On 01.05.2010 03:07, Marius Scurtescu wrote:
On Fri, Apr 30, 2010 at 11:43 AM, Torsten Lodderstedt
<tors...@lodderstedt.net>  wrote:
In my opinion, automatic discovery on scope values is as valuable or not
valuable as automatic discovery for a service API. I would like to echo one
of my postings:

A scope defines the set of permissions a client asks for and that becomes
associated with tokens. I don't see the need (and a way) for automatic scope
discovery. In my opinion, scopes are part of the API documentation of a
particular resource server. So if someone implements a client, it needs to
consider the different scopes this client needs the end user's authorization
for. If the resource server implements an OAuth2-based standard API (e.g. for
contact management or e-Mail), a client might be interoperable (in terms of
scopes) among the resource servers implementing this standard.
Not sure I understand, are you saying that for a standard API, like
IMAP for example, there should be a standard scope (or set of scopes)?

Yes, that's what I said.

Scopes (~permissions) should be defined along with the corresponding API. So developers should know upfront which scope is required to perform a particular action. For example, "uploading documents requires scope 'upload'". The same holds for IMAP. Depending on the IMAP feature set you want to use there could be plenty of scopes, ranging from "read user's INBOX" to sharing scenarios, where users have access to other users' IMAP folders.

regards,
Torsten.

If not, then discovery of scopes is almost a must in this case. The
client implementor cannot know the actual scope because implementation
is done against a generic API.

I did not see the value of scope discovery until I realized the above use case.

Marius




_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
