-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Spec is in Google Docs for the time being
- Loading branch information
1 parent
85dd99f
commit d7e80d4
Showing
3 changed files
with
2 additions
and
301 deletions.
There are no files selected for viewing
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,98 +1,2 @@ | ||
| OAuth Scope Info | ||
|
|
||
| Abstract | ||
|
|
||
| We define the Resource Helper as a subsystem of an OAuth | ||
| authorization server. It can be included in an OAuth flow as a | ||
|
|
||
| (hosted) implementations of OAuth authorization servers can make | ||
| this subsystem pluggable. | ||
| We further define the scope info data structure, which can convey | ||
| more detailed information than the unstructured strings in | ||
| an OAuth scopes parameter. The authorization server can retrieve | ||
| this data | ||
| structure from the Resource Helper, and use the information for it | ||
| to | ||
| display a scope label to the user, provide a scope info endpoint | ||
| to clients, | ||
| and include detailed scope information in introspection responses | ||
| to the | ||
| resource server. | ||
|
|
||
| Status of this Memo | ||
|
|
||
| This Internet-Draft is submitted in full conformance with the | ||
| provisions of BCP 78 and BCP 79. | ||
|
|
||
| Internet-Drafts are working documents of the Internet Engineering | ||
| Task Force (IETF). Note that other groups may also distribute | ||
| working documents as Internet-Drafts. The list of current Internet- | ||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | ||
|
|
||
| Internet-Drafts are draft documents valid for a maximum of six months | ||
| and may be updated, replaced, or obsoleted by other documents at any | ||
| time. It is inappropriate to use Internet-Drafts as reference | ||
| material or to cite them other than as "work in progress." | ||
|
|
||
| This Internet-Draft will expire on ${EXPIRES}. | ||
|
|
||
| Copyright Notice | ||
|
|
||
| Copyright (c) ${YEAR} IETF Trust and the persons identified as the | ||
| document authors. All rights reserved. | ||
|
|
||
| This document is subject to BCP 78 and the IETF Trust's Legal | ||
| Provisions Relating to IETF Documents | ||
| (http://trustee.ietf.org/license-info) in effect on the date of | ||
| publication of this document. Please review these documents | ||
| carefully, as they describe your rights and restrictions with respect | ||
| to this document. Code Components extracted from this document must | ||
| include Simplified BSD License text as described in Section 4.e of | ||
| the Trust Legal Provisions and are provided without warranty as | ||
| described in the Simplified BSD License. | ||
|
|
||
| Table of Contents | ||
|
|
||
| 1. Introduction...................................................2 | ||
|
|
||
| 1. Introduction | ||
|
|
||
| The part of an OAuth authorization server that deals with scope | ||
| selection | ||
| is necessarily tied to the specifics of the resource server. In | ||
| some deployment | ||
| scenarios, where one authorization server deals with many diverse | ||
| resource servers, | ||
| it is therefore desirable to make this part of the authorization | ||
| server pluggable. | ||
|
|
||
| To achieve this, we propose a plugin standard, as follows: | ||
|
|
||
| * the Resource Helper provides an authorization endpoint and a | ||
| token info endpoint. | ||
| * in the administration interface where the authorization server | ||
| allows the registration of resource | ||
| servers, the authorization endpoint and token info endpoint of the | ||
| resource helper can also be defined | ||
| * as part of the main authorization dialog, the user is redirected | ||
| to the resource helper for scope selection | ||
| * the user is redirected back to the main authorization dialog with | ||
| a code | ||
| * this code gives access to the token info endpoint in the same way | ||
| it would give access to a token endpoint | ||
|
|
||
| The data returned from this scope info endpoint is a JSON document | ||
| representing an object containing the following fields: | ||
| * type [REQUIRED]: 'description' | ||
| * id [OPTIONAL]: string to be added into the scopes parameter | ||
| * label [REQUIRED]: string to be displayed to the resource owner in | ||
| the rest of the authorization dialog | ||
| * protocols [OPTIONAL]: similar to the protocols entry in an Open | ||
| Cloud Mesh share definition | ||
| * introspect [OPTIONAL]: additional info to pass to the Resource | ||
| server | ||
|
|
||
| The authorization server can also provide a scope info endpoint to | ||
| clients, but then the type field should be set to 'grant'. This | ||
| indicates that the resource helper only describes the scope, whereas | ||
| the authorization server gives out scoped access grants. | ||
| (moved to Google Docs) | ||
| https://docs.google.com/document/d/12vt-TC1ivaweqJVfnhi3ayxYYnEYsfGYx7gNjIwVu6w/edit?usp=sharing |