IETF Logo Mail Archive

[OAUTH-WG] Re: Standardized OAuth 2.0 Scopes for Mail, Calendar, and Contact Access

"torsten@lodderstedt.net" <torsten@lodderstedt.net> Sun, 20 July 2025 09:56 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 4EE7B4690FF9 for <oauth@mail2.ietf.org>; Sun, 20 Jul 2025 02:56:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vkslJErQGnkx for <oauth@mail2.ietf.org>; Sun, 20 Jul 2025 02:56:27 -0700 (PDT)
Received: from mail-wm1-x332.google.com (mail-wm1-x332.google.com [IPv6:2a00:1450:4864:20::332]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 89D324690FE6 for <oauth@ietf.org>; Sun, 20 Jul 2025 02:56:27 -0700 (PDT)
Received: by mail-wm1-x332.google.com with SMTP id 5b1f17b1804b1-4561ca74829so38564695e9.0 for <oauth@ietf.org>; Sun, 20 Jul 2025 02:56:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; t=1753005386; x=1753610186; darn=ietf.org; h=mime-version:subject:references:in-reply-to:message-id:to:from:date :from:to:cc:subject:date:message-id:reply-to; bh=Ah9v052vFPb88/rIcEMF77zedFnqBUmAC5oVS/Yhxvk=; b=d9W7NjB/bkyyj3ZrA/YmwB/AIXlH6gG7lrozdkxfnfFcEV89xNhhdmpgCDOk8y0Foo MXdAzAjUi8jUjTr5MDLcDR671BqptVi4xwNmf8Dj6SgZI8QyC2XDm6fc6RVnXMR3PNXr jICPnnRgYflTC8mYNE5NZvJNf/EeG6gHXcdLAsIQlyuqG/e0o9FWEutVT4SQbViwyqyq Vz4Tq379Ap9ctP0tFYhZ+rM3MRcEmwewmdBJzogPBs+ErVl+WuL7W7R0oHAgJTzma1fo PZJ9aNgDilGKq80aPfbZAbZWhWiOlag+59vk3r14VrxyiiZBoA0LvRpoY0+0qWRQEQHk m1OA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1753005386; x=1753610186; h=mime-version:subject:references:in-reply-to:message-id:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Ah9v052vFPb88/rIcEMF77zedFnqBUmAC5oVS/Yhxvk=; b=RKsWfWpAncO6VuBZnWdwJtaLYbUt6L/d0Xbv4F+TN4ee+vxtuUeJRcDxu9fipW5VVd QRn+KDFSEf2255NErQwc4pMEnbcxdXukfCSHOmqZimWc0qCKGUeF4gbafGuTK1FSLtd4 c7HumxpZ/NKvA69rpsOEXeR8lUncLakbvjeGIaw6r5Ts5PvKP3T7Hx7P+96VtueDe/iH OZZuYHg2+YE6hEqabX3J8+HpARZTGEHE7w3JTwrj0thbgf+5MdmWaLJf/AP99/TRa96+ ARJ0Zfo7U3xWrRaTI7E3EslgXvSGSgxJ04ISqtu01p12UO8uJf076H6MpPuKwhQmPU/F sGIQ==
X-Gm-Message-State: AOJu0YzW5feVKVrnFVuPnZPvjkcEXAxMGggCdUVwqEs6+mvumEN+fkGN GlRZKH/F41gDcUIMnw4MD7cAVW5w8miJ+Cb2kbfskUzfN1/KEqpNpd/oO81BJtm+smCX4ocmnIV K/4mZVuLQTg==
X-Gm-Gg: ASbGncvU0hHfLKeVvQxH1nJzLNxp7AJ3CA7GhZP8ZNsCb196MXcDvgqY5/fD6P9u+o9 JwH5aGyWhVE8WM3ROLRKD7KTLpBTd4N9QlDcgQNxqzqKdU/kH2warGLjd/tLkvQvV6j3emtih3E XHE/Fk0/VRjc0V0D3iDkgPRm0teDggMxS0hjriBRuhYDXTg/Pm6GZyC4Y+2bQomLs+UOFtF/pFX O0CgX7FD10ju1O8/uGFeua1WBpdCYEFpqp3fQ4wYr9Vq0aRfC4EE9jiNe5x4kkve8hg0KiWNFO5 Jy2fr+ygaTUfqJaFPLhkGWHWNJtbxoIkdTYrgPIsZTXhHqIRWHv2RtpS966V28iaTfAGSW2/QIT tlIOoI2eUa+xTiXpqc47ZgahOsHQVfeceHFZtyDQgEl//9YFW3Yg03DG8KvzJma5nOHL/1B0TB2 RH/1aX
X-Google-Smtp-Source: AGHT+IGtHbbs4UJXHW8gWDE51lklw8ZlUwcbk8MHCDwDPfWR63ef8+eyextq3mnNwFKDjuaViRePZg==
X-Received: by 2002:a05:600c:1e1b:b0:456:25aa:e9b0 with SMTP id 5b1f17b1804b1-45632814746mr150608435e9.16.1753005386232; Sun, 20 Jul 2025 02:56:26 -0700 (PDT)
Received: from [10.35.153.230] (tmo-069-230.customers.d1-online.com. [80.187.69.230]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4563b5b8475sm68246655e9.12.2025.07.20.02.56.25 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 20 Jul 2025 02:56:25 -0700 (PDT)
Date: Sun, 20 Jul 2025 12:56:19 +0300
From: "torsten@lodderstedt.net" <torsten@lodderstedt.net>
To: "oauth@ietf.org" <oauth@ietf.org>, "Lombardo, Jeff" <jeffsec=40amazon.com@dmarc.ietf.org>
Message-ID: <cdce8c8c-d20f-41cf-8c1c-9929e6179f39@Spark>
In-Reply-To: <CO1PR18MB4684BC45FBE014EA54D9F1FBD952A@CO1PR18MB4684.namprd18.prod.outlook.com>
References: <CO1PR18MB4684BC45FBE014EA54D9F1FBD952A@CO1PR18MB4684.namprd18.prod.outlook.com>
X-Readdle-Message-ID: cdce8c8c-d20f-41cf-8c1c-9929e6179f39@Spark
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="687cbd48_3e500d17_168ce"
Message-ID-Hash: TEGVLJMEVQJQXA5R7W2QWOMZ4MK4PKBG
X-Message-ID-Hash: TEGVLJMEVQJQXA5R7W2QWOMZ4MK4PKBG
X-MailFrom: torsten@lodderstedt.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: Standardized OAuth 2.0 Scopes for Mail, Calendar, and Contact Access
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/sGhn4Omeo_e9M_2Mua7goLoMpbY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

+1 for using RAR, access to calendars and so on needs context (particular calendar instances, for example). That’s what RAR is designed for.

best regards,
Torsten.
Am 20. Juli 2025, 12:02 +0300 schrieb Lombardo, Jeff <jeffsec=40amazon.com@dmarc.ietf.org>:
> To add to Warren point, it is important to reup feu Vittorio Bertocci blog entry on the nature of OAuth2 scopes that cover exactly this use case: https://auth0.com/blog/on-the-nature-of-oauth2-scopes/
>
> I think this proposal instead of building on top of the `scope` claim should pivot into profiling OAuth 2.0 Rich Authorization Requests (https://datatracker.ietf.org/doc/html/rfc9396)
>
> Jean-François “Jeff” Lombardo | Amazon Web Services
>
> On Sun, Jul 20, 2025 at 08:19 AM Warren Parad <wparad@rhosys.ch> wrote
>
> I have some serious problems with this document:
>
>    - I fundamentally disagree about the scopes defined for mail, calendar,
>    and contact. One of the biggest problems with the scopes today, is the lack
>    of the scope "update/modify/delete BUT only the emails, contacts, and
>    calendar meetings that the app has created". I don't want to give *access
>    to delete all my calendars* just so an app can *create calendar
>    appointments in one calendar*.
>
> For me, scopes for calendar and contacts are already broken by design, and
> this document actually makes it worse. Take the scope
> *urn:ietf:params:oauth:scope:calendar:update:*
>
> >  Grants permission to create, modify, and delete calendars and events on
> > the user's behalf.
>
>
> The creation, modification, and deletion of calendars must be completely
> independent from the creation, modification, and deletion of calendars. And
> most problematically, *as a user*, I would only want to give access to do
> this one calendar at a time. Because of this we really need to define
> resource based syntax inside of OAuth spec to replace the scopes.
>
> In conclusion, this document only sets out to standardize the irresponsible
> behavior of apps utilizing scopes today, cementing the current paradigm
> rather than replacing it with something that actually works correctly.
> Using OAuth scopes alone for this access, is the part that is wrong, not
> that it isn't standardized. In some cases, an incremental approach might
> help get to the perfect solution, but I don't see this document helping to
> make that happen. If it does anything for me, this prevents forward
> progress in preference of keeping exactly what we already have.
>
> On Sun, Jul 20, 2025 at 7:42 AM Clinton Bunch <cdbunch@emeraldgroupware.org>
> wrote:
>
> > I submitted https://datatracker.ietf.org/doc/draft-bunch-groupware-scopes/
> >
> > This is a proposal of standard OAUTH2 scopes to support the loosely
> > coupled world of mail, calendaring, and contacts servers and clients.
> >
> > The current state is that every Authorization Server defines their own
> > scopes for these groupware services, leading client developers to hard
> > code these scopes, which, in practicality, limits them to supporting
> > OAUTH2 authentication for only a dozen or so providers big enough to
> > strong arm them into it.
> >
> > This is the remaining barrier to wide spread deployment of OAUTH2
> > authentication for groupware services.  The other half of the problem,
> > Client Registration, is solved by RFC 7591, OAuth 2.0 Dynamic Client
> > Registration Protocol.
> >
> > With these two pieces in place, Authorization Servers and clients can
> > begin to implement this advanced authorization process.
> >
> > _______________________________________________
> > OAuth mailing list -- oauth@ietf.org
> > To unsubscribe send an email to oauth-leave@ietf.org
> >
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org

v2.46.0 | Report a Bug | By Email | System Status