On 30 Apr 2010, at 11:00 PM, Torsten Lodderstedt wrote:
> Am 01.05.2010 03:07, schrieb Marius Scurtescu:
>> On Fri, Apr 30, 2010 at 11:43 AM, Torsten Lodderstedt
>> <tors...@lodderstedt.net> wrote:
>>
>>> In my opinion, automatic discovery on scope values is as valuable or not
>>> valuable as automatic discovery for a service API. I would like to echo one
>>> of my postings:
>>>
>>> A scope defines the set of permissions a client asks for and that becomes
>>> associated with tokens. I don't see the need (and a way) for automatic scope
>>> discovery. In my opinion, scopes are part of the API documentation of a
>>> particular resource server. So if someone implements a client, it needs to
>>> consider the different scopes this client needs the end users authorization
>>> for. If the resource server implements a OAuth2-based standard API (e.g. for
>>> contact management or e-Mail), a client might be interoperable (in terms of
>>> scopes) among the resource servers implementing this standard.
>>>
>> Not sure I understand, are you saying that for a standard API, like
>> IMAP for example, there should be a standard scope (or set of scopes)?
>>
>
> Yes, that's what I said.
>
> Scopes (~permissions) should be defined allong with the corresponding API. So
> developers should know upfront
> which scope is required to perform a particular action. For example,
> "uploading documents requires scope 'upload'".
> The same holds for IMAP. Depending on the IMAP feature set you want to use
> there could be plenty of scopes,
> ranging from "read users INBOX" to sharing scenarios, where users have access
> to other users IMAP folders.
This makes a ton of sense. It's one of the reasons that, in UMA, we tried to
specify a generic way of expressing scope that naturally and closely matches a
resource-oriented (RESTful) API: resource + HTTP method is a reliable shorthand
for an access feature. For read and write and even delete permissions on (say)
identity data accessed by URL, it's pretty much all the expressiveness you
need, and ideally the same documentation easily covers both features and
scopes. For any API that's more "compressed" (e.g. one complex endpoint for
many operations), it doesn't really help.
Eve
Eve Maler
e...@xmlgrrl.com
http://www.xmlgrrl.com/blog
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
