Re: [OAUTH-WG] Clarification on section 3.3: missing scope parameter in access token request

Eran Hammer <eran@hueniverse.com> Mon, 13 February 2012 16:43 UTC

From: Eran Hammer <eran@hueniverse.com>
To: Andrew Arnott <andrewarnott@gmail.com>, "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Date: Mon, 13 Feb 2012 09:42:48 -0700

The text serves two purposes:

1. Warn client developers that the server may have a default scope and that they should figure out what it is or what the scope requirements are.

2. Make server developers aware that they should publish their default scope or scope handling preferences.

As for your question, the pre-defined default value can be anything, including context-sensitive. It can even be random, but either way, it should be documented.

EH

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Andrew Arnott
Sent: Sunday, February 12, 2012 8:44 PM
To: OAuth WG (oauth@ietf.org)
Subject: [OAUTH-WG] Clarification on section 3.3: missing scope parameter in access token request

From section 3.3 (draft 23):
If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value, or fail the request indicating an invalid scope. The authorization server SHOULD document its scope requirements and default value (if defined).

Is this saying that the pre-defined default value must be a FIXED value for all clients and all grants?  Or might the predefined default value actually be a derivation of the grant? (for example, by default the access token scope is simply the maximum scope allowed by the grant)

Thanks.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
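The section 3.3 rule quoted above, worked through as an added example (not code from the draft or from either poster): a token-endpoint helper that resolves an omitted `scope` either to a client's documented fixed default or to the maximum scope of the grant, and otherwise fails with `invalid_scope`. The client ids, the `FIXED_DEFAULTS` table and the `Grant` record are assumptions for illustration; whichever default policy is used, the resolved scope is still checked against what the resource owner actually authorized.

```python
"""Scope resolution for an OAuth 2.0 token endpoint (illustrative, hypothetical code).

Section 3.3: if the client omits scope, the server MUST either apply a
pre-defined default or fail the request with invalid_scope.
"""
from dataclasses import dataclass


class InvalidScope(Exception):
    """Corresponds to the 'invalid_scope' error code of the token response."""


@dataclass(frozen=True)
class Grant:
    client_id: str
    allowed_scopes: frozenset  # scopes the resource owner authorized for this grant


# Hypothetical server policy: a documented fixed default per client.
# None means the client has no default, so an omitted scope must fail.
FIXED_DEFAULTS = {
    "app-a": frozenset({"read"}),
    "app-b": None,
}


def resolve_scope(grant, requested, policy="fixed"):
    """Return the effective scope set for the access token.

    requested: the raw space-delimited scope parameter, or None if omitted.
    policy:    "fixed" -> the client's documented default (may be absent)
               "grant" -> default is the maximum scope allowed by the grant
    Raises InvalidScope if no default applies or the scope exceeds the grant.
    """
    if requested is None:
        if policy == "grant":
            effective = frozenset(grant.allowed_scopes)
        else:
            default = FIXED_DEFAULTS.get(grant.client_id)
            if default is None:
                raise InvalidScope("scope omitted and no default is defined")
            effective = default
    else:
        effective = frozenset(requested.split())
        if not effective:
            raise InvalidScope("scope parameter present but empty")
    # Neither a default nor an explicit request may exceed what was granted.
    excess = effective - grant.allowed_scopes
    if excess:
        raise InvalidScope(f"scope {sorted(excess)} not authorized by the grant")
    return effective


def rejects(grant, requested, policy="fixed"):
    """True if resolve_scope fails with invalid_scope for this input."""
    try:
        resolve_scope(grant, requested, policy)
    except InvalidScope:
        return True
    return False
```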