I think the below is a bit clearer than the existing language. I can live with either.
John B. On 2013-04-15, at 2:29 PM, Mike Jones <michael.jo...@microsoft.com> wrote: > We could fix the one-sided language by changing > “Space separated list of scope values (as described in OAuth 2.0Section 3.3 > [RFC6749]) that the client is declaring that it may use when requesting > access tokens.” > to > “Space separated list of scope values (as described in OAuth 2.0Section 3.3 > [RFC6749]) that the client is declaring to the server that it may use when > requesting access tokens and that the server is declaring to the client that > it is registered to use when requesting access tokens.”. > > Again, I chose the “registered to use” language carefully – because in the > general case it’s not a restriction on the values that the client can use – > just a statement by the server to the client that it is registered to use > those particular values. In both cases, the parties are making declarations > to one another. > > If you adopt that language (or keep the original language), then yes, I’d > consider this closed. > > -- Mike > > From: Justin Richer [mailto:jric...@mitre.org] > Sent: Monday, April 15, 2013 9:57 AM > To: Mike Jones > Cc: Tim Bray; oauth@ietf.org > Subject: Re: [OAUTH-WG] Registration: Scope Values > > I absolutely do not want to delete this feature, as (having implemented it) I > think it's very useful. This is a very established pattern in manual > registration: I know of many, many OAuth2 servers and clients that are set up > where the client must pre-register a set of scopes. > > I don't like the language of "the client is declaring" because it's too > one-sided. The client might not have declared anything, and it might be the > server that's declaring something to the client. Deleting the "is declaring" > bit removes that unintended restriction of the language while keeping the > original meaning intact. I actually thought that I had fixed that before the > last draft went in but apparently I missed this one. > > I will work on clarifying the intent of the whole metadata set in its > introductory paragraph(s) so that it's clear that all of these fields are > used in both of these situations: > > 1) The client declaring to the server its desire to use a particular value > 2) The server declaring to the client that it has been registered with a > particular value > > This should hopefully clear up the issue in the editor's note that I > currently have at the top of that section right now, too. > > Mike, since you were the one who originally brought up the issue, and you're > fine with the existing text, can I take this as closed now? Assuming that you > agree with deleting "is declaring" for reasons stated above, I'm fine with > leaving everything else as is and staying quiet on what the server has to do > with the scopes. > > -- Justin > > > On 04/15/2013 12:44 PM, Mike Jones wrote: > I think that the existing wording is superior to the proposed changed > wording. The existing wording is: > > scope > OPTIONAL. Space separated list of scope values (as described in > OAuth 2.0 Section 3.3 [RFC6749]) that the client is declaring that > it may use when requesting access tokens. If omitted, an > Authorization Server MAY register a Client with a default set of > scopes. > > For instance, the current “client is declaring” wording will always be > correct, whereas as the change to “client can use” wording implies a > restriction on client behavior that is not always applicable. The “client is > declaring” wording was specific and purposefully chosen, and I think should > be retained. In particular, we can’t do anything that implies that only the > registered scopes values can be used. At the OAuth spec level, this is a > hint as to possible future client behavior – not a restriction on future > client behavior. > > Also, for the reasons that Tim stated, I’m strongly against any “matching” or > “regex” language in the spec pertaining to scopes – as it’s not actionable. > > So I’d propose that we leave the existing scope wording in place. > Alternatively, I’d also be fine with deleting this feature entirely, as I > don’t think it’s useful in the general case. > > -- Mike > > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of > Justin Richer > Sent: Monday, April 15, 2013 8:05 AM > To: Tim Bray; oauth@ietf.org > Subject: Re: [OAUTH-WG] Registration: Scope Values > > On 04/15/2013 10:52 AM, Tim Bray wrote: > > > I’d use the existing wording; it’s perfectly clear. Failing that, if there’s > strong demand for registration of structured scopes, bless the use of > regexes, either PCREs or some careful subset. > > Thanks for the feedback -- Of these two choices, I'd rather leave it as-is. > > > > > However, I’d subtract the sentence “If omitted, an Authorization Server MAY > register a Client with a default set of scopes.” It adds no value; if the > client doesn’t declare scopes, the client doesn’t declare scopes, that’s all. > -T > > Remember, all of these fields aren't just for the client *request*, they're > also for the server's *response* to either a POST, PUT, or GET request. (I > didn't realize it, but perhaps the wording as stated right now doesn't make > that clear -- I need to fix that.) The value that it adds is if the client > doesn't ask for any particular scopes, the server can still assign it scopes > and the client can do something smart with that. Dumb clients are allowed to > ignore it if it doesn't mean anything to them. > > This is how our server implementation actually works right now. If the client > doesn't ask for anything specific at registration, the server hands it a bag > of "default" scopes. Same thing happens at auth time -- if the client doesn't > ask for any particular scopes, the server hands it all of its registered > scopes as a default. Granted, on our server, scopes are just simple strings > right now, so they get compared at the auth endpoint with an exact > string-match metric and set-based logic. > > -- Justin > > > > > > On Mon, Apr 15, 2013 at 7:35 AM, Justin Richer <jric...@mitre.org> wrote: > What would you suggest for wording here, then? Keeping in mind that we cannot > (and don't want to) prohibit expression-based scopes. > > -- Justin > > > On 04/15/2013 10:33 AM, Tim Bray wrote: > No, I mean it’s not interoperable at the software-developer level. I can’t > register scopes at authorization time with any predictable effect that I can > write code to support, either client or server side, without out-of-line > non-interoperable knowledge about the behavior of the server. > > I guess I’m just not used to OAuth’s culture of having no expectation that > things will be specified tightly enough that I can write code to implement as > specified. -T > > > On Mon, Apr 15, 2013 at 7:15 AM, Justin Richer <jric...@mitre.org> wrote: > Scopes aren't meant to be interoperable between services since they're > necessarily API-specific. The only interoperable bit is that there's *some* > place to put the values and that it's expressed as a bag of space-separated > strings. How those strings get interpreted and enforced (which is really > what's at stake here) is up to the AS and PR (or a higher-level protocol like > UMA). > > -- Justin > > > On 04/15/2013 10:13 AM, Tim Bray wrote: > This, as written, has zero interoperability. I think this feature can really > only be made useful in the case where scopes are fixed strings. > > -T > > On Apr 15, 2013 6:54 AM, "Justin Richer" <jric...@mitre.org> wrote: > You are correct that the idea behind the "scope" parameter at registration is > a constraint on authorization-time scopes that are made available. It's both > a means for the client to request a set of valid scopes and for the server to > provision (and echo back to the client) a set of valid scopes. > > I *really* don't want to try to define a matching language for scope > expressions. For that to work, all servers would need to be able to process > the regular expressions for all clients, even if the servers themselves only > support simple-string scope values. Any regular expression syntax we pick > here is guaranteed to be incompatible with something, and I think the > complexity doesn't buy much. Also, I think you suddenly have a potential > security issue if you have a bad regex in place on either end. > > As it stands today, the server can interpret the incoming registration scopes > and enforce them however it wants to. The real trick comes not from assigning > the values to a particular client but to enforcing them, and I think that's > always going to be service-specific. We're just not as clear on that as we > could be. > > After looking over everyone's comments so far, I'd like to propose the > following text for that section: > > > > scope > OPTIONAL. Space separated list of scope values (as described in > OAuth 2.0 Section 3.3 [RFC6749]) that the client can use when > requesting access tokens. As scope values are service-specific, > the Authorization Server MAY define its own matching rules when > determining if a scope value used during an authorization request > is valid according to the scope values assigned during > registration. Possible matching rules include wildcard patterns, > regular expressions, or exactly matching the string. If omitted, > an Authorization Server MAY register a Client with a default > set of scopes. > > Comments? Improvements? > > -- Justin > > > > On 04/14/2013 08:23 PM, Manger, James H wrote: > Presumably at app registration time any scope specification is really a > constraint on the scope values that can be requested in an authorization flow. > > So ideally registration should accept rules for matching scopes, as opposed > to actual scope values. > > You can try to use scope values as their own matching rules. That is fine for > a small set of "static" scopes. It starts to fail when there are a large > number of scopes, or scopes that can include parameters (resource paths? > email addresses?). You can try to patch those failures by allowing services > to define service-specific special "wildcard" scope values that can only be > used during registration (eg "read:*"). > > Alternatively, replace 'scope' in registration with 'scope_regex' that holds > a regular expression that all scope values in an authorization flow must > match. > > -- > James Manger > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
