IETF Logo Mail Archive

Re: [OAUTH-WG] Registration: Scope Values

Tim Bray <twbray@google.com> Thu, 18 April 2013 15:36 UTC

Return-Path: <twbray@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0290E21F8F76 for <oauth@ietfa.amsl.com>; Thu, 18 Apr 2013 08:36:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.977
X-Spam-Level:
X-Spam-Status: No, score=-101.977 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yc6rF++CFrii for <oauth@ietfa.amsl.com>; Thu, 18 Apr 2013 08:36:36 -0700 (PDT)
Received: from mail-ie0-x232.google.com (mail-ie0-x232.google.com [IPv6:2607:f8b0:4001:c03::232]) by ietfa.amsl.com (Postfix) with ESMTP id C34BC21F8F6D for <oauth@ietf.org>; Thu, 18 Apr 2013 08:36:35 -0700 (PDT)
Received: by mail-ie0-f178.google.com with SMTP id aq17so2058522iec.9 for <oauth@ietf.org>; Thu, 18 Apr 2013 08:36:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=0MvnHXcw+XQ1Ulyts8sAAm8FRZmJz2xZ8tbxL80/MAI=; b=XOk+FgwWCUQEwiuXO1ktcCvaJVe6BKEkUv7qHC9NiWj43Fh7Z3tAVfZNQqJMIzHlA7 r2XHDaQPfkfdWnJNYfTI7A2UChowcrZ3Ai5d5nnElA6dXKBgbCWoV4rTpgRIfj/ORuvM PqcVaH2xnPOP6V7Wx7b200JDe51QwK5Ce7NRbs4/UpidQjODTNG9qhEt5XQ/CPM4GEa6 Nhhq9HtIb/nS/KHb/Fc4DGiLpAJZz3HnOUg2277miwWInSLNGTwGt9pPrinJSqkB/lnE PDND2TP6V/EAiybKzHo93SqGlz5Xx2534xI911s5qw5qLY6kkynxv6iJeQbQyubxjD9u 5zuA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:cc:content-type:x-gm-message-state; bh=0MvnHXcw+XQ1Ulyts8sAAm8FRZmJz2xZ8tbxL80/MAI=; b=eUa6GiYMXqXG0PHK/DpMQqJ748sNMLjmJYFzbwQ4uf4WlMZJMIZnAiWwhxc8Gc1blW D0GxOmT0hpfaGRND8ED8m3aVVZJbjZ48389By5oM+rk2OkRwfzMGb4+aJ3GwWYk6TkGD GEEhUoZg+Ng1LGPUKAJk543faTeDIOrk5suiaoKcJ8Hv89HcEfGGmsaRGIpHZUinsC65 54m6G1tgklhp04KFDz7v1yT9yx+9V4sIRmbmK/qP+IOpn//DidX1ikVpXcEQDrF9QQ3U PiokPFKwJowI/HhDyasJGJxfvUsnFsHTlNwRCGkkrgySsmjM/AobF3wIpJ1PCXSNwoqY nlXQ==
X-Received: by 10.50.72.83 with SMTP id b19mr130410igv.71.1366299395302; Thu, 18 Apr 2013 08:36:35 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.31.35 with HTTP; Thu, 18 Apr 2013 08:36:04 -0700 (PDT)
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436766BCC4@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <255B9BB34FB7D647A506DC292726F6E1150C74DADA@WSMSG3153V.srv.dir.telstra.com> <516C069F.9090308@mitre.org> <CA+ZpN26NJj7T8V0WYNnVi2O1EhwKqDbk3zBcJoNkgk5PM6N5+Q@mail.gmail.com> <516C0B9D.6000402@mitre.org> <CA+ZpN27UCw=MpD+CPGTEaGFaQe5qFJm00jRVeW5FuB0MAk8D0A@mail.gmail.com> <516C101F.2090706@mitre.org> <CA+ZpN27KNr0TLsAjt29PCQXqfFYkzP7Fr7y_2wibHfVu3R=UMA@mail.gmail.com> <516C1714.8070503@mitre.org> <4E1F6AAD24975D4BA5B168042967394367641A87@TK5EX14MBXC283.redmond.corp.microsoft.com> <516C3152.9070603@mitre.org> <4E1F6AAD24975D4BA5B168042967394367641FAB@TK5EX14MBXC283.redmond.corp.microsoft.com> <516C54F2.8040708@mitre.org> <4E1F6AAD24975D4BA5B16804296739436766BCC4@TK5EX14MBXC284.redmond.corp.microsoft.com>
From: Tim Bray <twbray@google.com>
Date: Thu, 18 Apr 2013 08:36:04 -0700
Message-ID: <CA+ZpN248faS0Vfa=yCft-RpGxHjs9jFv+VPP2Rw6AWzxhH617A@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="047d7bdc19d41d92e404daa45ec8"
X-Gm-Message-State: ALoCoQleO9aD4fFN20Bk3egyizImdUy5SwUI57KjdMAp2o0HsfyqWC/KbhWGR68QqZFxLKDOg8cKlY0zyEEFMtSb3UcVXJvuy+MMHhp7gV4LC782pEJNq9lizha+dFxhXMv/XAKFEElzYu//Tzvk9aDyFg+J4P4vpy2Tg82CbsJrasuksghpYJCqNZ7BrtAEqKHiEQtgqT/h
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Registration: Scope Values
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Apr 2013 15:36:38 -0000

On the server-to-client side, what does “registered to use” mean?  Does it
mean that the client should assume that any scopes not on the list WILL not
be granted, MAY not be granted.... or what?  Is this already covered
elsewhere? -T


On Thu, Apr 18, 2013 at 8:28 AM, Mike Jones <Michael.Jones@microsoft.com>wrote:

>  Thanks, Justin.  I agree with the need for the generic two-sided
> language.  I’d still keep this language for scope, because we want to
> capture the “declaring” aspect in this case:****
>
> ** **
>
> “Space separated list of scope values (as described in OAuth 2.0 Section 3.3
> [RFC6749] <http://tools.ietf.org/html/rfc6749#section-3.3>) that the
> client is declaring to the server that it may use when requesting access
> tokens and that the server is declaring to the client that it is registered
> to use when requesting access tokens.”.****
>
> ** **
>
> You should probably also reinforce that scope values are service-specific
> and may not consist only of a static set of string values, and that
> therefore, in some cases, an exhaustive list of registered scope values is
> not possible.****
>
> ** **
>
>                                                             -- Mike****
>
> ** **
>
> *From:* Justin Richer [mailto:jricher@mitre.org]
> *Sent:* Monday, April 15, 2013 12:29 PM
>
> *To:* Mike Jones
> *Cc:* Tim Bray; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Registration: Scope Values****
>
>  ** **
>
> I think that because the "declaration" issue affects all parameters in the
> list, not just scope, we should adopt this in a higher level paragraph and
> leave it out of the individual parameter descriptions. Thus, something like
> this inserted as the second paragraph in section 2:****
>
> The client metadata values serve two parallel purposes in the overall
> OAuth Dynamic Registration protocol:
>
>  - the Client requesting its desired values for each parameter to the
> Authorization Server in a [register] or [update] request,
>  - the Authorization Server informing the Client of the current values of
> each parameter that the Client has been registered to use through a [client
> information response].
>
> An Authorization Server MAY override any value that a Client requests
> during the registration process (including any omitted values) and replace
> the requested value with a default. The normative indications in the
> following list apply to the Client's declaration of its desired values.
>
> The Authorization Server SHOULD provide documentation for any fields that
> it requires to be filled in by the client or to have particular values or
> formats. Extensions and profiles...****
>
>
> And then remove the sidedness-language from the scope parameter and any
> other parameters where it might have crept in inadvertently.
>
>  -- Justin****
>
> On 04/15/2013 01:29 PM, Mike Jones wrote:****
>
> We could fix the one-sided language by changing****
>
> “Space separated list of scope values (as described in OAuth 2.0 Section 3.3
> [RFC6749] <http://tools.ietf.org/html/rfc6749#section-3.3>) that the
> client is declaring that it may use when requesting access tokens.”****
>
> to****
>
> “Space separated list of scope values (as described in OAuth 2.0 Section 3.3
> [RFC6749] <http://tools.ietf.org/html/rfc6749#section-3.3>) that the
> client is declaring to the server that it may use when requesting access
> tokens and that the server is declaring to the client that it is registered
> to use when requesting access tokens.”.****
>
>  ****
>
> Again, I chose the “registered to use” language carefully – because in the
> general case it’s not a restriction on the values that the client can use –
> just a statement by the server to the client that it is registered to use
> those particular values.  In both cases, the parties are making
> declarations to one another.****
>
>  ****
>
> If you adopt that language (or keep the original language), then yes, I’d
> consider this closed.****
>
>  ****
>
>                                                             -- Mike****
>
>  ****
>
> *From:* Justin Richer [mailto:jricher@mitre.org <jricher@mitre.org>]
> *Sent:* Monday, April 15, 2013 9:57 AM
> *To:* Mike Jones
> *Cc:* Tim Bray; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Registration: Scope Values****
>
>  ****
>
> I absolutely do not want to delete this feature, as (having implemented
> it) I think it's very useful. This is a very established pattern in manual
> registration: I know of many, many OAuth2 servers and clients that are set
> up where the client must pre-register a set of scopes.
>
> I don't like the language of "the client is declaring" because it's too
> one-sided. The client might not have declared anything, and it might be the
> server that's declaring something to the client. Deleting the "is
> declaring" bit removes that unintended restriction of the language while
> keeping the original meaning intact. I actually thought that I had fixed
> that before the last draft went in but apparently I missed this one.
>
> I will work on clarifying the intent of the whole metadata set in its
> introductory paragraph(s) so that it's clear that all of these fields are
> used in both of these situations:
>
>  1) The client declaring to the server its desire to use a particular value
>  2) The server declaring to the client that it has been registered with a
> particular value
>
> This should hopefully clear up the issue in the editor's note that I
> currently have at the top of that section right now, too.
>
> Mike, since you were the one who originally brought up the issue, and
> you're fine with the existing text, can I take this as closed now? Assuming
> that you agree with deleting "is declaring" for reasons stated above, I'm
> fine with leaving everything else as is and staying quiet on what the
> server has to do with the scopes.
>
>  -- Justin
>
>
> ****
>
> On 04/15/2013 12:44 PM, Mike Jones wrote:****
>
> I think that the existing wording is superior to the proposed changed
> wording.  The existing wording is:****
>
>  ****
>
>    scope****
>
>       OPTIONAL.  Space separated list of scope values (as described in****
>
>       OAuth 2.0 Section 3.3 [RFC6749]<http://tools.ietf.org/html/rfc6749#section-3.3>)
> that the client is declaring that****
>
>       it may use when requesting access tokens.  If omitted, an****
>
>       Authorization Server MAY register a Client with a default set of****
>
>       scopes.****
>
>  ****
>
> For instance, the current “client is declaring” wording will always be
> correct, whereas as the change to “client can use” wording implies a
> restriction on client behavior that is not always applicable.  The “client
> is declaring” wording was specific and purposefully chosen, and I think
> should be retained.  In particular, we can’t do anything that implies that
> only the registered scopes values can be used.  At the OAuth spec level,
> this is a hint as to possible future client behavior – not a restriction on
> future client behavior.****
>
>  ****
>
> Also, for the reasons that Tim stated, I’m strongly against any “matching”
> or “regex” language in the spec pertaining to scopes – as it’s not
> actionable.****
>
>  ****
>
> So I’d propose that we leave the existing scope wording in place.
> Alternatively, I’d also be fine with deleting this feature entirely, as I
> don’t think it’s useful in the general case.****
>
>  ****
>
>                                                             -- Mike****
>
>  ****
>
> *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org<oauth-bounces@ietf.org>]
> *On Behalf Of *Justin Richer
> *Sent:* Monday, April 15, 2013 8:05 AM
> *To:* Tim Bray; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Registration: Scope Values****
>
>  ****
>
> On 04/15/2013 10:52 AM, Tim Bray wrote:
>
>
>
> ****
>
> I’d use the existing wording; it’s perfectly clear.  Failing that, if
> there’s strong demand for registration of structured scopes, bless the use
> of regexes, either PCREs or some careful subset.****
>
>
> Thanks for the feedback -- Of these two choices, I'd rather leave it
> as-is.
>
>
>
>
> ****
>
>  ****
>
> However, I’d subtract the sentence “If omitted, an Authorization Server
> MAY register a Client with a default set of  scopes.”  It adds no value; if
> the client doesn’t declare scopes, the client doesn’t declare scopes,
> that’s all.  -T****
>
>
> Remember, all of these fields aren't just for the client *request*,
> they're also for the server's *response* to either a POST, PUT, or GET
> request. (I didn't realize it, but perhaps the wording as stated right now
> doesn't make that clear -- I need to fix that.) The value that it adds is
> if the client doesn't ask for any particular scopes, the server can still
> assign it scopes and the client can do something smart with that. Dumb
> clients are allowed to ignore it if it doesn't mean anything to them.
>
> This is how our server implementation actually works right now. If the
> client doesn't ask for anything specific at registration, the server hands
> it a bag of "default" scopes. Same thing happens at auth time -- if the
> client doesn't ask for any particular scopes, the server hands it all of
> its registered scopes as a default. Granted, on our server, scopes are just
> simple strings right now, so they get compared at the auth endpoint with an
> exact string-match metric and set-based logic.
>
>  -- Justin
>
>
>
>
> ****
>
>  ****
>
> On Mon, Apr 15, 2013 at 7:35 AM, Justin Richer <jricher@mitre.org> wrote:*
> ***
>
> What would you suggest for wording here, then? Keeping in mind that we
> cannot (and don't want to) prohibit expression-based scopes.
>
>  -- Justin ****
>
>  ****
>
> On 04/15/2013 10:33 AM, Tim Bray wrote:****
>
>  No, I mean it’s not interoperable at the software-developer level.  I
> can’t register scopes at authorization time with any predictable effect
> that I can write code to support, either client or server side, without
> out-of-line non-interoperable knowledge about the behavior of the server.
> ****
>
>  ****
>
> I guess I’m just not used to OAuth’s culture of having no expectation that
> things will be specified tightly enough that I can write code to implement
> as specified.  -T****
>
>  ****
>
> On Mon, Apr 15, 2013 at 7:15 AM, Justin Richer <jricher@mitre.org> wrote:*
> ***
>
> Scopes aren't meant to be interoperable between services since they're
> necessarily API-specific. The only interoperable bit is that there's *some*
> place to put the values and that it's expressed as a bag of space-separated
> strings. How those strings get interpreted and enforced (which is really
> what's at stake here) is up to the AS and PR (or a higher-level protocol
> like UMA).
>
>  -- Justin ****
>
>  ****
>
> On 04/15/2013 10:13 AM, Tim Bray wrote:****
>
> This, as written, has zero interoperability.  I think this feature can
> really only be made useful in the case where scopes are fixed strings.****
>
> -T****
>
> On Apr 15, 2013 6:54 AM, "Justin Richer" <jricher@mitre.org> wrote:****
>
> You are correct that the idea behind the "scope" parameter at registration
> is a constraint on authorization-time scopes that are made available. It's
> both a means for the client to request a set of valid scopes and for the
> server to provision (and echo back to the client) a set of valid scopes.
>
> I *really* don't want to try to define a matching language for scope
> expressions. For that to work, all servers would need to be able to process
> the regular expressions for all clients, even if the servers themselves
> only support simple-string scope values. Any regular expression syntax we
> pick here is guaranteed to be incompatible with something, and I think the
> complexity doesn't buy much. Also, I think you suddenly have a potential
> security issue if you have a bad regex in place on either end.
>
> As it stands today, the server can interpret the incoming registration
> scopes and enforce them however it wants to. The real trick comes not from
> assigning the values to a particular client but to enforcing them, and I
> think that's always going to be service-specific. We're just not as clear
> on that as we could be.
>
> After looking over everyone's comments so far, I'd like to propose the
> following text for that section:
>
>
>
> ****
>
>    scope****
>
>       OPTIONAL.  Space separated list of scope values (as described in****
>
>       OAuth 2.0 Section 3.3 [RFC6749] <http://tools.ietf.org/html/rfc6749#section-3.3>) that the client can use when ****
>
>       requesting access tokens.  As scope values are service-specific, ****
>
>       the Authorization Server MAY define its own matching rules when****
>
>       determining if a scope value used during an authorization request****
>
>       is valid according to the scope values assigned during ****
>
>       registration. Possible matching rules include wildcard patterns,****
>
>       regular expressions, or exactly matching the string. If omitted, ****
>
>       an Authorization Server MAY register a Client with a default ****
>
>       set of scopes.****
>
>
> Comments? Improvements?
>
>  -- Justin
>
>
>
> ****
>
> On 04/14/2013 08:23 PM, Manger, James H wrote:****
>
> Presumably at app registration time any scope specification is really a constraint on the scope values that can be requested in an authorization flow.****
>
>  ****
>
> So ideally registration should accept rules for matching scopes, as opposed to actual scope values.****
>
>  ****
>
> You can try to use scope values as their own matching rules. That is fine for a small set of "static" scopes. It starts to fail when there are a large number of scopes, or scopes that can include parameters (resource paths? email addresses?). You can try to patch those failures by allowing services to define service-specific special "wildcard" scope values that can only be used during registration (eg "read:*").****
>
>  ****
>
> Alternatively, replace 'scope' in registration with 'scope_regex' that holds a regular expression that all scope values in an authorization flow must match.****
>
>  ****
>
> --****
>
> James Manger****
>
> _______________________________________________****
>
> OAuth mailing list****
>
> OAuth@ietf.org****
>
> https://www.ietf.org/mailman/listinfo/oauth****
>
>   ****
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth****
>
>  ****
>
>  ****
>
>  ****
>
>  ****
>
>  ****
>
>  ****
>
> ** **
>

v2.23.0 | Report a Bug | By Email