Re: [OAUTH-WG] draft-richer-oauth-introspection-01 scope syntax

"Donald F Coffin" <> Mon, 04 February 2013 18:55 UTC

From: Donald F Coffin <>
To: "'Richer, Justin P.'" <>, 'Todd W Lainhart' <>
Date: Mon, 04 Feb 2013 10:54:57 -0800
Cc: John Adkins <>, Marty Burns <>, Scott Crowder <>, Dave Robin <>, John Teeter <>,, Edward Denson <>, Uday Verma <>, Ray Perlner <>, Anne Hendry <>, Lynne Rodoni <>, 'IETF oauth WG' <>



I am involved with the OpenESPI and OpenADE Task Force within the Smart Grid
Interoperability Panel (SGIP) which was established to engage stakeholders
from the Smart Grid Community in a participatory public process to identify
applicable standards, gaps in currently available standards, and priorities
for new standardization activities for the evolving Smart Grid. The SGIP
supports the National Institute of Standards and Technology (NIST) in
fulfilling its responsibilities under the 2007 Energy Independence and
Security Act.  My particular function is to chair the OpenESPI OAuth
sub-committee which is chartered with the integration of the OAuth 2.0
Protocol and the ESPI Standard.


Since OAuth 2.0 (RFC6749) has already established "scope" is a
space-separated string, it will be very confusing to implementers to now
define "scope" as a JSON array.  While a JSON array may be what the current
space-separated string is converted into when the application is written
using Java or one of its variants, there are other programming languages
that implementers may select to use.  Having to deal with two methods of
handling a "scope" response will require additional logic and merely
complicate the coding task.


Additional OAuth 2.0 specifications should not redefine data elements that
are already defined by RFC6749. Implementers should be able to rely on data
element definitions within RFC6749 being persistent throughout the OAuth
protocol framework.  If the OAuth introspective WG feels "scope" should be a
JSON array, then the WG should define a new data element rather than
changing the definition of an existing data element already defined by


Best regards,


Donald F. Coffin



REMI Networks

22751 El Prado Suite 6216

Rancho Santa Margarita, CA  92688-3836


Phone:      (949) 636-8571

Email:        <>


From: Richer, Justin P. [] 
Sent: Monday, February 04, 2013 8:24 AM
To: Todd W Lainhart
Cc: IETF oauth WG
Subject: Re: [OAUTH-WG] draft-richer-oauth-introspection-01 scope syntax


I got the same reading of the list as you, and I could go either way. I
believe we absolutely must pick one or the other though. 


If anyone has thoughts on the matter one way or the other, please speak up.
The options are:


1) scopes are returned as a JSON array (current introspection text)

2) scopes are returned as a space-separated string (rfc6749 format for the
"scope" parameter)



 -- Justin



On Feb 4, 2013, at 10:06 AM, Todd W Lainhart <>


Has there been any thinking or movement as to whether the scopes syntax
stands as is, or aligns with 6749?  Of the folks who chose to respond, it
seemed like the position was split.


From:        Justin Richer <> 
To:        Todd W Lainhart/Lexington/IBM@IBMUS, 
Cc:        IETF oauth WG <> 
Date:        01/30/2013 05:34 PM 
Subject:        Re: [OAUTH-WG] draft-richer-oauth-introspection-01 scope


I should add that this is also a bit of an artifact of our implementation.
Internally, we parse and store scopes as collections of discrete strings and
process them that way. So serialization of that value naturally fell to a
JSON list.

-- Justin

On 01/30/2013 05:29 PM, Justin Richer wrote: 
It's not meant to follow the same syntax. Instead, it's making use of the
JSON object structure to avoid additional parsing of the values on the
client side.

We could fairly easily define it as the same space-delimited string if
enough people want to keep the scope format consistent.

-- Justin

On 01/30/2013 05:27 PM, Todd W Lainhart wrote: 
That the scope syntax in draft-richer-oauth-introspection-01 is different
than RFC 6749 Section 3.3, as in: 

  "scope": ["read", "write", "dolphin"], 


  scope = scope-token *( SP scope-token )
  scope-token = 1*( %x21 / %x23-5B / %x5D-7E )

Should introspection-01 follow the 6749 syntax for scopes?


OAuth mailing list
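
Added example, not part of the original thread or of any draft: a Python sketch of the client-side handling the two options imply, accepting "scope" either as the introspection-01 JSON array or as the RFC 6749 space-separated string and checking every value against the scope-token ABNF quoted above. The function names and the two sample response bodies are constructed for illustration.

```python
import json
import re

# scope-token = 1*( %x21 / %x23-5B / %x5D-7E )   (RFC 6749 Section 3.3)
SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")

# Constructed sample bodies: option 1 (JSON array) and option 2 (string).
ARRAY_FORM = '{"scope": ["read", "write", "dolphin"]}'
STRING_FORM = '{"scope": "read write dolphin"}'


def parse_scope(value):
    """Return the scope as a list of tokens, whichever encoding was used."""
    if isinstance(value, str):
        # RFC 6749 form: tokens separated by exactly one SP.
        tokens = value.split(" ")
    elif isinstance(value, list):
        # introspection-01 form: JSON array of strings.
        tokens = value
    else:
        raise ValueError("scope must be a string or an array")
    for tok in tokens:
        # Every element must be exactly one scope-token. This rejects "",
        # non-strings, and array elements that contain a space, which would
        # become two scopes once re-serialized in the RFC 6749 form.
        if not isinstance(tok, str) or not SCOPE_TOKEN.fullmatch(tok):
            raise ValueError(f"invalid scope-token: {tok!r}")
    return tokens


def to_rfc6749(tokens):
    """Serialize a validated token list as the space-delimited string."""
    return " ".join(parse_scope(list(tokens)))


def has_scope(response_body, required):
    """True if the response's scope contains `required` as a whole token."""
    doc = json.loads(response_body)
    # Compare whole tokens, never substrings of the raw string.
    return required in parse_scope(doc.get("scope", []))
```
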
