It would be nice to be able to associate a "scope" with an SSO OAuth token

Bug #987730 reported by James Henstridge
This bug affects 1 person
Affects: Canonical SSO provider
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

This bug probably counts as a wishlist for the next iteration of the SSO API rather than something that can be backported.

It would be nice if the SSO API allowed you to associate a scope with an OAuth token. The scope value could then be used by an application to decide whether it should accept a token. This way applications could create tokens without fear that if the token is compromised it could be used to attack unrelated services that talk to SSO.

Ubuntu One already does something like this when importing SSO tokens by calling authentications.list_tokens() and then discarding all tokens whose description does not start with "Ubuntu One @ ". If it could request all tokens matching a given scope, then it wouldn't have to depend on what is effectively a free text field. It might also be useful to let it ask for tokens matching a given prefix or pattern so it could handle tokens that grant access to only portions of the U1 API.

As far as the structure of the scope values, it would probably be worth staying compatible with OAuth 2:

http://tools.ietf.org/html/draft-ietf-oauth-v2-25#section-3.3
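
The difference between the two filters described in the report, as an added example that is not part of the original report or of the SSO code: the description-prefix check accepts any token whose free-text description happens to start with "Ubuntu One @ ", while a scope check only accepts tokens whose scope, parsed with the grammar in the linked section, names the service. The token records, the "scope" field and the scope names ("u1", "u1:files", ...) are assumptions made for illustration.

```python
import re

# scope = scope-token *( SP scope-token ), as in the linked OAuth 2 section 3.3
# scope-token = 1*( %x21 / %x23-5B / %x5D-7E ); matching is case-sensitive
_SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")

def parse_scope(value):
    """Split a space-delimited scope string into an unordered set of scope-tokens."""
    parts = value.split(" ") if value else []
    for part in parts:
        if not _SCOPE_TOKEN.fullmatch(part):
            raise ValueError("invalid scope-token: %r" % part)
    return frozenset(parts)

def by_description(tokens, prefix="Ubuntu One @ "):
    """Current approach from the report: prefix match on a free-text field."""
    return [t for t in tokens if t["description"].startswith(prefix)]

def by_scope(tokens, scope=None, prefix=None):
    """Proposed approach: keep tokens granted `scope` exactly, or (hypothetical
    prefix query) holding any scope-token that starts with `prefix`."""
    kept = []
    for t in tokens:
        try:
            granted = parse_scope(t.get("scope", ""))
        except ValueError:
            continue  # malformed scope: reject the token rather than guess
        if scope in granted or (prefix is not None
                                and any(s.startswith(prefix) for s in granted)):
            kept.append(t)
    return kept

# Constructed sample records; field names and scope values are hypothetical.
TOKENS = [
    {"token": "t1", "description": "Ubuntu One @ laptop", "scope": "u1 u1:files"},
    {"token": "t2", "description": "Ubuntu One @ not-really", "scope": "otherapp"},
    {"token": "t3", "description": "Music client", "scope": "u1:music"},
    {"token": "t4", "description": "Ubuntu One @ old", "scope": "u1  bad"},
]

def names(tokens):
    return [t["token"] for t in tokens]
```

With these records the description filter keeps t1, t2 and t4, the exact scope query for "u1" keeps only t1, and the prefix query for "u1:" keeps t1 and t3.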
