> -----Original Message-----
> From: Brian Eaton [mailto:bea...@google.com]
> Sent: Thursday, April 22, 2010 10:36 AM
> To: Eran Hammer-Lahav
> Cc: John Kemp; OAuth WG
> Subject: Re: [OAUTH-WG] 'Scope' parameter proposal
> 
> On Mon, Apr 19, 2010 at 3:17 PM, Eran Hammer-Lahav
> <e...@hueniverse.com> wrote:
> >> The scope doesn't have to match the base URI of the resource which
> >> the client tried and got the 401 from?
> >
> > That's a security issue we need to address (when to trust the resource
> server and reuse an existing token). We need to figure it out either way.
> 
> Are you sure we need to figure this out?  Is it even possible to figure it 
> out?

Yes. It doesn't mean we have to solve it, but we must give developers guidance 
on what to do or not to do. This is clearly a major part of any authentication 
protocol - when to use a set of credentials.

Rules around realms show this is very tricky but unless we update 2617 (which 
we are not chartered to do) we are still stuck with realm as a required 
parameter. One way to avoid this debate is to simply say that clients should 
use realms to decide when to reuse tokens. It doesn't solve the problem, but it 
doesn't create a new one either.

As for scopes:

In a 401 response, the scope parameter tells the client what scopes the token 
needs to include.
In a token request, the client may tell the server what scope it desires (based 
on documentation or the 401 response).
In a token response, the server may tell the client the scopes included in the 
token issued.

Scope is defined as a list of opaque identifiers (which can be strings or URIs). 
Multiple scopes should be space delimited because it's the easiest character to 
allow both simple names and URIs (URIs can include un-escaped commas).

In other words, we need to address it, but it doesn't need to be part of the 
scope proposal.

EHL


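The three uses of scope listed in the message above (the 401 challenge naming the scopes a token needs, the token request carrying the scopes the client asks for, and the token response reporting what was issued), together with the realm-based reuse rule, worked through as an added example. This is not code from the OAuth working group or any draft; the "Token" scheme name in WWW-Authenticate, the parameter names, the token-cache structure and the sample URLs and header values are all assumptions made for illustration.

```python
"""Client-side handling of an OAuth-style scope parameter.

Added illustration, not code from the OAuth WG or any draft. The auth
scheme name "Token", the parameter names and the sample header values
below are assumptions; only the space-delimited, opaque-identifier
shape of scope follows the message this example accompanies.
"""
import re
from urllib.parse import urlencode

# RFC 2617-style auth-param: name="quoted string" or name=bare-token.
_AUTH_PARAM = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_challenge(header):
    """Split a WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = header.partition(" ")
    params = {}
    for name, quoted, bare in _AUTH_PARAM.findall(rest):
        value = quoted if quoted else bare
        params[name.lower()] = value.replace('\\"', '"')
    return scheme, params


def split_scope(scope):
    """Scope is a space-delimited list of opaque identifiers. Splitting on
    whitespace (never commas) keeps URIs that contain commas intact; the
    identifiers are compared as opaque strings and duplicates collapse."""
    seen = []
    for ident in scope.split():
        if ident not in seen:
            seen.append(ident)
    return seen


def token_request_body(client_id, scope_list, **extra):
    """Form-encoded token request carrying the desired scopes, joined by a
    single space. Field names other than scope are assumptions."""
    body = {"client_id": client_id, "scope": " ".join(scope_list)}
    body.update(extra)
    return urlencode(body)


def issued_covers(issued_scope, needed):
    """True when the scope string from a token response contains every
    identifier the 401 challenge demanded (the server may issue more)."""
    return set(needed) <= set(split_scope(issued_scope))


class TokenCache:
    """Tokens keyed by realm: a token obtained under one realm is never
    presented to another. This is the conservative reuse rule from the
    message; it sidesteps the question of when to trust a resource server."""

    def __init__(self):
        self._tokens = {}  # realm -> (token, [scope identifiers])

    def store(self, realm, token, issued_scope):
        self._tokens[realm] = (token, split_scope(issued_scope))

    def token_for(self, realm, needed):
        """Return a cached token only if the realm matches and its scopes
        cover what the challenge asked for; otherwise None."""
        entry = self._tokens.get(realm)
        if entry is None:
            return None
        token, scopes = entry
        return token if set(needed) <= set(scopes) else None


def react_to_401(cache, header, client_id):
    """Client decision on a 401: reuse a token cached for this realm when
    its scopes suffice, else build a token request for the scopes named
    in the challenge. Returns ("reuse", token) or ("request", body)."""
    _, params = parse_challenge(header)
    realm = params.get("realm", "")
    needed = split_scope(params.get("scope", ""))
    token = cache.token_for(realm, needed)
    if token is not None:
        return ("reuse", token)
    return ("request", token_request_body(client_id, needed))


if __name__ == "__main__":
    # Constructed sample challenge; the URI scope deliberately contains a comma.
    challenge = 'Token realm="photos", scope="read https://example.com/albums/a,b"'
    cache = TokenCache()
    print(react_to_401(cache, challenge, "client-1"))      # a token request
    cache.store("photos", "tok-1", "read write https://example.com/albums/a,b")
    print(react_to_401(cache, challenge, "client-1"))      # ('reuse', 'tok-1')
    print(react_to_401(cache, 'Token realm="mail", scope="read"', "client-1"))
```

The last call in the demo shows the realm rule doing its work: the cached token covers the "read" scope, but because the challenge came from a different realm it is not reused and a fresh token request is built instead.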

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth