I'm not sure if you mean "address" as in "handle", or "address" as in "uniquely
label", but... UMA's first step involves a user-delegated introduction of a
resource server to an authorization server as a special kind of client of it,
using an OAuth2 web server flow with dynamic client registration as necessary.
As part of this overall process, the resource server can tell the authorization
server specifically which resource URLs are protected thereby (one way to do
this is to wield its just-acquired access token at a protected resource
registration endpoint at the authz server). Access tokens given to requesters
(the real end-of-the-line clients) for accessing these resources are currently
assumed to be given out on a per-resource-server basis, and each resource is
uniquely associated with a single resource server and uniquely protected by a
single authorization server, so there is no ambiguity. I suppose a resource
server namespace could allow for higher-order aggregation as discussed below
but I would personally prefer baby steps when it comes to the amount of
dynamicism we're already assuming...
If you want to follow along with the UMA work, we have floated a number of spec
drafts for these portions of our Step 1, and should shortly (within a day or
so) have a more fleshed-out resource registration draft ready. We're not just
cataloguing the resource URLs, but also the possible methods for accessing
them; our assumption to date, as noted previously on this list, has been that
the simple set of HTTP methods can get everyone really far -- but mindful of
the need in OAuth-land for arbitrary "space-delimited list of strings" for
scope, the current nascent draft allows for this.
Eve
On 28 Jul 2010, at 11:32 PM, Torsten Lodderstedt wrote:
> Eve,
>
> how does UMA plan to address resource servers during the OAuth end-user
> authorization process?
>
> regards,
> Torsten.
>
> Am 29.07.2010 02:37, schrieb Eve Maler:
>>
>> Belatedly... Sorry if I sound like a broken record on this, but: Most of
>> UMA's use involve letting a user introduce their various hosts (UMA-flavored
>> resource servers) to their single chosen "authorization manager"
>> (UMA-flavored authorization server), by treating the former as a dynamically
>> introduced OAuth client of the latter. This sounds an awful lot like the
>> question originally posed in this thread. We have exactly the problem of
>> figuring out how the host can tell the AM what resources the AM should be
>> protecting and what can be done to them, which we've begun to solve with
>> what we're calling a "resource registration API" (RRAPI).
>>
>> (BTW, we're also working on an I-D to submit here that proposes a solution
>> for discovery/dynamic registration that meets our needs. Hoping it can feed
>> into Eran's discovery work.)
>>
>> Eve
>>
>> On 28 Jul 2010, at 1:23 AM, Torsten Lodderstedt wrote:
>>
>>> thanks for sharing your thoughts.
>>>
>>> Differentiating resource servers by using different end-user authorization
>>> endpoint URLs is an option. I dont't know how this will work in conjunction
>>> with discovery, especially since this differentiation might by required on
>>> other endpoints, too. For example, if a client wants to obtain an access
>>> token for the end-user's credentials, it has to identify the resource
>>> server also on the tokens endpoint. There might be additional endpoint for
>>> other flows with similar requirements, e.g. the device flow.
>>>
>>> Based on your proposal, a derived solution could be to define a standard
>>> parameter "resourceserver" and to state how clients should use this
>>> parameter on the different endpoints. On the coding level, there would be
>>> no difference to your proposal :-) But the client would be able to
>>> construct such a URL on its own.
>>>
>>> Authorizing access for different resource servers is indeed an issue for
>>> me. How would you propose to add the namespace? Shall the scope obtained
>>> from the resource server already contain such a namespace are shall there
>>> be a rule to construct such namespaced-ed scopes in the spec?
>>>
>>> regards,
>>> Torsten.
>>>
>>> Am 25.07.2010 19:11, schrieb Andrew Arnott:
>>>>
>>>> It seems to me that if one auth server can create tokens for a diverse set
>>>> of resource servers, then why not have different user authorization
>>>> endpoint URLs for each type of resource server, as an added differentiator
>>>> for the scope (a namespace, if you will)?
>>>>
>>>> So suppose one auth server serves two different photo services, both using
>>>> overlapping scopes such that a client requesting access of some scope is
>>>> otherwise ambiguous between which resource server the client needs access
>>>> to. The auth server that serves both resource servers could have two end
>>>> user authorization endpoints:
>>>> http://auth.server.org/authorize?resourceserver=1
>>>> http://auth.server.org/authorize?resourceserver=2
>>>>
>>>> And that way the auth server knows exactly what the client needs.
>>>>
>>>> The only scenario this doesn't allow for is for a user to authorize a
>>>> client's access to both resource servers in one redirect. If this were an
>>>> issue, perhaps you can apply a namespace-like prefix to each scope
>>>> substring:
>>>>
>>>> rs1:photo:read rs2:photo:read
>>>>
>>>> Which would serve a similar purpose.
>>>>
>>>> --
>>>> Andrew Arnott
>>>> "I [may] not agree with what you have to say, but I'll defend to the death
>>>> your right to say it." - S. G. Tallentyre
>>>>
>>>>
>>>> On Thu, Jul 22, 2010 at 3:07 PM, Torsten Lodderstedt
>>>> <tors...@lodderstedt.net> wrote:
>>>> no one else in the group having an opinion on this topic?
>>>>
>>>>
>>>>
>>>> Am 15.07.2010 20:14, schrieb Marius Scurtescu:
>>>> On Thu, Jul 15, 2010 at 10:03 AM, Torsten Lodderstedt
>>>> <tors...@lodderstedt.net> wrote:
>>>> As I have written in my reply to Marius's posting. I'm fine with including
>>>> server ids in scopes. But this requires a definition of the scope's syntax
>>>> and semantics in the spec. Otherwise, scope interpretation (and server
>>>> identification) will be deployment specific.
>>>> Sure, it is deployment specific, but why is that an issue?
>>>>
>>>> In your case, the authz server and all the resource servers are
>>>> managed by the same organization, right?
>>>>
>>>> Do clients need to be aware of the actual resource server?
>>>>
>>>> You can probably create a separate spec that defines scope syntax for
>>>> this purpose, if really needed. Does it have to be in core?
>>>>
>>>> Marius
>>>>
>>>> Solving the challenge I described in a deployment specific way is not an
>>>> issue. But the consequence is that authz server, resource servers and
>>>> clients are tight together.
>>>>
>>>> Let me ask you one question: Why are we working together towards a
>>>> standard protocol? I can tell you my expectations: I hope there will be
>>>> broad support not only by libraries, but also by ready-to-use services and
>>>> clients, so we could integrate such services into our deployment easily.
>>>> Moreover, I would like to see OAuth to be included in application/service
>>>> protocols like PortableContacts, SIP, WebDAV, IMAP, ...
>>>>
>>>> So what if I would like to use standard clients to access our services?
>>>> Using scopes for specifying resource server id's in this case is also
>>>> simple - if you take an isolated view. But since scopes may be used to
>>>> specifiy a lot of other things, like resources, permissions, and
>>>> durations, handling w/o a more detailed spec will in practice be
>>>> impossible.
>>>>
>>>> Suppose a WebDAV service for media data access. Any WebDAV client knows
>>>> the WebDAV protocol (== interface), e.g. the supported methods (GET, PUT,
>>>> POST, DELETE, COPY, MOVE) and how to traverse directories. So it is
>>>> sufficient to configure the client with the URL of my personal web
>>>> storage. To start with let's assume, scopes are used to designate resource
>>>> servers only. So the server's scope could be "webstorage".
>>>>
>>>> WWW-Authenticate OAuth realm='webstorage' scope="webstorage"
>>>>
>>>> The client could just pass this parameter to the authz server and
>>>> everything is fine.
>>>>
>>>> On the next level, let's assume the (future) WebDAV standard with
>>>> OAuth-support uses one permission per method type. So the full scope could
>>>> be as follows:
>>>>
>>>> WWW-Authenticate OAuth realm='webstorage' scope="webstorage:GET
>>>> webstorage:PUT webstorage:POST webstorage:DELETE webstorage:COPY
>>>> webstorage:MOVE"
>>>>
>>>> Passing this scope w/o any unmodified to the authz server is not an issue.
>>>> But this implies the client asks for full access to the users media
>>>> storage. Since our client is a gallery application, it requires the "GET"
>>>> permission only. How does the client know which of the scope values to
>>>> pick for the end-user authorization process? It must somehow select
>>>> "webstorage:GET".
>>>>
>>>> But how?
>>>>
>>>> In my personal opinion, clients should be enabled to interpret, combine
>>>> and even create scopes. And yes, this should go to the core of the spec.
>>>>
>>>> regards,
>>>> Torsten.
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>> Eve Maler
>> http://www.xmlgrrl.com/blog
>> http://www.twitter.com/xmlgrrl
>> http://www.linkedin.com/in/evemaler
>>
Eve Maler
http://www.xmlgrrl.com/blog
http://www.twitter.com/xmlgrrl
http://www.linkedin.com/in/evemaler
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
