681%atom@yahoo-inc.com> <m2tc334d54e1004301352zf2a7f1cbi3fc90525ffddbf8@mail.gmail.com>
Date: Fri, 30 Apr 2010 17:13:20 -0400
X-Google-Sender-Auth: f4473478c09935e8
Message-ID: <m2jce1325031004301413x6f4b3341h5e8844311d109a79@mail.gmail.com>
From: Pelle Braendgaard <pelle@stakeventures.com>
To: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Subject: Re: [OAUTH-WG] Scope - Coming to a Consensus
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Apr 2010 21:13:41 -0000
+1 for #3 Since google implemented I always thought it an elegant simple way of requesting access. On Fri, Apr 30, 2010 at 4:52 PM, Joseph Smarr <jsmarr@gmail.com> wrote: > I also vote for #3. I think our field experience has shown that a) lack of a > standard place to stick scope info in access token requests leads to > per-provider inconsistencies that further complicate libraries, b) lots of > providers do want to offer scoped access tokens (and show the list of scopes > being requested on consent UI), and c) we're likely to want to have some > cross-vendor standard scopes (e.g. "access profile data", PoCo, "post > activities", etc.) so it's natural to express those as URIs, thus favoring > space-delimited scope values. > Thanks,js > > On Fri, Apr 30, 2010 at 12:08 PM, Allen Tom <atom@yahoo-inc.com> wrote: >> >> I vote for #3 >> >> There are already plenty of implementations that use a scope parameter: >> >> Facebook: >> http://developers.facebook.com/docs/authentication/ >> >> Google: >> http://code.google.com/apis/accounts/docs/OAuth_ref.html#RequestToken >> >> Flickr: (called "perm") >> http://www.flickr.com/services/api/auth.spec.html >> >> Yahoo currently requires developers to tell us the scopes that they need >> when registering for a consumer key. We've received plenty of feedback >> that >> developers would rather specify the scope(s) at authorization time, so we >> would support a multi-valued scope parameter. Space is a reasonable >> delimiter. >> >> Allen >> >> >> >> On 4/30/10 8:43 AM, "Eran Hammer-Lahav" <eran@hueniverse.com> wrote: >> >> > >> > 3. Space-Delimited Scope Parameter Value >> > >> > Define a 'scope' parameter with value of space-delimited strings (which >> > can >> > include any character that is not a space - the entire parameter value >> > is >> > encoded per the transport rules regardless). Space allows using URIs or >> > simple >> > strings as values. >> > >> > Pros: >> > >> > - A separator-delimited list of values is the common format for scope >> > parameters in existing implementations and represents actual deployment >> > experience. >> > - Most vendors define a set of opaque strings used for requesting scope. >> > This >> > enables libraries to concatenate these in a standard way. >> > - Enables simple extensions in the future for discovering which scope is >> > required by each resource. >> > >> > Cons: >> > >> > - Defining a format without a discovery method for the values needs >> > doesn't >> > offer much more than the other options. >> > - Doesn't go far enough to actually achieve interoperability. >> > - Adds complexity for little value. >> > >> > >> > >> > _______________________________________________ >> > OAuth mailing list >> > OAuth@ietf.org >> > https://www.ietf.org/mailman/listinfo/oauth >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > -- http://agree2.com - Reach Agreement! http://extraeagle.com - Solutions for the electronic Extra Legal world http://stakeventures.com - Bootstrapping blog
- [OAUTH-WG] Scope - Coming to a Consensus Eran Hammer-Lahav
- Re: [OAUTH-WG] Scope - Coming to a Consensus Torsten Lodderstedt
- Re: [OAUTH-WG] Scope - Coming to a Consensus Allen Tom
- Re: [OAUTH-WG] Scope - Coming to a Consensus Joseph Smarr
- Re: [OAUTH-WG] Scope - Coming to a Consensus Pelle Braendgaard
- Re: [OAUTH-WG] Scope - Coming to a Consensus Justin Smith
- Re: [OAUTH-WG] Scope - Coming to a Consensus Marius Scurtescu
- Re: [OAUTH-WG] Scope - Coming to a Consensus Marius Scurtescu
- Re: [OAUTH-WG] Scope - Coming to a Consensus Torsten Lodderstedt
- Re: [OAUTH-WG] Scope - Coming to a Consensus Eve Maler
- Re: [OAUTH-WG] Scope - Coming to a Consensus Luke Shepard
- Re: [OAUTH-WG] Scope - Coming to a Consensus Dick Hardt
- Re: [OAUTH-WG] Scope - Coming to a Consensus Manger, James H
- Re: [OAUTH-WG] Permissions (Scope - Coming to a C… Manger, James H
- Re: [OAUTH-WG] Permissions (Scope - Coming to a C… Allen Tom
- Re: [OAUTH-WG] Scope - Coming to a Consensus Evan Gilbert
- Re: [OAUTH-WG] Scope - Coming to a Consensus Mark Mcgloin
- Re: [OAUTH-WG] Scope - Coming to a Consensus Eran Hammer-Lahav