[WG-UMA] Fwd: Scope thoughts


Eve Maler

Sep 2, 2010, 12:33:41 PM
to wg-uma@kantarainitiative.org UMA


Begin forwarded message:

From: Eve Maler <e...@xmlgrrl.com>
Date: 31 August 2010 10:58:59 AM PDT
To: Domenico Catalano <domenico...@oracle.com>
Cc: Christian Scholz <c...@comlounge.net>, Mario Hoffmann <mario.h...@sit.fraunhofer.de>, Maciej Machulak <maciej....@gmail.com>
Subject: Scope thoughts

Hi Domenico-- Here are some thoughts about scope that hopefully will get you thinking about the UX impact.  I've included a couple of other folks who I thought would have an interest in this.  (In fact, if you guys think this is good fodder, let me know and I can send it to the WG.)  My basic assumptions:

  • A host, possibly with the user's explicit input while visiting the host, creates and maintains a list of possible scopes and conveys them to the AM "as often as necessary" (not worrying about that detail for now).
  • An AM, possibly with the user's explicit input while visiting the AM, creates and maintains a list of possible policies and maps them to the various host-specific scopes.
  • When a requester attempts to access a resource, the host tells it not only which AM to visit to get an access token, but also the relevant scope it should ask for at the AM (this scope info may need to be protected "somehow"; not worrying about it for now).  Thus, the AM doesn't have to worry about "scope precedence" and can readily map the request to the right policy; the logic for precedence/priority and whether to expose users to this logic is up to a host to decide.
  • Scopes have a machine-readable name (simple string that can be used in OAuth scope parameters) and a display name (something a user might see/set in the UX).

So here are some use cases that illustrate interesting scopes:

Host is Twitter or similar status update service:

It doesn't give the user any options to set scopes; it has built-in scopes that are bound to the nature of the API it exposes.  It tells the AM that it has the following scopes available:

read       Ability to read status updates
readwrite  Ability to read and write status updates

Host is FireEagle or similar location service:

The host has an API, so this case is much like the Twitter one, but since the scenario writeup for this includes a screenshot of FireEagle's actual "What can it [the requesting service] do?" display, I thought I should think through what this might look like.

readdetailed   Ability to see your precise location
readcity       Ability to see your location at the city level
readcontinent  Ability to see your location at the continent level [I'm having a bit of fun here :-) ]
write          Ability to set your location

Host is Flickr or similar photo service:

The host gives the user lots of opportunities to create sets (albums) and even higher-order groupings, to tag photos, and the like, and it also has Flickr-predefined tags that let users apply administrative functions related to access control. The groupings and tags are exposed as scopes for read access, and there are also "internal" Flickr-defined scopes for other functions inherent to the service.

Let's say a particular user creates an album for "Hawaii Vacation 2010" and tags all of the photos in that album, plus some other photos not in that album, with "Waikiki"; the user also tags a bunch of photos with "dog" because their new puppy is in the photo, and yet another bunch of photos with the Flickr-predefined keyword "Flickr-family".

The host's predefined keywords include "Flickr-private", "Flickr-family", and "Flickr-friends", where the latter two are useful for ACL-type functionality (when bound to policies at the AM) rather than being attached to photos in photostreams the way tags usually are.  (This kind of tagging reminds me a bit of the #in and #fb hashtags, which LinkedIn and Facebook let users use to indicate particular tweets that should be rebroadcast.)

If the user marks any individual photo for precise access control, the host creates a unique scope for it. (Can we assume that if the user is visiting the AM and wants to do some photo management for access control purposes, the AM will redirect her to the host?)

The host tells the AM that it has the following scopes available:

Hawaii%20Vacation%202010  Photos in the "Hawaii Vacation 2010" album
Waikiki                   Set of photos tagged with "Waikiki"
dog                       Set of photos tagged with "dog"
Flickr-private            Set of all of your Flickr photos meant to be private
Flickr-family             Set of all of your Flickr photos meant for family to see
Flickr-friends            Set of all of your Flickr photos meant for friends to see
admin-add                 Ability to add photos
admin-edit                Ability to edit photos [Assumes this hypothetical Flickr can let people change the internals of photos]
admin-print               Ability to print photos
http://flickr.com/photos/xmlgrrl/12345678  Photo #12345678 (title of photo goes here)

Even if this user hasn't happened to tag any of their photos with some of the predefined keywords yet, they can do so later at the host and have those photos be automatically protected by whatever policy was attached to that scope.

It could be entirely internal to the host's functionality to help a user set up a "printing batch" for one-time access by a third-party printing service, interpreting those as being in the admin-print scope at a certain point when the user authorizes a printing service through her AM to get to those photos.

Please let me know what you think!

Eve
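
An added illustration of the assumptions in the message above (not part of the original e-mail and not UMA specification code): a host conveys percent-encoded scope names with display names to an AM, which binds policies to them and resolves a request by exact scope lookup, denying by default. The `AuthorizationManager` class, its methods, `scope_name`, the policy model (a set of allowed requesters) and the `*.example` hosts are all hypothetical.

```python
from urllib.parse import quote


def scope_name(label: str) -> str:
    """Machine-readable scope name: percent-encode the label so it contains no
    spaces and can sit in a space-delimited OAuth scope parameter."""
    return quote(label, safe=":/")  # ':' and '/' kept so per-photo URLs survive


class AuthorizationManager:
    """Toy AM (hypothetical model): per-host scope registry plus policy map."""

    def __init__(self):
        self.scopes = {}    # (host, scope name) -> display name
        self.policies = {}  # (host, scope name) -> set of allowed requesters

    def register_scopes(self, host, scopes):
        # The host conveys its scope list; re-sending it later adds new scopes.
        for name, display in scopes.items():
            self.scopes[(host, name)] = display

    def bind_policy(self, host, name, allowed_requesters):
        # A policy can only be attached to a scope the host has registered.
        if (host, name) not in self.scopes:
            raise KeyError(f"{host} never registered scope {name!r}")
        self.policies[(host, name)] = set(allowed_requesters)

    def authorize(self, host, requested_scope, requester):
        # The host already told the requester which single scope to ask for,
        # so the AM does an exact lookup: no precedence logic, deny by default.
        allowed = self.policies.get((host, requested_scope))
        return allowed is not None and requester in allowed


def build_demo():
    """Constructed sample data modelled on the photo-service use case."""
    am = AuthorizationManager()
    am.register_scopes("photos.example", {
        scope_name("Hawaii Vacation 2010"): 'Photos in the "Hawaii Vacation 2010" album',
        scope_name("Flickr-family"): "Photos meant for family to see",
        scope_name("admin-print"): "Ability to print photos",
    })
    am.bind_policy("photos.example", "Flickr-family", {"mom.example"})
    am.bind_policy("photos.example", "admin-print", {"printshop.example"})
    return am


if __name__ == "__main__":
    am = build_demo()
    print(am.authorize("photos.example", "admin-print", "printshop.example"))
    print(am.authorize("photos.example", "Flickr-family", "printshop.example"))
```

A scope that is registered but has no policy bound (here the Hawaii album) is refused for every requester, which is the behaviour a user would expect before they have visited the AM to set a policy.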


