On issue 2, Russ has already entered his ballot on the base spec so I'll
pick this one up.
spt
On 4/10/12 8:25 PM, Mike Jones wrote:
Hi Alexey,
About your issue 1: The OAuth Core spec, where "scope" is primarily defined, includes
the sentence "The [scope] strings are defined by the authorization server" (see
http://tools.ietf.org/html/draft-ietf-oauth-v2-25#section-3.3). I could add that clarification to
the Bearer spec as well to make it clear that the scope values are context-dependent, if that would
address your concern.
About your issue 2: Investigating the OAuth Errors Registry a bit further (see
http://tools.ietf.org/html/draft-ietf-oauth-v2-25#section-11.4.1) while I'd like to be able to
register the OAuth Bearer errors in this registry, what I believe to be a defect in the errors
registry text currently prevents this. Specifically, the registry enumerates only three
"Error usage location" values: authorization code grant error response, implicit grant
error response, and token error response. To be able to use this registry, it would also have to
have a fourth usage location: "resource access error response". If you'd like to file
an issue against the OAuth Core spec to get this additional usage location added to the registry,
then I'd be glad to use it. I believe that this would be significantly preferable to adding a
separate OAuth Bearer errors registry that's exactly like the general-purpose one, only separate
from it.
Best wishes,
-- Mike
-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of
Alexey Melnikov
Sent: Tuesday, April 10, 2012 7:03 AM
To: draft-ietf-oauth-v2-bearer....@tools.ietf.org
Cc: General Area Review Team; oa...@ietf.org; The IESG
Subject: [OAUTH-WG] Gen-ART Telechat review of draft-ietf-oauth-v2-bearer-18.txt
I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART, please
see the FAQ at<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
Please resolve these comments along with any other Last Call comments you may
receive.
Document: draft-ietf-oauth-v2-bearer-18.txt
Reviewer: Alexey Melnikov
Review Date: 10 April 2012
IETF LC End Date: 7 Feb 2012
IESG Telechat date: 12 April 2012
Summary: Nearly ready to be published as Proposed Standard, with a couple of
things that should be addressed or at least discussed.
Thank you for addressing most of my other issues. However there are a couple
remaining which I think are important.
Major Issues:
1).
The "scope" attribute is a space-delimited list of scope values
indicating the required scope of the access token for accessing the
requested resource. In some cases, the "scope" value will be used
when requesting a new access token with sufficient scope of access to
utilize the protected resource. The "scope" attribute MUST NOT
appear more than once. The "scope" value is intended for
programmatic use and is not meant to be displayed to end users.
I don't think this provide enough information about what this is, how it is to
be used and which values are allowed. As this is not meant to be displayed to
end users, then you need to say what values are allowed and which entity can
allocate them. Is there a registry for these tokens, e.g. an IANA registry?
The editor provided explanation in email, however this was not reflected in any
version of the draft.
2). Section "3.1. Error Codes"
I've suggested to use an IANA registry for this field. Apparently there is already a
registry created
by<http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-11.4>.
However this document doesn't register values defined in section 3.1 with IANA
and doesn't point to draft-ietf-oauth-v2-23 for the registry.
I find this to be very confusing.
Minor issues: none
Nits: none
_______________________________________________
OAuth mailing list
oa...@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
Gen-art mailing list
Gen-art@ietf.org
https://www.ietf.org/mailman/listinfo/gen-art
