IETF Logo Mail Archive

Re: [OAUTH-WG] resource server id needed?

Torsten Lodderstedt <torsten@lodderstedt.net> Thu, 29 July 2010 06:34 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9F24F3A6915 for <oauth@core3.amsl.com>; Wed, 28 Jul 2010 23:34:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.845
X-Spam-Level:
X-Spam-Status: No, score=-1.845 tagged_above=-999 required=5 tests=[AWL=-0.403, BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4mQJq76Wzeza for <oauth@core3.amsl.com>; Wed, 28 Jul 2010 23:34:16 -0700 (PDT)
Received: from smtprelay04.ispgateway.de (smtprelay04.ispgateway.de [80.67.31.42]) by core3.amsl.com (Postfix) with ESMTP id 569A23A6991 for <oauth@ietf.org>; Wed, 28 Jul 2010 23:32:57 -0700 (PDT)
Received: from dhcp-87ec.meeting.ietf.org ([130.129.135.236] helo=[127.0.0.1]) by smtprelay04.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1OeMfx-0000ic-Ot; Thu, 29 Jul 2010 08:33:05 +0200
Message-ID: <4C512095.5050802@lodderstedt.net>
Date: Thu, 29 Jul 2010 08:32:53 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.11) Gecko/20100711 Thunderbird/3.0.6
MIME-Version: 1.0
To: Eve Maler <eve@xmlgrrl.com>
References: <C8645B85.372D8%eran@hueniverse.com> <4C3F3F6A.5000409@lodderstedt.net> <AANLkTinIjg7MIBmEIUzV9_Uo3MDb0nXvYXJcXNeLTUCe@mail.gmail.com> <4C3F9064.6060604@lodderstedt.net> <4C48C116.9000609@lodderstedt.net> <AANLkTinXGXmtzULpO_x8C+sU6yzC9q+9+YU2=4WikKeE@mail.gmail.com> <4C4FE913.9030508@lodderstedt.net> <EE2B9D7D-8FD2-4EB3-9BD4-1CC8E6B81CA4@xmlgrrl.com>
In-Reply-To: <EE2B9D7D-8FD2-4EB3-9BD4-1CC8E6B81CA4@xmlgrrl.com>
Content-Type: multipart/alternative; boundary="------------080602010009070704030708"
X-Df-Sender: 141509
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] resource server id needed?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jul 2010 06:34:26 -0000
X-List-Received-Date: Thu, 29 Jul 2010 06:34:26 -0000
X-List-Received-Date: Thu, 29 Jul 2010 06:34:26 -0000

Eve,

how does UMA plan to address resource servers during the OAuth end-user 
authorization process?

regards,
Torsten.

Am 29.07.2010 02:37, schrieb Eve Maler:
> Belatedly...  Sorry if I sound like a broken record on this, but: Most 
> of UMA's use involve letting a user introduce their various hosts 
> (UMA-flavored resource servers) to their single chosen "authorization 
> manager" (UMA-flavored authorization server), by treating the former 
> as a dynamically introduced OAuth client of the latter. This sounds an 
> awful lot like the question originally posed in this thread. We have 
> exactly the problem of figuring out how the host can tell the AM what 
> resources the AM should be protecting and what can be done to them, 
> which we've begun to solve with what we're calling a "resource 
> registration API" (RRAPI).
>
> (BTW, we're also working on an I-D to submit here that proposes a 
> solution for discovery/dynamic registration that meets our needs. 
> Hoping it can feed into Eran's discovery work.)
>
> Eve
>
> On 28 Jul 2010, at 1:23 AM, Torsten Lodderstedt wrote:
>
>> thanks for sharing your thoughts.
>>
>> Differentiating resource servers by using different end-user 
>> authorization endpoint URLs is an option. I dont't know how this will 
>> work in conjunction with discovery, especially since this 
>> differentiation might by required on other endpoints, too. For 
>> example, if a client wants to obtain an access token for the 
>> end-user's credentials, it has to identify the resource server also 
>> on the tokens endpoint. There might be additional endpoint for other 
>> flows with similar requirements, e.g. the device flow.
>>
>> Based on your proposal, a derived solution could be to define a 
>> standard parameter "resourceserver" and to state how clients should 
>> use this parameter on the different endpoints. On the coding level, 
>> there would be no difference to your proposal :-) But the client 
>> would be able to construct such a URL on its own.
>>
>> Authorizing access for different resource servers is indeed an issue 
>> for me. How would you propose to add the namespace? Shall the scope 
>> obtained from the resource server already contain such a namespace 
>> are shall there be a rule to construct such namespaced-ed scopes in 
>> the spec?
>>
>> regards,
>> Torsten.
>>
>> Am 25.07.2010 19:11, schrieb Andrew Arnott:
>>> It seems to me that if one auth server can create tokens for a 
>>> diverse set of resource servers, then why not have different user 
>>> authorization endpoint URLs for each type of resource server, as an 
>>> added differentiator for the scope (a namespace, if you will)?
>>>
>>> So suppose one auth server serves two different photo services, both 
>>> using overlapping scopes such that a client requesting access of 
>>> some scope is otherwise ambiguous between which resource server the 
>>> client needs access to.  The auth server that serves both resource 
>>> servers could have two end user authorization endpoints:
>>> http://auth.server.org/authorize?resourceserver=1
>>> http://auth.server.org/authorize?resourceserver=2
>>>
>>> And that way the auth server knows exactly what the client needs.
>>>
>>> The only scenario this doesn't allow for is for a user to authorize 
>>> a client's access to /both/ resource servers in one redirect.  If 
>>> this were an issue, perhaps you can apply a namespace-like prefix to 
>>> each scope substring:
>>>
>>> rs1:photo:read rs2:photo:read
>>>
>>> Which would serve a similar purpose.
>>>
>>> --
>>> Andrew Arnott
>>> "I [may] not agree with what you have to say, but I'll defend to the 
>>> death your right to say it." - S. G. Tallentyre
>>>
>>>
>>> On Thu, Jul 22, 2010 at 3:07 PM, Torsten Lodderstedt 
>>> <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
>>>
>>>     no one else in the group having an opinion on this topic?
>>>
>>>
>>>
>>>         Am 15.07.2010 20:14, schrieb Marius Scurtescu:
>>>
>>>             On Thu, Jul 15, 2010 at 10:03 AM, Torsten Lodderstedt
>>>             <torsten@lodderstedt.net
>>>             <mailto:torsten@lodderstedt.net>>  wrote:
>>>
>>>                 As I have written in my reply to Marius's posting.
>>>                 I'm fine with including
>>>                 server ids in scopes. But this requires a definition
>>>                 of the scope's syntax
>>>                 and semantics in the spec. Otherwise, scope
>>>                 interpretation (and server
>>>                 identification) will be deployment specific.
>>>
>>>             Sure, it is deployment specific, but why is that an issue?
>>>
>>>             In your case, the authz server and all the resource
>>>             servers are
>>>             managed by the same organization, right?
>>>
>>>             Do clients need to be aware of the actual resource server?
>>>
>>>             You can probably create a separate spec that defines
>>>             scope syntax for
>>>             this purpose, if really needed. Does it have to be in core?
>>>
>>>             Marius
>>>
>>>
>>>         Solving the challenge I described in a deployment specific
>>>         way is not an issue. But the consequence is that authz
>>>         server, resource servers and clients are tight together.
>>>
>>>         Let me ask you one question: Why are we working together
>>>         towards a standard protocol? I can tell you my expectations:
>>>         I hope there will be broad support not only by libraries,
>>>         but also by ready-to-use services and clients, so we could
>>>         integrate such services into our deployment easily.
>>>         Moreover, I would like to see OAuth to be included in
>>>         application/service protocols like PortableContacts, SIP,
>>>         WebDAV, IMAP, ...
>>>
>>>         So what if I would like to use standard clients to access
>>>         our services? Using scopes for specifying resource server
>>>         id's in this case is also simple - if you take an isolated
>>>         view. But since scopes may be used to specifiy a lot of
>>>         other things, like resources, permissions, and durations,
>>>         handling w/o a more detailed spec will in practice be
>>>         impossible.
>>>
>>>         Suppose a WebDAV service for media data access. Any WebDAV
>>>         client knows the WebDAV protocol (== interface), e.g. the
>>>         supported methods (GET, PUT, POST, DELETE, COPY, MOVE) and
>>>         how to traverse directories. So it is sufficient to
>>>         configure the client with the URL of my personal web
>>>         storage. To start with let's assume, scopes are used to
>>>         designate resource servers only. So the server's scope could
>>>         be "webstorage".
>>>
>>>            WWW-Authenticate OAuth realm='webstorage' scope="webstorage"
>>>
>>>         The client could just pass this parameter to the authz
>>>         server and everything is fine.
>>>
>>>         On the next level, let's assume the (future) WebDAV standard
>>>         with OAuth-support uses one permission per method type. So
>>>         the full scope could be as follows:
>>>
>>>            WWW-Authenticate OAuth realm='webstorage'
>>>         scope="webstorage:GET webstorage:PUT webstorage:POST
>>>         webstorage:DELETE webstorage:COPY webstorage:MOVE"
>>>
>>>         Passing this scope w/o any unmodified to the authz server is
>>>         not an issue. But this implies the client asks for full
>>>         access to the users media storage. Since our client is a
>>>         gallery application, it requires the "GET" permission only.
>>>         How does the client know which of the scope values to pick
>>>         for the end-user authorization process? It must somehow
>>>         select "webstorage:GET".
>>>
>>>         But how?
>>>
>>>         In my personal opinion, clients should be enabled to
>>>         interpret, combine and even create scopes. And yes, this
>>>         should go to the core of the spec.
>>>
>>>         regards,
>>>         Torsten.
>>>
>>>
>>>
>>>
>>>         _______________________________________________
>>>         OAuth mailing list
>>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>         https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>     _______________________________________________
>>>     OAuth mailing list
>>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>     https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
> Eve Maler
> http://www.xmlgrrl.com/blog
> http://www.twitter.com/xmlgrrl
> http://www.linkedin.com/in/evemaler
>

v2.35.0 | Report a Bug | By Email | System Status