Re: [OAUTH-WG] Few questions about client_credentials
Paul Madsen <paul.madsen@gmail.com> Thu, 01 March 2012 22:36 UTC
Return-Path: <paul.madsen@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C34321E83A6 for <oauth@ietfa.amsl.com>; Thu, 1 Mar 2012 14:36:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f53PPiP8fEo0 for <oauth@ietfa.amsl.com>; Thu, 1 Mar 2012 14:36:25 -0800 (PST)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id 2323B21E80BE for <oauth@ietf.org>; Thu, 1 Mar 2012 14:36:25 -0800 (PST)
Received: by yenm5 with SMTP id m5so617557yen.31 for <oauth@ietf.org>; Thu, 01 Mar 2012 14:36:24 -0800 (PST)
Received-SPF: pass (google.com: domain of paul.madsen@gmail.com designates 10.50.179.106 as permitted sender) client-ip=10.50.179.106;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of paul.madsen@gmail.com designates 10.50.179.106 as permitted sender) smtp.mail=paul.madsen@gmail.com; dkim=pass header.i=paul.madsen@gmail.com
Received: from mr.google.com ([10.50.179.106]) by 10.50.179.106 with SMTP id df10mr6691654igc.6.1330641384630 (num_hops = 1); Thu, 01 Mar 2012 14:36:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=3IFKTfPHiXtyMWSkeG9u/q4YYv4MuM2YeA062jfWIIM=; b=BHbit99qL54xygyvHmLrwr6OUoEucBCXv6WGsD5A05SxJs9TuqapPXaoQqSmooO0S6 F9cn2pMFn/oSho/EHS4estwhSRmvvwH0rJ2UOAJ5Or0wb9i1lal08LOxzx+Q0A6g/Sbb cT3tHG1JEyCiuSof4dXoKeZWKm9a6n3LvvsrrnGjlGW3FTSwIE+i4tjABP41xPt0ymzK PH0alYvSTtYDgR6QXybYnDSnqYU1JIfX6Dl5u/4oMB8yEtoZCzEzEDZ/0Jx+vcshb1Ii fEB5bmx+dpPUtda4LJdVKsgLjjirqhC6FU9VPHD2t5SF3B3avYGXZtUZ8uRGdVHfMLIs 86QA==
Received: by 10.50.179.106 with SMTP id df10mr5482612igc.6.1330641384576; Thu, 01 Mar 2012 14:36:24 -0800 (PST)
Received: from pmadsen-mbp.local (CPE0022b0cb82b4-CM0012256eb4b4.cpe.net.cable.rogers.com. [72.136.162.33]) by mx.google.com with ESMTPS id cx9sm2982403igc.12.2012.03.01.14.36.20 (version=SSLv3 cipher=OTHER); Thu, 01 Mar 2012 14:36:22 -0800 (PST)
Message-ID: <4F4FF9E3.3010007@gmail.com>
Date: Thu, 01 Mar 2012 17:36:19 -0500
From: Paul Madsen <paul.madsen@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: "Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com>
References: <E33E01DFD5BEA24B9F3F18671078951F156D8F4B@szxeml534-mbx.china.huawei.com> <4F3BB6B8.1030501@mitre.org> <4F4FA62F.7010404@gmail.com> <5E5D54C4-092B-4D7F-810D-39FFAF08FF6B@mitre.org> <5710F82C0E73B04FA559560098BF95B1250DBA5E89@USNAVSXCHMBSA3.ndc.alcatel-lucent.com> <4F4FF563.3070806@gmail.com> <5710F82C0E73B04FA559560098BF95B1250DBA5F93@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
In-Reply-To: <5710F82C0E73B04FA559560098BF95B1250DBA5F93@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
Content-Type: multipart/alternative; boundary="------------020706080108090500050600"
Cc: "'<oauth@ietf.org>'" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Few questions about client_credentials
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Mar 2012 22:36:26 -0000
RO =/= end-user On 3/1/12 5:33 PM, Zeltsan, Zachary (Zachary) wrote: >> Are you saying that this can include the resources of possibly different end users ? > Yes. The specification does not limit a number of the users whose resources a client may access using the client credentials flow. > > Zachary > > > -----Original Message----- > From: Sergey Beryozkin [mailto:sberyozkin@gmail.com] > Sent: Thursday, March 01, 2012 5:17 PM > To: Zeltsan, Zachary (Zachary) > Cc: 'Richer, Justin P.'; '<oauth@ietf.org>' > Subject: Re: [OAUTH-WG] Few questions about client_credentials > > Hi, > On 01/03/12 19:23, Zeltsan, Zachary (Zachary) wrote: >> In the case of the Client Credentials Grant, an authorization servers knows what resources the client is authorized to access (this includes the resources that are not owned by the client). The specification explains that authorization of access to the resources "has been previously arranged with the authorization server (the method of which is beyond >> the scope of this specification)". >> > Are you saying that this can include the resources of possibly different > end users ? Or only of a specific single end-user ? > > >> I have nothing to add to Justin's answer to the second question. > OK > > Thanks > > Sergey > >> Zachary >> >> >> Zachary >> >> >> -----Original Message----- >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Richer, Justin P. >> Sent: Thursday, March 01, 2012 12:01 PM >> To: Sergey Beryozkin >> Cc:<oauth@ietf.org> >> Subject: Re: [OAUTH-WG] Few questions about client_credentials >> >> If there's a fully trusted relationship between the client and the server, then the client may in fact be accessing data on behalf of another resource owner. It's a useful pattern when a three-legged flow like the Auth Code is not available. But it's kind of splitting hairs because the client has been granted a blanket access to the resource ahead of time, by virtue of its registration. Showing up to get a token is a method of limiting exposure and power of the client credentials, and making it easier to support both direct-client access and delegated-client access simultaneously with most of the same tooling. >> >> To your second question, no -- scopes do not have to be ignored in this case. In fact, a well-designed client and server can make use of scopes to let the client request an access token that's only good for whatever the current transaction is, as opposed to something that's representative of all of the client's capabilities. This is a method known as "downscoping" and it's a very powerful pattern that OAuth enables. Of course, if you want, you are fully allowed to leave the scope out entirely, then it's up to the Authorization Server alone to figure out what the token is really good for. >> >> Hope this clears things up, >> >> -- Justin >> >> >> >> On Mar 1, 2012, at 11:39 AM, Sergey Beryozkin wrote: >> >>> Hi, >>> >>> I have few questions about the client_credentials grant type. >>> Section 4.4 [1] says: "...client is requesting access to the protected resources under its control, or those of another resource owner..." >>> >>> What I do not understand is the latter part of the above statement, how to establish a link between the client authentication (which is an actual grant in this case) and different resource owners given that the only thing we have is the client authentication. As far as I can see it is only possible to get a one to one link with the end user in this case. >>> >>> Can someone please clarify what is meant by "those of another resource owner" phrase ? >>> >>> The other question is about an optional scope parameter. It has to be ignored in case of the client requesting a token for accessing its own resources, right ? >>> >>> Thanks, Sergey >>> >>> >>> >>> [1] http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-4.4 >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] tsv-dir review of draft-ietf-oauth-v2-… Songhaibin
- Re: [OAUTH-WG] tsv-dir review of draft-ietf-oauth… Justin Richer
- Re: [OAUTH-WG] tsv-dir review of draft-ietf-oauth… Songhaibin
- Re: [OAUTH-WG] Few questions about client_credent… Richer, Justin P.
- [OAUTH-WG] Few questions about client_credentials Sergey Beryozkin
- Re: [OAUTH-WG] Few questions about client_credent… Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Few questions about client_credent… Sergey Beryozkin
- Re: [OAUTH-WG] Few questions about client_credent… Sergey Beryozkin
- Re: [OAUTH-WG] Few questions about client_credent… Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Few questions about client_credent… Paul Madsen
- Re: [OAUTH-WG] Few questions about client_credent… André DeMarre
- Re: [OAUTH-WG] Few questions about client_credent… Sergey Beryozkin
- Re: [OAUTH-WG] tsv-dir review of draft-ietf-oauth… Eran Hammer
- Re: [OAUTH-WG] tsv-dir review of draft-ietf-oauth… Eran Hammer
- Re: [OAUTH-WG] tsv-dir review of draft-ietf-oauth… Songhaibin
- Re: [OAUTH-WG] tsv-dir review of draft-ietf-oauth… Songhaibin
- Re: [OAUTH-WG] tsv-dir review of draft-ietf-oauth… Eran Hammer
- [OAUTH-WG] Difference between RO and End User (Wa… Sergey Beryozkin
- Re: [OAUTH-WG] Difference between RO and End User… Paul Madsen
- Re: [OAUTH-WG] Difference between RO and End User… Sergey Beryozkin