Re: [OAUTH-WG] 'Scope' parameter proposal
Eran Hammer-Lahav <eran@hueniverse.com> Tue, 20 April 2010 15:19 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8F82F3A6AE0 for <oauth@core3.amsl.com>; Tue, 20 Apr 2010 08:19:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.477
X-Spam-Level:
X-Spam-Status: No, score=-2.477 tagged_above=-999 required=5 tests=[AWL=0.122, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l9EOx7-ISmDj for <oauth@core3.amsl.com>; Tue, 20 Apr 2010 08:19:49 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id 916303A68C0 for <oauth@ietf.org>; Tue, 20 Apr 2010 08:19:36 -0700 (PDT)
Received: (qmail 16974 invoked from network); 20 Apr 2010 15:19:28 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.19) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 20 Apr 2010 15:19:27 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([72.167.180.19]) with mapi; Tue, 20 Apr 2010 08:19:27 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Luke Shepard <lshepard@facebook.com>, OAuth WG <oauth@ietf.org>
Date: Tue, 20 Apr 2010 08:19:34 -0700
Thread-Topic: 'Scope' parameter proposal
Thread-Index: Acrf3OTsH3nwWGe+ikabEbV7IE0sxQABSTMAAC6AZzA=
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723438E5C7F46A@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <C7F1D1FC.32809%eran@hueniverse.com> <2513A610118CC14C8E622C376C8DEC93D54D66DE26@SC-MBXC1.TheFacebook.com>
In-Reply-To: <2513A610118CC14C8E622C376C8DEC93D54D66DE26@SC-MBXC1.TheFacebook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] 'Scope' parameter proposal
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Apr 2010 15:19:53 -0000
> -----Original Message----- > From: Luke Shepard [mailto:lshepard@facebook.com] > Sent: Monday, April 19, 2010 10:21 AM > To: Eran Hammer-Lahav; OAuth WG > Subject: RE: 'Scope' parameter proposal > > This seems pretty elegant to me. I like that in the general case, the protected > resource can give an error saying the scope required. > > As a specific example of how Facebook could use this, we have an extended > permission for an app to publish to a user's stream. If an app tries to publish > to the stream today, and they don't have the permission, we give an error > that says "You need the publish_stream permission." With this extension, we > could also add a header like: > > WWW-Authenticate: Token realm="http://www.facebook.com", > scope="publish_stream" > > Then client libraries could craft an OAuth authorize URL for that scope, > without having to refer to documentation. > > One issue is how this would work with more complicated scenarios. There > are resources that require multiple scopes, or even one of a few possible > scopes (i.e., either "publish_stream" or "add_photo" to post a photo story). > What are the semantics of the response header listing multiple scopes - are > they all required, or just some? The more complex the endpoint scope is, the more complex the "scope discovery" becomes. The trick is keeping the simple cases simple. I would suggest this: - If an endpoint requires a single or a set of scope identifiers, is uses a single WWW-Authenticate header with a scope parameter listing all the required values. They are all required (i.e. you need a token that covers them all). Anything else will not work. - If an endpoint requires different sets of scope identifiers for different parameters or parameter values, it should reply with the required scope for the *failed* request only. It should help the client make the specific request it was attempting, not provide generic documentation for the entire endpoint capabilities. EHL > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > Of Eran Hammer-Lahav > Sent: Monday, April 19, 2010 9:25 AM > To: OAuth WG > Subject: [OAUTH-WG] 'Scope' parameter proposal > > Proposal: > > 'scope' is defined as a comma-separated list of resource URIs or resource > groups (e.g. contacts, photos). The server can provide a list of values for the > client to use in its documentation, or the client can use the URIs or scope > identifier of the protected resources it is trying to access (before or after > getting a 401 response). > > For example: > > 1. Client requests resource > > GET /resource HTTP/1.1 > Host: example.com > > 2. Server requires authentication > > HTTP/1.1 401 Unauthorized > WWW-Authenticate: Token realm='Example', scope='x2' > > 3. Client requests an access token by including scope=x2 in the request > > Alternatively, the client can ask for an access token with > scope=http://example.com/resource. > > If the client needs access to two resource with different scopes, it requests > an access token for scope=x2,x1. > > That's it! > > It allows the client to figure out what value to put in the scope parameter and > how to encode multiple scopes without any server-specific documentation. > Servers that wish to rely exclusively on paperwork can just omit the scope > parameter from the WWW-Authenticate header. > > We can pick a different separator (space, semicolon, etc.) or different > parameter name (resource(s)). > > EHL > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Luke Shepard
- Re: [OAUTH-WG] 'Scope' parameter proposal Marius Scurtescu
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Torsten Lodderstedt
- Re: [OAUTH-WG] 'Scope' parameter proposal Marius Scurtescu
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal David Recordon
- Re: [OAUTH-WG] 'Scope' parameter proposal John Kemp
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal John Kemp
- Re: [OAUTH-WG] 'Scope' parameter proposal Marius Scurtescu
- Re: [OAUTH-WG] 'Scope' parameter proposal Dick Hardt
- Re: [OAUTH-WG] 'Scope' parameter proposal Manger, James H
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Torsten Lodderstedt
- Re: [OAUTH-WG] 'Scope' parameter proposal Torsten Lodderstedt
- [OAUTH-WG] Consistency in access token parameter Luke Shepard
- Re: [OAUTH-WG] Consistency in access token parame… Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Joseph Smarr
- Re: [OAUTH-WG] Consistency in access token parame… Joseph Smarr
- Re: [OAUTH-WG] Consistency in access token parame… Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Eve Maler
- Re: [OAUTH-WG] 'Scope' parameter proposal Manger, James H
- Re: [OAUTH-WG] 'Scope' parameter proposal John Kemp
- Re: [OAUTH-WG] 'Scope' parameter proposal Chasen Le Hara
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Chasen Le Hara
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal John Kemp
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Chasen Le Hara
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Eve Maler
- Re: [OAUTH-WG] 'Scope' parameter proposal Manger, James H
- Re: [OAUTH-WG] 'Scope' parameter proposal Torsten Lodderstedt
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Torsten Lodderstedt
- Re: [OAUTH-WG] 'Scope' parameter proposal John Panzer
- Re: [OAUTH-WG] 'Scope' parameter proposal Keenan, Bill
- Re: [OAUTH-WG] 'Scope' parameter proposal Luke Shepard