Re: [OAUTH-WG] Can the repeated authorization of scopes be avoided ?

George Fletcher <gffletch@aol.com> Wed, 27 January 2016 16:47 UTC

To: Thomas Broyer <t.broyer@gmail.com>, Sergey Beryozkin <sberyozkin@gmail.com>, Justin Richer <jricher@mit.edu>
References: <78kleo9cmvytysxs1qv8kep0.1453117674832@email.android.com> <569CDE25.90908@gmail.com> <CAAP42hA_3EmJw7fAXSSfg=KynAMF26x6vgm1HyLX1RAS4OpKfQ@mail.gmail.com> <569E08F6.4040600@gmail.com> <56A7B52C.2040302@gmail.com> <CAEayHEMrTjDQbdoX3C-2-oGUVVQTzCzDqbWU-hFeAtbSp-tCcg@mail.gmail.com> <7E08DFCA-ADBC-481A-896A-2725E1F79EFA@mit.edu> <56A8A762.9080004@gmail.com> <CAEayHEPi7hsu=zkr_qxadp02D9zzLGVDU-AGVZXzm25vE2bJFw@mail.gmail.com> <56A8B542.5060208@gmail.com> <56A8BE1B.2080404@aol.com> <CAEayHEOtpUxMRKduitbe=D3UFHSazMmkf9UQoiPNjZFr0JATOA@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <56A8F3A5.8060002@aol.com>
Date: Wed, 27 Jan 2016 11:43:17 -0500
In-Reply-To: <CAEayHEOtpUxMRKduitbe=D3UFHSazMmkf9UQoiPNjZFr0JATOA@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/sJekQ-1DP3buj5h3uAeaxGzV63E>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>

Yes, I was thinking mostly of "native apps"... though you bring up a 
good point. It would be great if "installable" web apps could do dynamic 
client registration:)  I suppose for a "public" client that is loaded 
onto a device, the "installation" process could obtain a new client_id 
for that instance. Cookies might work, or have the app generate a unique 
identifier and use that in conjunction with the client_id?

Thanks,
George

On 1/27/16 11:07 AM, Thomas Broyer wrote:
>
>
> On Wed, Jan 27, 2016 at 1:54 PM George Fletcher <gffletch@aol.com 
> <mailto:gffletch@aol.com>> wrote:
>
>     The difference might be whether you want to store the scope
>     consent by client "instance" vs client_id application "class".
>
>
> Correct me if I'm wrong but this only makes sense for "native apps", 
> not for web apps, right?
> (of course, now with "installable web apps" –e.g. progressive web 
> apps–, lines get blurry; any suggestion how you'd do it then? cookies?)

-- 
Chief Architect
Identity Services Engineering     Work: george.fletcher@teamaol.com
AOL Inc.                          AIM:  gffletch
Mobile: +1-703-462-3494           Twitter: http://twitter.com/gffletch
Office: +1-703-265-2544           Photos: http://georgefletcher.photography
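The "instance" versus "class" distinction in the exchange above, as an added illustration that is not part of the thread and not the code of any real authorization server: a hypothetical consent store that remembers approved scopes either per client_id (shared by every copy of the app) or per (client_id, instance_id), where instance_id stands for the app-generated identifier sent alongside client_id that George suggests. The names ConsentStore, record, missing_scopes, revoke and the sample users, client_ids and device identifiers are all constructed for this example.

```python
"""Remembering OAuth scope consent per client "class" vs per client "instance".

Added illustration, not code from the OAuth WG thread or from any real
authorization server. All names (ConsentStore, record, missing_scopes,
revoke, instance_id) and sample values are assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional, Set, Tuple

# (user, client_id, instance_id-or-None); instance_id is None at class granularity.
ConsentKey = Tuple[str, str, Optional[str]]


@dataclass
class ConsentStore:
    """Consent memory of a hypothetical authorization server.

    granularity="class":    one record per (user, client_id), shared by every
                            copy of the app that presents that client_id.
    granularity="instance": one record per (user, client_id, instance_id),
                            where instance_id is an app-generated identifier
                            sent together with client_id. An app that instead
                            obtains its own client_id at install time via
                            dynamic registration gets the same effect at
                            class granularity, because its client_id is
                            already per instance.
    """
    granularity: str = "class"
    grants: Dict[ConsentKey, Set[str]] = field(default_factory=dict)

    def _key(self, user: str, client_id: str, instance_id: Optional[str]) -> ConsentKey:
        if self.granularity == "class":
            return (user, client_id, None)
        if self.granularity == "instance":
            if not instance_id:
                # A copy of a public client that omits its instance identifier
                # must not inherit consent given to another copy of the same app.
                raise ValueError("instance granularity requires an instance_id")
            return (user, client_id, instance_id)
        raise ValueError(f"unknown granularity {self.granularity!r}")

    def record(self, user: str, client_id: str, instance_id: Optional[str],
               scopes: Iterable[str]) -> None:
        """Remember that the user approved these scopes (additive)."""
        key = self._key(user, client_id, instance_id)
        self.grants.setdefault(key, set()).update(scopes)

    def missing_scopes(self, user: str, client_id: str, instance_id: Optional[str],
                       requested: Iterable[str]) -> FrozenSet[str]:
        """Scopes the user still has to be asked about; empty means no re-prompt."""
        key = self._key(user, client_id, instance_id)
        return frozenset(requested) - self.grants.get(key, set())

    def revoke(self, user: str, client_id: str, instance_id: Optional[str] = None) -> int:
        """Drop remembered consent; returns how many records were removed.

        At instance granularity, instance_id=None revokes every installed
        copy of that app for the user, while a specific instance_id revokes
        only that copy and leaves the others untouched.
        """
        doomed = [k for k in self.grants
                  if k[0] == user and k[1] == client_id
                  and (instance_id is None or k[2] == instance_id)]
        for k in doomed:
            del self.grants[k]
        return len(doomed)


def second_install_prompt(granularity: str) -> FrozenSet[str]:
    """Constructed scenario: one user, one app installed on two devices.

    Returns the scopes the second install must be re-prompted for.
    """
    store = ConsentStore(granularity=granularity)
    # Constructed sample values: a registered client_id and two app-generated
    # instance identifiers, one per device.
    store.record("alice", "app-123", "device-A", ["profile", "email"])
    return store.missing_scopes("alice", "app-123", "device-B", ["profile"])


def incremental_prompt() -> FrozenSet[str]:
    """Same instance later asks for more; only the new scope is prompted."""
    store = ConsentStore(granularity="instance")
    store.record("alice", "app-123", "device-A", ["profile", "email"])
    return store.missing_scopes("alice", "app-123", "device-A",
                                ["profile", "contacts"])


if __name__ == "__main__":
    print("class granularity, second device must ask for:",
          sorted(second_install_prompt("class")))       # []
    print("instance granularity, second device must ask for:",
          sorted(second_install_prompt("instance")))    # ['profile']
    print("incremental request, still needs:",
          sorted(incremental_prompt()))                 # ['contacts']
```

At class granularity the second device inherits the first device's consent, which is the "repeated authorization avoided" outcome the thread asks about; at instance granularity each installed copy is consented and revoked on its own, which matters for public clients whose client_id is shared by every copy. The example goes slightly beyond the thread in adding per-instance revocation, since that is the other half of what keying consent by instance buys.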