> -----Original Message-----
> From: Dick Hardt [mailto:dick.ha...@gmail.com]
> Sent: Monday, April 19, 2010 8:07 PM
> To: Eran Hammer-Lahav
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] 'Scope' parameter proposal
>
>
> On 2010-04-19, at 9:25 AM, Eran Hammer-Lahav wrote:
>
> > 2. Server requires authentication
> >
> > HTTP/1.1 401 Unauthorized
> > WWW-Authenticate: Token realm='Example', scope='x2'
>
> Can more than one scope be returned? Is it a comma-delimited list?
One scope parameter with one or more comma-delimited values (we can change this to space-delimited if people would like to use URIs for scope identifiers).

> Imagine we have a resource that can have READ or WRITE access granted.
>
> An unauthenticated GET on the resource could return the scope URI needed
> for READ, an unauthenticated PUT on the resource could return the scope
> URI for WRITE. What if you want to both do READs and WRITEs? There may
> be another scope that is READ/WRITE. READ and WRITE are pretty common
> capabilities, but one can imagine much more complex capabilities at
> resources.

A failed GET will return scope=read and a failed PUT will return scope=write. The server can issue an access token with:

scope=read
scope=write
scope=read,write

The last can be used for both. In other words, there should not be a read_write scope; instead, the token should have two scopes.

> The exact semantics to the resource are likely going to be very contextual.

Yes, and this can get very complicated if people want an extremely granular way of doing permissions. For example, if you want to issue a token that can read contacts and write email, you will need to define a bigger set: email_read, email_write, contacts_read, contacts_write. On the other hand, if write access is for all authorized resources, you need: email, contacts, read, write.

> Given that, returning a single scope value if that is all that makes sense to
> the resource will likely address many use cases.

This is true when looking at a single resource.

EHL

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
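The following is an added example, not code from the thread, the OAuth WG or the draft under discussion. It implements the scheme Eran's reply describes: a challenge header carrying a comma-delimited scope value, and a protected resource that checks the scope set of a presented token against what the request needs, answering with a challenge that lists only the scopes still missing. The resource layout (/email, /contacts), the method-to-action mapping, and the use of 401 for an insufficient token are assumptions made for the example; the parser accepts both the draft's single-quoted, comma-delimited form and the space-delimited, double-quoted form that RFC 6750 later standardized.

```python
"""Added example (not from the OAuth WG thread or draft): WWW-Authenticate
scope parsing and a subset-based scope check for a protected resource."""
import re
from typing import Dict, FrozenSet, Optional, Tuple

# Assumed resource model for the example: the path selects the resource scope,
# the method selects the action scope, and a request needs both. This is the
# second model in the reply ("email, contacts, read, write") rather than the
# cross-product one (email_read, email_write, ...).
RESOURCE_SCOPE = {"/email": "email", "/contacts": "contacts"}
ACTION_SCOPE = {"GET": "read", "HEAD": "read", "PUT": "write", "POST": "write", "DELETE": "write"}

# One auth-param: name=value, where value is single-quoted (as in the 2010 draft
# text above), double-quoted (RFC 2617 style) or a bare token.
_PARAM_RE = re.compile(
    r"""\s*([A-Za-z0-9_-]+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s,'"]+))\s*(?:,|$)"""
)


def parse_scope_values(raw: str) -> FrozenSet[str]:
    """Split a scope value into its set of scope identifiers.

    The draft uses comma-delimited values; the thread considers switching to
    space-delimited so that URIs can serve as identifiers. Both delimiters are
    accepted here, so a URI that itself contains a comma would be split in two,
    which is exactly the problem that motivates space-delimiting.
    """
    return frozenset(part for part in re.split(r"[,\s]+", raw.strip()) if part)


def parse_www_authenticate(header: str) -> Tuple[str, Dict[str, str]]:
    """Parse "Token realm='Example', scope='read,write'" into (scheme, params)."""
    scheme, _, rest = header.strip().partition(" ")
    params: Dict[str, str] = {}
    pos = 0
    while pos < len(rest):
        match = _PARAM_RE.match(rest, pos)
        if match is None:
            raise ValueError(f"malformed auth-param near {rest[pos:]!r}")
        name = match.group(1).lower()
        # Exactly one of the three value alternatives matched; '' is a legal empty value.
        value = next(g for g in match.groups()[1:] if g is not None)
        params[name] = value
        pos = match.end()
    return scheme, params


def required_scopes(method: str, path: str) -> FrozenSet[str]:
    """Scopes a request needs under the assumed resource/action model."""
    return frozenset({RESOURCE_SCOPE[path], ACTION_SCOPE[method.upper()]})


def authorize(method: str, path: str, token_scope: Optional[str],
              realm: str = "Example") -> Tuple[int, Optional[str]]:
    """Return (status, WWW-Authenticate challenge or None) for a request.

    The check is a plain subset test, so a token carrying scope=read,write
    satisfies both GET and PUT without any combined read_write scope. The
    challenge lists only what is still missing: an unauthenticated GET reports
    the read scope, an unauthenticated PUT the write scope, as in the thread.
    Status 401 is used for both the missing-token and insufficient-scope cases
    to match the draft excerpt; this is an assumption of the example.
    """
    required = required_scopes(method, path)
    granted = parse_scope_values(token_scope) if token_scope else frozenset()
    missing = required - granted
    if not missing:
        return 200, None
    challenge = f"Token realm='{realm}', scope='{','.join(sorted(missing))}'"
    return 401, challenge


if __name__ == "__main__":
    print(parse_www_authenticate("Token realm='Example', scope='x2'"))
    print(authorize("GET", "/email", None))
    print(authorize("PUT", "/email", "email,read"))
    print(authorize("PUT", "/email", "email,contacts,read,write"))
```

The challenge a client receives can be fed straight back into `parse_www_authenticate` and `parse_scope_values` to learn which scopes to request from the authorization server; because scopes are compared as sets, a token that accumulates `read` and `write` separately is indistinguishable from one issued with `read,write` in a single grant.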