Tuesday, May 18, 2010

oauth 2.0 scope is the new black

David's openid connect proposal uses oauth2.0 to get an access token to access the user's info API.
Openid connect does not define a new flow for oauth but uses a scope with value "openid" to signify that this kind of access token is requested.

What I am missing here is that there is no way for the client to specify which of the user's information it wants to access. The users might choose to release only a subset of their information at oauth-approval-time but they have no way to know what the client is requesting. I fear that the authorization server suggests to give away all user data and that the user will grant that access.

A quote from the openid connect proposal: "The (user info) server is free to add additional data to this response (such as Portable Contacts) so long as they do not change the reserved OpenID Connect keys."

This is the Facebook notion of privacy to give everything away by default.
I don't like that.

Even if the client does not want the data it now has access to it.

I am intentionally not suggesting a different proposal or new values for scope. But what I am thinking about here is probably obvious given the background I am coming from.


David Recordon said...

I would actually love a concrete proposal for how to best make use of scopes in relation to profile information.

Axel Nennker said...

I think the easiest thing is to add the requested attributes to the scope like: "first_name last_name openid email". I am not sure whether this is an abuse of the scope parameter. Maybe, but we have to work with what we have in oauth. Another thing that I think that is desirable is the notion of required and optional attributes. But things are already complicated enough.