+1 to option 3
I think the suggestion below from Torsten makes great sense, especially in
relation to standardized apis such as mail
Mark
On 01 May 2010, at 13:36 PM, Eve Maier wrote:
> Am 01.05.2010 03:07, schrieb Marius Scurtescu:
>> On Fri, Apr 30, 2010 at 11:43 AM, Torsten Lodderstedt
>> <tors...@lodderstedt.net> wrote:
>>
>>> In my opinion, automatic discovery on scope values is as valuable or
not
>>> valuable as automatic discovery for a service API. I would like to echo
one
>>> of my postings:
>>>
>>> A scope defines the set of permissions a client asks for and that
becomes
>>> associated with tokens. I don't see the need (and a way) for automatic
scope
>>> discovery. In my opinion, scopes are part of the API documentation of a
>>> particular resource server. So if someone implements a client, it needs
to
>>> consider the different scopes this client needs the end users
authorization
>>> for. If the resource server implements a OAuth2-based standard API
(e.g. for
>>> contact management or e-Mail), a client might be interoperable (in
terms of
>>> scopes) among the resource servers implementing this standard.
>>>
>> Not sure I understand, are you saying that for a standard API, like
>> IMAP for example, there should be a standard scope (or set of scopes)?
>>
>
> Yes, that's what I said.
>
> Scopes (~permissions) should be defined allong with the corresponding
API. So developers should know upfront
> which scope is required to perform a particular action. For example,
"uploading documents requires scope 'upload'".
> The same holds for IMAP. Depending on the IMAP feature set you want to
use there could be plenty of scopes,
> ranging from "read users INBOX" to sharing scenarios, where users have
access to other users IMAP folders.
This makes a ton of sense. It's one of the reasons that, in UMA, we tried
to specify a generic way of expressing scope that naturally and closely
matches a resource-oriented (RESTful) API: resource + HTTP method is a
reliable shorthand for an access feature. For read and write and even
delete permissions on (say) identity data accessed by URL, it's pretty much
all the expressiveness you need, and ideally the same documentation easily
covers both features and scopes. For any API that's more
"compressed" (e.g. one complex endpoint for many operations), it doesn't
really help.
Eve
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
