I think a bit more then just defining the delimiter is required in order to make things work as you described (in a interoperable way).

5.2.1 states "The "scope" attribute is a space-delimited list of scope values indicating the required scope of the access token for accessing the requested resource."

So in my understanding the resource may indicate the scope required for access, no word about addition. There is no relation stated to the scope associated with a insufficient token sent to a resource.

Even if this attribute would contain a scope diff, some more questions are open: How does the client know what scope values from different WWW-Authenticate headers can be combined? Moreover, the draft does not support to extend a token's scope. So how should the client use that knowledge? Kick-off another authorization process?

regards,
Torsten.

Am 25.08.2010 00:59, schrieb David Recordon:
Giving scope basic structure (space delimitated) allows any app developer to store a list of scopes which they have and compare any desired scopes to that list. While the meaning of each scope is not standardized, it allows for this sort of simple operation on scope. 5.2.1 also defines how a protected resource can tell the client what additional scope(s) are needed in order to make their request successful. Standardizing the delimiter allows for this sort of "addition" interaction.

--David



On Tue, Aug 24, 2010 at 10:41 PM, Torsten Lodderstedt <tors...@lodderstedt.net <mailto:tors...@lodderstedt.net>> wrote:

     --- p.6 terminology/authorization server
    "         A server capable of issuing tokens after successfully
            authenticating the resource owner and obtaining authorization.
            The authorization server may be the same server as the
    resource
            server, or a separate entity. "
    Based on the discussion in
    http://www.ietf.org/mail-archive/web/oauth/current/msg03812.html,
    I would suggest to add the following: "A single authorization
    server may issue tokens for different resource servers."

    --- p.11 What is the meaning of "... the authentication of the
    client is based on the user-agent's same-origin policy." ? As far
    as I know, this policy restricts the hosts the JavaScript client
    is allowed to interact with. How does this "feature" authenticate
    the client on the authorization server?

    --- Examples and client authentication: Since BASIC authentication
    is the default mechanisms for client authentication, I would
    suggest to use it in all examples.

    --- Scope syntax and usage
    The discussion in
    http://www.ietf.org/mail-archive/web/oauth/current/msg03812.html
    revealed most WG members do not want to define the scope's syntax
    and semantics in the spec. Instead these aspects shall be kept
    deployment specific. Accepted. To me, this means the scope is
    specified as a placeholder/pattern only and not as a fullblown
    parameter. In contrast, the draft raises the expectation to
    specify more than that e.g. by defining delimiters and talking
    about orders on scopes (less/equal). In my opinion, we should not
    pretend to standardize something we don't really standardize.
    Moreover, if we want to give the deployments the freedom to define
    the scope's syntax and semantics, then we should not impose any
    needless restrictions. Here are some examples:

    p. 17
    scope
            OPTIONAL.  The scope of the access request expressed as a list
            of space-delimited strings.  ..

    Why is it neccessary to define a delimiter for a parameter that
    otherwise is completly left unspecified? What is the benefit? I
    would suggest to remove the delimiter definition and let the scope
    just be an opaque string that can be used by the deployment in any
    way. Lists of spec-delimited strings are one options, other
    deployments would probably use JSON documents or an elaborated
    scope-expression language.

    p.22 "If the access grant being used already
            represents an approved scope (e.g. authorization code,
            assertion), the requested scope MUST be equal or lesser than
            the scope previously granted."

    This statement is useless without a definition of an order and
    equality among scope values. And there might also be a sets,
    subsets and supersets of scopes.
    Proposal:
    Either (a) add an clarification that equality, order, e.t.c. of
    scopes is deployment specific or (b) remove the statement.

    p. 33    The "scope" attribute is a space-delimited list of scope
    values
      indicating the required scope of the access token for accessing the
      requested resource."

    There is no explanation what a compliant client should do with the
    scope attribute value of a WWW-Authenticate header.
    Proposal:
    Either a) state that usage of the scope value is deployment
    specific or b) that the client shall pass this attribute to the
    respective scope parameters on end-user authorization and tokens
    endpoint or c) remove the attribute.

    --- section 3: "The authorization server MUST support the use of
      the HTTP "GET" method for the end-user authorization endpoint, and
      MAY support the use of the "POST" method as well."

    What is the use case behind POST on that endpoint? Is the
    authorization server expected to behave differently with respect
    to the redirect back to the client? For example, shall HTML FORM
    Redirection be used for the way back?

    section 4.3. In my opinion, unauthorized_client should be used on
    conjunction with status code 403.

    section 5.1.1. access token charset: This definition allows
    authorization server for the issuance of token, which cannot be
    safely passed with URI query parameters (e.g. they are allowd to
    contain "&"). But section 5.1.2 specifies that access tokens can
    directly be used as such parameters. This may cause problems.

    Proposal: Either a) modify the access token charset to be URI
    query parameter compliant or b) advice resource server/clients
    using URI query parameters to additionaly URL-safe-base64-encode
    tokens before sending them to the resource server.

    regards,
    Torsten.
    _______________________________________________
    OAuth mailing list
    OAuth@ietf.org <mailto:OAuth@ietf.org>
    https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to