The question is whether one would ever want to have a standardized semantic for the scope parameter. If the answer to that question is "no" then it does not matter what the format is. It can well be a list of space-delimited strings (as it is currently defined).
An environment-specific semantic works well in cases where entity X sets the value and later it receives the value again. Only entity X needs to understand what it means. In some environments the use case is slightly different, namely entity X and entity Y are from the same organization and agree on the semantic. Usage of OAuth within an enterprise might be such a case. Now, the usage of the scope parameter is, however, a bit different in the spec. Section 4, for example, describes how a client obtains an access token. How does the client know what scope parameters to set and what the semantic is?

Ciao
Hannes

> -----Original Message-----
> From: ext Lukas Rosenstock [mailto:l...@lukasrosenstock.net]
> Sent: Thursday, June 24, 2010 10:49 AM
> To: Dick Hardt
> Cc: Tschofenig, Hannes (NSN - FI/Espoo); OAuth WG
> Subject: Re: [OAUTH-WG] Scope :: Was: Extensibility for OAuth?
>
> Wasn't there some consensus that URIs would be good for scope? They
> have "in-built namespacing" ...
>
> Lukas
>
> 2010/6/23 Dick Hardt <dick.ha...@gmail.com>:
> >
> > On 2010-06-22, at 11:07 PM, Tschofenig, Hannes (NSN - FI/Espoo) wrote:
> >
> >> "
> >>   scope
> >>         OPTIONAL.  The scope of the access request expressed as a list
> >>         of space-delimited strings.  The value of the "scope" parameter
> >>         is defined by the authorization server.  If the value contains
> >>         multiple space-delimited strings, their order does not matter,
> >>         and each string adds an additional access range to the
> >>         requested scope.
> >> "
> >>
> >> Do folks think it would be useful to have standardized values?
> >
> > Not at this time. The semantics of scope are all over the place. If
> > standardized, people will feel they need to pick one that is close to
> > what they want, but is not exactly what they mean. I think it is better
> > for the AS to define what they mean by a scope and give it a name that
> > makes sense in that context.
> >
> >>
> >> If the answer is "yes", then it would be useful to differentiate the
> >> standardized values from those values that are purely defined locally by
> >> the authorization server.