On Sun, Jul 07, 2019 at 09:32:15AM -0400, Brian Campbell wrote: > On Sat, Jul 6, 2019 at 2:42 PM Benjamin Kaduk <ka...@mit.edu> wrote: > > > > > > Not to my recollection. I'm honestly not even sure what an array would > > mean > > > for "may_act". Do you mean for "act"? > > > > Currently we can say that ad...@example.com "may act" as u...@example.com. > > But IIUC we don't have a way to say that either adm...@example.com or > > adm...@example.com may do so. An array would let us indicate multiple > > authorized parties. I'm reluctant to actually make such a change at this > > point, though, since this is already deployed some places, right? > > > > Okay, sorry, I'm a bit slow but I follow you now. > > Indeed this has been deployed in a number of places already. I'd honestly > don't know if anyone is making use of this particular claim but changing > from an object to array of objects would be a breaking change. And a > breaking change is something I'd really like to avoid unless there's a very > compelling reason to do so. And while your point here is taken, I don't > think it rises to that level of compelling. > > I see two options at this point: > 1) leave it as is > 2) adjust the language around "may_act" such that it could also identify > an eligible group - this would allow for it to indicate multiple authorized > parties but just not by one by one name, which is maybe more desirable > anyway > > What do you think?
Either option is fine with me. I don't remember how much precedent we have in the OAuth ecosystem for groups that are identified in this manner, but if it's a fairly common thing that seems to be slighly preferred. (Even if we go with (1) and this does become an issue at some point, it shouldn't be too hard to add a "may_also_act" or similar with the array semantics.) -Ben _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
