Re: [OAUTH-WG] AD review of draft-ietf-oauth-revocation-06

2013-04-15 Thread Stephen Farrell
Hi Torsten, That's great thanks. We're still after a mail from Marius ack'ing no IPR. Be nice to get that. I'll ask for IETF LC in a day or so in case the WG have anything to say, but a couple of follow-ups below that you can take as LC comments from me. On 04/15/2013 09:09 PM, Torsten Lodders

Re: [OAUTH-WG] AD review of draft-ietf-oauth-revocation-06

2013-04-15 Thread Torsten Lodderstedt
Hi Stephen, I just posted a new revision of the draft (http://tools.ietf.org/html/draft-ietf-oauth-revocation-07). I tried to address all the issues you raised (see below). On 09.04.2013 19:27, Stephen Farrell wrote: Hi, I've done my AD review of this draft. I have two quick questions I'd

[OAUTH-WG] I-D Action: draft-ietf-oauth-revocation-07.txt

2013-04-15 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol Working Group of the IETF. Title : Token Revocation Author(s) : Torsten Lodderstedt Stefanie Dron

Re: [OAUTH-WG] Registration: Scope Values

2013-04-15 Thread Justin Richer
I think that because the "declaration" issue affects all parameters in the list, not just scope, we should adopt this in a higher level paragraph and leave it out of the individual parameter descriptions. Thus, something like this inserted as the second paragraph in section 2: The client me

Re: [OAUTH-WG] Registration: Scope Values

2013-04-15 Thread John Bradley
I think the below is a bit clearer than the existing language. I can live with either. John B. On 2013-04-15, at 2:29 PM, Mike Jones wrote: > We could fix the one-sided language by changing > “Space separated list of scope values (as described in OAuth 2.0 Section 3.3 > [RFC6749]) that the

Re: [OAUTH-WG] Registration: Scope Values

2013-04-15 Thread Mike Jones
We could fix the one-sided language by changing “Space separated list of scope values (as described in OAuth 2.0 Section 3.3 [RFC6749]) that the client is declaring that it may use when requesting access tokens.” to “Space separated list of scope va

Re: [OAUTH-WG] Registration: Scope Values

2013-04-15 Thread prateek mishra
+1 I think that the existing wording is superior to the proposed changed wording. The existing wording is: scope OPTIONAL. Space separated list of scope values (as described in OAuth 2.0 Section 3.3 [RFC6749]) that the clien

Re: [OAUTH-WG] Registration: Scope Values

2013-04-15 Thread Justin Richer
I absolutely do not want to delete this feature, as (having implemented it) I think it's very useful. This is a very established pattern in manual registration: I know of many, many OAuth2 servers and clients that are set up where the client must pre-register a set of scopes. I don't like the

Re: [OAUTH-WG] Registration: Scope Values

2013-04-15 Thread Tim Bray
On Mon, Apr 15, 2013 at 9:44 AM, Mike Jones wrote: > So I’d propose that we leave the existing scope wording in place. > Alternatively, I’d also be fine with deleting this feature entirely, as I > don’t think it’s useful in the general case. > I think we might well have a use for this, so that’s

Re: [OAUTH-WG] Registration: Scope Values

2013-04-15 Thread Mike Jones
I think that the existing wording is superior to the proposed changed wording. The existing wording is: scope OPTIONAL. Space separated list of scope values (as described in OAuth 2.0 Section 3.3 [RFC6749]) that the client is decl

Re: [OAUTH-WG] Registration: Scope Values

2013-04-15 Thread Justin Richer
On 04/15/2013 10:52 AM, Tim Bray wrote: I’d use the existing wording; it’s perfectly clear. Failing that, if there’s strong demand for registration of structured scopes, bless the use of regexes, either PCREs or some careful subset. Thanks for the feedback -- Of these two choices, I'd rather

Re: [OAUTH-WG] Registration: Scope Values

2013-04-15 Thread Justin Richer
What would you suggest for wording here, then? Keeping in mind that we cannot (and don't want to) prohibit expression-based scopes. -- Justin On 04/15/2013 10:33 AM, Tim Bray wrote: No, I mean it’s not interoperable at the software-developer level. I can’t register scopes at authorization ti

Re: [OAUTH-WG] Registration: Scope Values

2013-04-15 Thread Tim Bray
No, I mean it’s not interoperable at the software-developer level. I can’t register scopes at authorization time with any predictable effect that I can write code to support, either client or server side, without out-of-line non-interoperable knowledge about the behavior of the server. I guess I’

Re: [OAUTH-WG] Registration: Scope Values

2013-04-15 Thread Justin Richer
Scopes aren't meant to be interoperable between services since they're necessarily API-specific. The only interoperable bit is that there's *some* place to put the values and that it's expressed as a bag of space-separated strings. How those strings get interpreted and enforced (which is really

Re: [OAUTH-WG] Registration: Scope Values

2013-04-15 Thread Tim Bray
This, as written, has zero interoperability. I think this feature can really only be made useful in the case where scopes are fixed strings. -T On Apr 15, 2013 6:54 AM, "Justin Richer" wrote: > You are correct that the idea behind the "scope" parameter at > registration is a constraint on auth

Re: [OAUTH-WG] Registration: Scope Values

2013-04-15 Thread Justin Richer
You are correct that the idea behind the "scope" parameter at registration is a constraint on authorization-time scopes that are made available. It's both a means for the client to request a set of valid scopes and for the server to provision (and echo back to the client) a set of valid scopes.