Re: [OAUTH-WG] Issue: Scope parameter

I don't see how the presence of a scope parameter hurts interoperability.

It think scope needs to be a 1st class citizen in the spec, not an extension. Without it, a client cannot request access to a specific set of resources (whether its represented as a string, URI, or anything else). Does the group think it Is important for an Authorization Server to be able to make auth decisions based on requested resources?

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Eran Hammer-Lahav
Sent: Thursday, April 15, 2010 12:51 PM
To: Marius Scurtescu; recordond@gmail.com
Cc: OAuth WG
Subject: Re: [OAUTH-WG] Issue: Scope parameter

1. Write it
2. Comply with naming policy of new parameters*
3. Publish and get feedback.
4. Fix and repeat #3 as needed.
5. Register new parameter name*

:-)

* Pending new parameter name policy

For now just call it 'scope'.

EHL

On 4/15/10 12:38 PM, "Marius Scurtescu" <mscurtescu@google.com> wrote:
Sure. Do we have a mechanism to define extensions?

Marius

On Thu, Apr 15, 2010 at 12:26 PM, David Recordon <recordond@gmail.com> wrote:
> Marius, why don't we write a one page spec which defines scope as an
> extension? We end up with agreement around if scope is a useful
> parameter and a simple parameter name for multiple vendors (because it
> is an extension). Since you seem to be advocating for including scope
> the most, would you mind trying to write out a few paragraphs?
>
> Thanks,
> --David
>
>
> On Thu, Apr 15, 2010 at 12:20 PM, Marius Scurtescu
> <mscurtescu@google.com> wrote:
>> I still have not seen any arguments why scope structure is needed for
>> interop. Client and server side libraries do not need to understand
>> the scope, they just pass it around. Client and server code do need to
>> understand the scope, but we are not dealing with that.
>>
>> Yes, a scope parameter does not buy much, it only prevents each authz
>> server from inventing their own custom parameter.
>>
>> Marius
>>
>>
>>
>> On Thu, Apr 15, 2010 at 12:07 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
>>> WRAP includes a loosely defined scope parameter which allows for
>>> vendor-specific (and non-interoperable) use cases. This was requested by
>>> many working group members to be included in OAuth 2.0 with the argument
>>> that while it doesn't help interop, it makes using clients easier.
>>>
>>> The problem with a general purpose scope parameter that is completely
>>> undefined in structure is that it hurts interop more than it helps. It
>>> creates an expectation that values can be used across services, and it
>>> cannot be used without another spec defining its content and structure. Such
>>> as spec can simply define its own parameter.
>>>
>>> In addition, it is not clear what belongs in scope (list of resources,
>>> access type, duration of access, right to share data, rights to
>>> re-delegate).
>>>
>>> The rules should be that if a parameter cannot be used without another
>>> documentation, it should be defined in that other document.
>>>
>>> Proposal: Request proposals for a scope parameter definition that improve
>>> interop. Otherwise, keep the parameter out of the core spec.
>>>
>>> EHL
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>