Re: [OAUTH-WG] 'Scope' parameter proposal

Brian Eaton <beaton@google.com> Thu, 22 April 2010 19:10 UTC

On Thu, Apr 22, 2010 at 11:39 AM, John Kemp <john@jkemp.net> wrote:
> I agree that 'scope' is something that many SPs want. If they don't want it roughly the
> same way though (something more than a "bucket of opaque strings with a standard
> name") I don't know if I understand the point to standardizing it.

Well, we've moved from "opaque string" to "bucket of opaque strings".
And from there, we could in theory move to "bucket of opaque strings
that represent privileges, and well defined ways of dropping those
privileges".

I'm not sure that counts as progress, but it might be. =)

This is hand-wavy, but the main reason I see to standardize a scope
parameter is that it helps developers with a consistent mental model
of how service providers work.  It also helps new service providers be
consistent with the way previous APIs have been built.

Cheers,
Brian