IETF Logo Mail Archive

Re: [OAUTH-WG] resource server id needed?

Torsten Lodderstedt <torsten@lodderstedt.net> Thu, 15 July 2010 17:03 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3A0303A6A35 for <oauth@core3.amsl.com>; Thu, 15 Jul 2010 10:03:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.074
X-Spam-Level:
X-Spam-Status: No, score=-2.074 tagged_above=-999 required=5 tests=[AWL=0.174, BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k8q5-XFncSb1 for <oauth@core3.amsl.com>; Thu, 15 Jul 2010 10:03:34 -0700 (PDT)
Received: from smtprelay04.ispgateway.de (smtprelay04.ispgateway.de [80.67.31.27]) by core3.amsl.com (Postfix) with ESMTP id 28D983A6970 for <oauth@ietf.org>; Thu, 15 Jul 2010 10:03:33 -0700 (PDT)
Received: from p4ffd0e52.dip.t-dialin.net ([79.253.14.82] helo=[127.0.0.1]) by smtprelay04.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1OZRqY-0002SB-HP; Thu, 15 Jul 2010 19:03:42 +0200
Message-ID: <4C3F3F6A.5000409@lodderstedt.net>
Date: Thu, 15 Jul 2010 19:03:38 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.10) Gecko/20100512 Thunderbird/3.0.5
MIME-Version: 1.0
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <C8645B85.372D8%eran@hueniverse.com>
In-Reply-To: <C8645B85.372D8%eran@hueniverse.com>
Content-Type: multipart/alternative; boundary="------------060408020505010607000500"
X-Df-Sender: 141509
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] resource server id needed?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jul 2010 17:03:40 -0000

As I have written in my reply to Marius's posting. I'm fine with 
including server ids in scopes. But this requires a definition of the 
scope's syntax and semantics in the spec. Otherwise, scope 
interpretation (and server identification) will be deployment specific.

In your example, ':' is used as delimiter between server id and (I 
guess) resource id. I could also imagine to use another syntax, like 
<resource server>:<resource>:<permissions>.

regards,
Torsten.


Am 15.07.2010 15:30, schrieb Eran Hammer-Lahav:
> No. It is.
>
> Let me ask you this: why can't you use 'photos:server1' and 
> 'photos:server2' as scopes?
>
> EHL
>
>
> On 7/14/10 10:49 PM, "Torsten Lodderstedt" <torsten@lodderstedt.net> 
> wrote:
>
>     Did I get you right? Your answer is: Oauth is not suited for
>     deployments with different resource servers which rely in a single
>     authz server?
>
>     I don't know why you categorize this as  "complex". Is it so
>     unusual to have let's say mail, webstorage, telephony, and payment
>     services?
>
>     At Deutsche Telekom, we operate such a deployment (with much more
>     different resource servers) and I had hoped to move our token
>     service towards OAuth v2.
>
>     So would you recommend me zo stick to our proprietary protocol?
>
>     regards,
>     Torsten.
>
>
>
>     Am 15.07.2010 um 00:39 schrieb Eran Hammer-Lahav
>     <eran@hueniverse.com>:
>
>     > If your deployment is that complicated, even my discovery
>     proposal is not going to help you...
>     >
>     > EHL
>     >
>     >
>     >
>     > On Jul 14, 2010, at 18:37, "Marius Scurtescu"
>     <mscurtescu@google.com> wrote:
>     >
>     >> On Wed, Jul 14, 2010 at 3:22 PM, Torsten Lodderstedt
>     >> <torsten@lodderstedt.net> wrote:
>     >>> I have a question concerning the OAuth philosophy: How many
>     resource servers
>     >>> may be managed by a single OAuth authorization server? (a) A
>     single resource
>     >>> server or (b) several of them exposing different resource types?
>     >>>
>     >>> If the answer is (b) then how is a particular resource server
>     identified in
>     >>> the protocol? Clients have Ids, end-users as well (at least in
>     a future
>     >>> protocol extension), but what about resource server Ids?
>     >>>
>     >>> I think resource servers must be identifiable in multi-server
>     deployments
>     >>> for several reasons:
>     >>> - Interpretation of the scope parameter should be resource
>     server specific -
>     >>> "read" may have different meanings in mail and address book
>     >>> - An authorization server probably wants to apply
>     server-specific security
>     >>> policy, e.g. different access token durations
>     >>> - It will be possible to create special tokens per server
>     >>>
>     >>> I think we should introduce a resource server id in the authz
>     and access
>     >>> token request.
>     >>>
>     >>> Any thoughts?
>     >>
>     >> I think the scope fills this role. Scopes implemented as URIs, for
>     >> example, allow the authz server to map them to resource servers.
>     >>
>     >> Marius
>     >> _______________________________________________
>     >> OAuth mailing list
>     >> OAuth@ietf.org
>     >> https://www.ietf.org/mailman/listinfo/oauth
>

v2.35.0 | Report a Bug | By Email | System Status