Re: [OAUTH-WG] 'Scope' parameter proposal

2010-05-01 Thread Luke Shepard
I'm intrigued by the idea of returning scopes in the 403 response to a resource. I'll see if we can provide a working example of it. On Apr 23, 2010, at 5:05 PM, Brian Eaton wrote: > On Thu, Apr 22, 2010 at 6:11 PM, Manger, James H > wrote: >> We mustn't drop advertisements (details in 401 resp

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-27 Thread Keenan, Bill
trol model. BillK From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of John Panzer Sent: Tuesday, April 27, 2010 12:20 PM To: Torsten Lodderstedt Cc: OAuth WG Subject: Re: [OAUTH-WG] 'Scope' parameter proposal The old AOL Blogs API, which used AOL's OpenAut

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-27 Thread John Panzer
The old AOL Blogs API, which used AOL's OpenAuth service, provided a url= parameter on WWW-Authenticate: challenges: dev.estage.aol.com/aolblogs_api#mozTocId815750

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-27 Thread Torsten Lodderstedt
On 24.04.2010 02:05, Brian Eaton wrote: On Thu, Apr 22, 2010 at 6:11 PM, Manger, James H wrote: We mustn't drop advertisements (details in 401 responses). We mustn't drop the goal of a standard for interoperability. I share the goals, I just don't think that a specification is the

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-23 Thread Brian Eaton
On Thu, Apr 22, 2010 at 6:11 PM, Manger, James H wrote: > We mustn't drop advertisements (details in 401 responses). > We mustn't drop the goal of a standard for interoperability. I share the goals, I just don't think that a specification is the way to get there. I think working examples in the

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-23 Thread Eran Hammer-Lahav
This looks about right. EHL > -Original Message- > From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net] > Sent: Friday, April 23, 2010 3:31 PM > To: Manger, James H > Cc: Brian Eaton; Eran Hammer-Lahav; OAuth WG > Subject: Re: [OAUTH-WG] 'Scope' pa

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-23 Thread Torsten Lodderstedt
I suspect the key concept is realising that there can be many authz URIs — and that that is ok. OAuth libraries should support this concept — perhaps by not expecting a single authz URI to be provided in a config file. I fully agree with your statement. Authorization servers may use dif

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-22 Thread Manger, James H
ameter in authz URIs is be quite separate. -- James Manger -Original Message- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Eaton Sent: Friday, 23 April 2010 6:50 AM To: Eran Hammer-Lahav Cc: OAuth WG Subject: Re: [OAUTH-WG] 'Scope' para

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-22 Thread Eve Maler
I'm getting whiplash. :) Some of us are working on UMA implementations based on the ever-changing OAuth substrate, and just discussed being glad we could reuse OAuth's advertisement of these two endpoints rather than inventing our own mechanism. If it goes, I guess we'll have to go back to defi

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-22 Thread Eran Hammer-Lahav
My proposal is just that, a proposal. And it is an attempt to get closer to how most companies plan to use it. We have no consensus on defining a parameter name without defining a value. Got new ideas? EHL On Apr 22, 2010, at 13:50, "Brian Eaton" wrote: > On Thu, Apr 22, 2010 at 12:41 PM, Er

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-22 Thread Brian Eaton
On Thu, Apr 22, 2010 at 12:41 PM, Eran Hammer-Lahav wrote: > Drop the 'scope' parameter as well and we're on the same page. So we have a choice between a) not documenting something that a bunch of providers have already implemented and found useful or b) documenting something that no one has

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-22 Thread Chasen Le Hara
On Thu, Apr 22, 2010 at 12:07 PM, Eran Hammer-Lahav wrote: > This suggests we need to rethink our goal of interop and replace it with > library re-use. > > To me interop means that a client can interact with an unknown server by > simply speaking the protocol (the way an email can be delivered to

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-22 Thread Eran Hammer-Lahav
Drop the 'scope' parameter as well and we're on the same page. EHL > -Original Message- > From: Brian Eaton [mailto:bea...@google.com] > Sent: Thursday, April 22, 2010 12:36 PM > To: Eran Hammer-Lahav > Cc: John Kemp; OAuth WG > Subject: Re: [OAUTH-WG] &

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-22 Thread Brian Eaton
On Thu, Apr 22, 2010 at 12:07 PM, Eran Hammer-Lahav wrote: > If we are not going to enable a client to access a protected resource hosted > by an unfamiliar > server, we need to stop pretending this (alone) is about interop. In other > words, if we take > this approach we are mandating paperwork

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-22 Thread John Kemp
On Apr 22, 2010, at 2:21 PM, Brian Eaton wrote: > On Thu, Apr 22, 2010 at 11:01 AM, Eran Hammer-Lahav > wrote: >> Rules around realms show this is very tricky but unless we update 2617 >> (which we >> are not chartered to do) we are still stuck with realm as a required >> parameter. >> One way

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-22 Thread Eran Hammer-Lahav
oblems keeping 2.0 at the same level. I just think it is premature to give up. EHL > -Original Message- > From: John Kemp [mailto:j...@jkemp.net] > Sent: Thursday, April 22, 2010 11:39 AM > To: Brian Eaton > Cc: Eran Hammer-Lahav; OAuth WG > Subject: Re: [OAUTH-WG] 'Scop

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-22 Thread Eran Hammer-Lahav
> -Original Message- > From: Brian Eaton [mailto:bea...@google.com] > Sent: Thursday, April 22, 2010 11:48 AM > On Thu, Apr 22, 2010 at 11:39 AM, John Kemp wrote: > > I agree that 'scope' is something that many SPs want. If they don't > > want it roughly the same way though (something

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-22 Thread Brian Eaton
On Thu, Apr 22, 2010 at 11:39 AM, John Kemp wrote: > I agree that 'scope' is something that many SPs want. If they don't want it > roughly the > same way though (something more than a "bucket of opaque strings with a > standard > name") I don't know if I understand the point to standardizing it.

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-22 Thread John Kemp
Hi Brian, On Apr 22, 2010, at 1:36 PM, Brian Eaton wrote: > On Mon, Apr 19, 2010 at 3:17 PM, Eran Hammer-Lahav > wrote: >>> The scope doesn't have to match the base URI of the resource which the >>> client tried and got the 401 from? >> >> That's a security issue we need to address (when to tr

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-22 Thread Brian Eaton
On Thu, Apr 22, 2010 at 11:30 AM, Eran Hammer-Lahav wrote: > What makes this so much different from Basic? Instead of using a flow the > browser > simply asks the user for a set of credentials. Once it has a set, it reuses > it based on realm. Those rules aren't practical or correct for most AP

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-22 Thread Eran Hammer-Lahav
, 2010 11:22 AM > To: Eran Hammer-Lahav > Cc: OAuth WG > Subject: Re: [OAUTH-WG] 'Scope' parameter proposal > > On Thu, Apr 22, 2010 at 11:01 AM, Eran Hammer-Lahav > wrote: > > Rules around realms show this is very tricky but unless we update 2617 > > (whi

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-22 Thread Brian Eaton
On Thu, Apr 22, 2010 at 11:01 AM, Eran Hammer-Lahav wrote: > Rules around realms show this is very tricky but unless we update 2617 (which > we > are not chartered to do) we are still stuck with realm as a required > parameter. > One way to avoid this debate is to simply say that clients should

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-22 Thread Eran Hammer-Lahav
> -Original Message- > From: Brian Eaton [mailto:bea...@google.com] > Sent: Thursday, April 22, 2010 10:36 AM > To: Eran Hammer-Lahav > Cc: John Kemp; OAuth WG > Subject: Re: [OAUTH-WG] 'Scope' parameter proposal > > On Mon, Apr 19, 2010 at 3:17 PM, Er

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-22 Thread Brian Eaton
On Mon, Apr 19, 2010 at 3:17 PM, Eran Hammer-Lahav wrote: >> The scope doesn't have to match the base URI of the resource which the >> client tried and got the 401 from? > > That's a security issue we need to address (when to trust the resource server > and reuse an existing token). We need to fi

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-21 Thread Chasen Le Hara
Wednesday, April 21, 2010 1:23 PM > *To:* Eve Maler > *Cc:* jsm...@stanfordalumni.org; OAuth WG > > *Subject:* Re: [OAUTH-WG] 'Scope' parameter proposal > > > > Hi all, > > > > On Tue, Apr 20, 2010 at 6:05 PM, Eve Maler wrote: > > It seems like this proposal "g

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-21 Thread Eran Hammer-Lahav
How about review the proposals? EHL From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Chasen Le Hara Sent: Wednesday, April 21, 2010 1:23 PM To: Eve Maler Cc: jsm...@stanfordalumni.org; OAuth WG Subject: Re: [OAUTH-WG] 'Scope' parameter proposal Hi all, On T

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-21 Thread Chasen Le Hara
Hi all, On Tue, Apr 20, 2010 at 6:05 PM, Eve Maler wrote: > It seems like this proposal "goes there" in terms of getting as expressive > as Eran fears, though the addition of the wildcard takes away a good deal of > the pain depending on the particular interface at the endpoint(s). Is there > an

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-20 Thread Manger, James H
nternal structure of the "stuff" without a good reason. -- James Manger > -Original Message- > From: Manger, James H [mailto:james.h.man...@team.telstra.com] > Sent: Monday, April 19, 2010 9:06 PM > To: Eran Hammer-Lahav > Cc: OAuth WG > Subject: RE: [OAUT

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-20 Thread Eve Maler
iple parties want to support > any of these, now they have an agreed-upon way to do so". And with scope, I > hope by now it's well established that scopes are going to be common and the > status quo badly under-specifies how to query for them and use them. > > Thanks,

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-20 Thread Joseph Smarr
inal Message- > > From: Dick Hardt [mailto:dick.ha...@gmail.com] > > Sent: Monday, April 19, 2010 8:07 PM > > To: Eran Hammer-Lahav > > Cc: OAuth WG > > Subject: Re: [OAUTH-WG] 'Scope' parameter proposal > > > > > > On 2010-04-19, at 9:25

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-20 Thread Eran Hammer-Lahav
> -Original Message- > From: Dick Hardt [mailto:dick.ha...@gmail.com] > Sent: Monday, April 19, 2010 8:07 PM > To: Eran Hammer-Lahav > Cc: OAuth WG > Subject: Re: [OAUTH-WG] 'Scope' parameter proposal > > > On 2010-04-19, at 9:25 AM, Eran Hamme

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-20 Thread Eran Hammer-Lahav
age- > From: Manger, James H [mailto:james.h.man...@team.telstra.com] > Sent: Monday, April 19, 2010 9:06 PM > To: Eran Hammer-Lahav > Cc: OAuth WG > Subject: RE: [OAUTH-WG] 'Scope' parameter proposal > > >HTTP/1.1 401 Unauthorized > >WWW-Authenticat

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-20 Thread Eran Hammer-Lahav
de generic documentation for the entire endpoint capabilities. EHL > -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of Eran Hammer-Lahav > Sent: Monday, April 19, 2010 9:25 AM > To: OAuth WG > Subject: [OAUTH-WG] '

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-19 Thread Torsten Lodderstedt
Please add the scope parameter to the flows and the refresh token request as well. This way, clients can obtain refresh tokens with broad scope and narrow it down for particular requests (least privilege principle). Regards, Torsten. On 19.04.2010 18:25, Eran Hammer-Lahav wrote: Proposal: '

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-19 Thread Torsten Lodderstedt
On 20.04.2010 05:06, Dick Hardt wrote: On 2010-04-19, at 9:25 AM, Eran Hammer-Lahav wrote: 2. Server requires authentication HTTP/1.1 401 Unauthorized WWW-Authenticate: Token realm='Example', scope='x2' Can more than one scope be returned? Is it a comma delimited list? I

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-19 Thread Eran Hammer-Lahav
> -Original Message- > From: Marius Scurtescu [mailto:mscurte...@google.com] > Sent: Monday, April 19, 2010 4:37 PM > To: Eran Hammer-Lahav > Cc: OAuth WG > Subject: Re: [OAUTH-WG] 'Scope' parameter proposal > > On Mon, Apr 19, 2010 at 2

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-19 Thread Manger, James H
>HTTP/1.1 401 Unauthorized >WWW-Authenticate: Token realm='Example', scope='x2' I assume the WWW-Authenticate response header also has an "authz-uri" parameter. WWW-Authenticate: Token realm='Example', scope='x2', authz-uri="https://as.example.com/"; The first time a client app get

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-19 Thread Dick Hardt
On 2010-04-19, at 9:25 AM, Eran Hammer-Lahav wrote: > 2. Server requires authentication > >HTTP/1.1 401 Unauthorized >WWW-Authenticate: Token realm='Example', scope='x2' Can more than one scope be returned? Is it a comma delimited list? I wonder how much value this will provide. (I like

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-19 Thread Marius Scurtescu
On Mon, Apr 19, 2010 at 2:20 PM, Eran Hammer-Lahav wrote: > >> -Original Message- >> From: Marius Scurtescu [mailto:mscurte...@google.com] >> Sent: Monday, April 19, 2010 1:50 PM > >> I did a proof of concept implementation, with client, server and protected >> resource support libraries,

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-19 Thread John Kemp
On Apr 19, 2010, at 6:17 PM, Eran Hammer-Lahav wrote: [...] >>> >> >> I think that there is much that is unspecified in this model and thus it >> doesn't >> provide much interoperability. If we don't tell the client what to do with >> the >> scope, and we don't specify what a server means by

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-19 Thread Eran Hammer-Lahav
> -Original Message- > From: John Kemp [mailto:j...@jkemp.net] > Sent: Monday, April 19, 2010 2:59 PM > To: Eran Hammer-Lahav > Cc: OAuth WG > Subject: Re: [OAUTH-WG] 'Scope' parameter proposal > > On Apr 19, 2010, at 12:25 PM, Eran Hammer-Lahav wrot

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-19 Thread John Kemp
On Apr 19, 2010, at 12:25 PM, Eran Hammer-Lahav wrote: > Proposal: > > 'scope' is defined as a comma-separated list of resource URIs or resource > groups (e.g. contacts, photos). So, 'scope' at the authenticating (via OAuth) server is simply a list of one or more URIs? There are no defined, int

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-19 Thread David Recordon
+1 Eran's proposal as well On Mon, Apr 19, 2010 at 1:34 PM, Torsten Lodderstedt wrote: > +1 > > On 19.04.2010 18:25, Eran Hammer-Lahav wrote: >> >> Proposal: >> >> 'scope' is defined as a comma-separated list of resource URIs or resource >> groups (e.g. contacts, photos). The server can provide

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-19 Thread Eran Hammer-Lahav
> -Original Message- > From: Marius Scurtescu [mailto:mscurte...@google.com] > Sent: Monday, April 19, 2010 1:50 PM > How does defining the scope structure help interop? Clients can use scopes the same way across providers and don't need to read paperwork to figure out how to use the pa

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-19 Thread Marius Scurtescu
On Mon, Apr 19, 2010 at 11:14 AM, Eran Hammer-Lahav wrote: > >> -Original Message- >> From: Marius Scurtescu [mailto:mscurte...@google.com] >> Sent: Monday, April 19, 2010 11:04 AM >> To: Eran Hammer-Lahav >> Cc: OAuth WG >> Subject: Re: [OAUTH-WG]

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-19 Thread Torsten Lodderstedt
+1 On 19.04.2010 18:25, Eran Hammer-Lahav wrote: Proposal: 'scope' is defined as a comma-separated list of resource URIs or resource groups (e.g. contacts, photos). The server can provide a list of values for the client to use in its documentation, or the client can use the URIs or scope iden

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-19 Thread Eran Hammer-Lahav
> -Original Message- > From: Marius Scurtescu [mailto:mscurte...@google.com] > Sent: Monday, April 19, 2010 11:04 AM > To: Eran Hammer-Lahav > Cc: OAuth WG > Subject: Re: [OAUTH-WG] 'Scope' parameter proposal > > On Mon, Apr 19, 2010 at 9:25 AM, Eran H

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-19 Thread Marius Scurtescu
On Mon, Apr 19, 2010 at 9:25 AM, Eran Hammer-Lahav wrote: > Proposal: > > 'scope' is defined as a comma-separated list of resource URIs or resource > groups (e.g. contacts, photos). How will commas in URIs be escaped? We just forbid them? If the scope elements are URIs then a space separated lis

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-19 Thread Luke Shepard
Monday, April 19, 2010 9:25 AM To: OAuth WG Subject: [OAUTH-WG] 'Scope' parameter proposal Proposal: 'scope' is defined as a comma-separated list of resource URIs or resource groups (e.g. contacts, photos). The server can provide a list of values for the client to use in its do

[OAUTH-WG] 'Scope' parameter proposal

2010-04-19 Thread Eran Hammer-Lahav
Proposal: 'scope' is defined as a comma-separated list of resource URIs or resource groups (e.g. contacts, photos). The server can provide a list of values for the client to use in its documentation, or the client can use the URIs or scope identifier of the protected resources it is trying to acce