Network Working Group                                           C. Bunch
Internet-Draft                                 Emerald Groupware Project
Intended status: Experimental                               19 July 2025
Expires: 20 January 2026

   Standardized OAuth 2.0 Scopes for Mail, Calendar, and Contact Access
                    draft-bunch-groupware-scopes-00

Abstract

   The OAuth 2.0 authorization framework is widely used to provide
   clients with delegated access to user data.  However, the core
   specification, The OAuth 2.0 Authorization Framework, leaves the
   definition of access scopes to individual service providers.  This
   has led to a fragmented ecosystem for common groupware services
   (Mail, Calendaring, Contacts), where each provider uses proprietary,
   non-interoperable scope identifiers.  Client applications, such as
   desktop mail clients, are forced to hardcode configurations for a
   small number of large providers, stifling innovation and harming
   open ecosystems.

   This document proposes a standardized set of scope values, using the
   IETF-controlled URN namespace, to represent granular and aggregate
   permissions for common mail (IMAP/POP/SMTP/JMAP), calendar (CalDAV),
   and contact (CardDAV) operations.  Adopting these standard scopes
   would significantly improve interoperability between clients and
   servers, enabling automatic client configuration and a more seamless
   user experience.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 20 January 2026.
Bunch                   Expires 20 January 2026                 [Page 1]
Internet-Draft            OAuth Groupware Scopes               July 2025

Copyright Notice

   Copyright (c) 2025 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  Proposed Groupware Scopes
     2.1.  Mail Scopes
     2.2.  Calendar Scopes
     2.3.  Contacts Scopes
   3.  Security Considerations
   4.  IANA Considerations
     4.1.  OAuth Scope Registry
       4.1.1.  Registration of the
               'urn:ietf:params:oauth:scope:mail:read' Scope
       4.1.2.  Registration of the
               'urn:ietf:params:oauth:scope:mail:send' Scope
       4.1.3.  Registration of the
               'urn:ietf:params:oauth:scope:mail:modify' Scope
       4.1.4.  Registration of the
               'urn:ietf:params:oauth:scope:mail' Scope
       4.1.5.  Registration of the
               'urn:ietf:params:oauth:scope:calendar:freebusy' Scope
       4.1.6.  Registration of the
               'urn:ietf:params:oauth:scope:calendar:read' Scope
       4.1.7.  Registration of the
               'urn:ietf:params:oauth:scope:calendar:update' Scope
       4.1.8.  Registration of the
               'urn:ietf:params:oauth:scope:calendar' Scope
       4.1.9.  Registration of the
               'urn:ietf:params:oauth:scope:contacts:read' Scope
       4.1.10. Registration of the
               'urn:ietf:params:oauth:scope:contacts:update' Scope
       4.1.11. Registration of the
               'urn:ietf:params:oauth:scope:contacts' Scope
   5.  Normative References
   6.  Informative References
   Author's Address

1.  Introduction

   The OAuth 2.0 Authorization Framework [RFC6749] defines the "scope"
   parameter as a mechanism for limiting an application's access to a
   user's account.  While effective, the lack of standardized scope
   values for fundamental internet services like email and calendaring
   has led to a situation where every major provider (Google, Microsoft,
   etc.) has defined its own proprietary scope URIs.

   This forces client implementers to create and maintain a hardcoded
   list of provider-specific configurations, creating a high barrier to
   entry for new service providers and preventing seamless discovery and
   configuration for end users.  A user of a new groupware server, for
   example, cannot expect their favorite desktop client to "just work."

   This document aims to rectify this by defining a set of common,
   interoperable scopes for groupware functions.  These scopes are
   intended to be published by Authorization Servers in their metadata
   documents as defined in [RFC8414], allowing clients to discover them
   and request appropriate permissions dynamically.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Proposed Groupware Scopes

   This specification proposes the following scope values.  They are
   defined within the urn:ietf:params:oauth:scope namespace, which is
   the appropriate registry for IETF-defined OAuth parameters.

2.1.  Mail Scopes

   These scopes are intended to grant access to a user's mailbox via
   protocols such as IMAP [RFC9051], POP3 [RFC1939], or JMAP [RFC8620]
   [RFC8621], and to send mail via SMTP SUBMIT [RFC6409].

   urn:ietf:params:oauth:scope:mail:read
      Grants read-only access to the user's email.  This includes
      listing mailboxes, fetching messages and headers, and searching.
      It MUST NOT grant permission to modify or delete messages.

   urn:ietf:params:oauth:scope:mail:send
      Grants permission to send email on the user's behalf.  This
      typically applies to SMTP SUBMIT or the JMAP equivalent.

   urn:ietf:params:oauth:scope:mail:modify
      Grants permission to modify and delete email.  This includes
      actions such as setting flags (e.g., \Seen), moving messages
      between mailboxes, and expunging messages.

   urn:ietf:params:oauth:scope:mail
      An aggregate scope.  Granting this scope MUST be considered
      equivalent to granting mail:read, mail:send, and mail:modify
      simultaneously.  Clients needing full access SHOULD request this
      scope for simplicity.

2.2.  Calendar Scopes

   These scopes are intended to grant access to a user's calendar data,
   typically via the CalDAV protocol [RFC4791] or a JMAP-for-Calendars
   equivalent.

   urn:ietf:params:oauth:scope:calendar:freebusy
      Grants read-only access to a user's availability information
      (free/busy times).
      This scope MUST NOT grant access to sensitive event details such
      as summary, description, location, or attendees.

   urn:ietf:params:oauth:scope:calendar:read
      Grants read-only access to the user's calendars and the full
      details of all events.  This scope implies the permissions of
      calendar:freebusy.

   urn:ietf:params:oauth:scope:calendar:update
      Grants permission to create, modify, and delete calendars and
      events on the user's behalf.

   urn:ietf:params:oauth:scope:calendar
      An aggregate scope.  Granting this scope MUST be considered
      equivalent to granting calendar:freebusy, calendar:read, and
      calendar:update simultaneously.

2.3.  Contacts Scopes

   These scopes are intended to grant access to a user's address book
   data, typically via the CardDAV protocol [RFC6352] or a JMAP-for-
   Contacts equivalent.

   urn:ietf:params:oauth:scope:contacts:read
      Grants read-only access to the user's address books and contacts.

   urn:ietf:params:oauth:scope:contacts:update
      Grants permission to create, modify, and delete address books and
      contacts on the user's behalf.

   urn:ietf:params:oauth:scope:contacts
      An aggregate scope.  Granting this scope MUST be considered
      equivalent to granting contacts:read and contacts:update
      simultaneously.

3.  Security Considerations

   The principle of least privilege SHOULD be followed.  A client
   application SHOULD request the most granular scope necessary for its
   function.  For example, a scheduling assistant application that only
   needs to find open time slots should only request
   urn:ietf:params:oauth:scope:calendar:freebusy.

   Authorization servers MUST validate requested scopes and MUST NOT
   issue access tokens containing scopes that the user has not
   explicitly authorized for the client.

   The interpretation and enforcement of these scopes is the
   responsibility of the Resource Server (e.g., the IMAP or CalDAV
   server).
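   The following Python program is an added example; it is not part of
   this draft and not code from the Emerald Groupware Project.  It
   models the behaviour Sections 1 through 3 describe: a client reading
   the scopes from an RFC 8414 metadata document (the "scopes_supported"
   member, here a constructed sample), the Section 2 rules that an
   aggregate scope equals its granular members and that calendar:read
   implies calendar:freebusy, a client choosing the least-privilege
   request of Section 3, an authorization server refusing scopes the
   user has not authorized, and a resource server deciding per
   operation.  The operation names, the metadata sample and the consent
   record are assumptions made for illustration; the draft defines none
   of them.

```python
"""Added example (not from the draft): scope discovery, least-privilege
selection, authorization-server validation and resource-server enforcement
for the urn:ietf:params:oauth:scope groupware scopes.  Operation names,
the metadata sample and the consent record are constructed for illustration."""
import json

NS = "urn:ietf:params:oauth:scope:"

# Section 2: each aggregate scope is equivalent to these granular scopes.
AGGREGATES = {
    NS + "mail": {NS + "mail:read", NS + "mail:send", NS + "mail:modify"},
    NS + "calendar": {NS + "calendar:freebusy", NS + "calendar:read",
                      NS + "calendar:update"},
    NS + "contacts": {NS + "contacts:read", NS + "contacts:update"},
}

# Section 2.2: calendar:read implies the permissions of calendar:freebusy.
IMPLIES = {NS + "calendar:read": {NS + "calendar:freebusy"}}

# Assumed resource-server operations and the scope each one requires.
# The draft defines no operation names; these are illustrative.
OPERATION_SCOPE = {
    "imap.fetch": NS + "mail:read",
    "imap.store_flags": NS + "mail:modify",
    "smtp.submit": NS + "mail:send",
    "caldav.freebusy_query": NS + "calendar:freebusy",
    "caldav.report": NS + "calendar:read",
    "caldav.put": NS + "calendar:update",
    "carddav.report": NS + "contacts:read",
    "carddav.put": NS + "contacts:update",
}

# Constructed RFC 8414 metadata fragment from a server offering the scopes.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://as.example",
    "scopes_supported": ["openid"] + sorted(
        s for members in AGGREGATES.values() for s in members) + list(AGGREGATES),
})


def expand(scopes):
    """Effective granular permissions of a granted scope set."""
    effective = set()
    for s in scopes:
        effective |= AGGREGATES.get(s, {s})
    for s in list(effective):
        effective |= IMPLIES.get(s, set())
    return effective


def discover_scopes(metadata_json):
    """Section 1: standard groupware scopes advertised in AS metadata."""
    supported = json.loads(metadata_json).get("scopes_supported", [])
    return {s for s in supported if s.startswith(NS)}


def scopes_to_request(needed, supported):
    """Section 3 least privilege: request only what is needed, collapsing a
    whole family to its aggregate (Section 2.1) when the server offers it."""
    missing = set(needed) - supported
    if missing:
        raise ValueError(f"server does not advertise {sorted(missing)}")
    request = set(needed)
    for agg, members in AGGREGATES.items():
        if members <= expand(request) and agg in supported:
            request = (request - members) | {agg}
    return request


def issue_token_scopes(requested, supported, consented):
    """Section 3 authorization-server rule: issue no scope that is unknown
    or that the user has not explicitly authorized for this client."""
    unknown = set(requested) - supported
    if unknown:
        raise PermissionError(f"unsupported scope(s): {sorted(unknown)}")
    unauthorized = set(requested) - set(consented)
    if unauthorized:
        raise PermissionError(f"not authorized by user: {sorted(unauthorized)}")
    return set(requested)


def is_permitted(token_scopes, operation):
    """Resource-server enforcement: the operation's scope must be in the
    expanded set, so calendar:read also satisfies a free/busy query."""
    return OPERATION_SCOPE[operation] in expand(token_scopes)


if __name__ == "__main__":
    supported = discover_scopes(SAMPLE_METADATA)
    # The scheduling assistant of Section 3 needs free/busy times only.
    wanted = scopes_to_request({NS + "calendar:freebusy"}, supported)
    granted = issue_token_scopes(wanted, supported, consented=wanted)
    for op in ("caldav.freebusy_query", "caldav.report"):
        print(op, "allowed" if is_permitted(granted, op) else "denied")
```

   The design point worth noting is that expansion happens only on the
   resource-server side: the token carries exactly the scopes the user
   consented to, and it is the enforcement step that treats
   calendar:read as also covering a free/busy query, as Section 2.2
   requires.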
4.  IANA Considerations

   This document requests the registration of eleven new values in the
   "OAuth Scope Registry" under the "OAuth Parameters" registry.

4.1.  OAuth Scope Registry

   The following scopes are to be registered.

4.1.1.  Registration of the 'urn:ietf:params:oauth:scope:mail:read' Scope

   Name:  urn:ietf:params:oauth:scope:mail:read
   Description:  Grants read-only access to a user's email.
   Change Controller:  IETF
   Reference:  This document.

4.1.2.  Registration of the 'urn:ietf:params:oauth:scope:mail:send' Scope

   Name:  urn:ietf:params:oauth:scope:mail:send
   Description:  Grants permission to send email on a user's behalf.
   Change Controller:  IETF
   Reference:  This document.

4.1.3.  Registration of the 'urn:ietf:params:oauth:scope:mail:modify' Scope

   Name:  urn:ietf:params:oauth:scope:mail:modify
   Description:  Grants permission to modify and delete email in a
      user's mailbox.
   Change Controller:  IETF
   Reference:  This document.

4.1.4.  Registration of the 'urn:ietf:params:oauth:scope:mail' Scope

   Name:  urn:ietf:params:oauth:scope:mail
   Description:  Aggregate scope for full read, send, and modify access
      to email.
   Change Controller:  IETF
   Reference:  This document.

4.1.5.  Registration of the 'urn:ietf:params:oauth:scope:calendar:freebusy' Scope

   Name:  urn:ietf:params:oauth:scope:calendar:freebusy
   Description:  Grants read-only access to a user's availability
      (free/busy) information.
   Change Controller:  IETF
   Reference:  This document.

4.1.6.  Registration of the 'urn:ietf:params:oauth:scope:calendar:read' Scope

   Name:  urn:ietf:params:oauth:scope:calendar:read
   Description:  Grants read-only access to full calendar and event
      details.
   Change Controller:  IETF
   Reference:  This document.

4.1.7.  Registration of the 'urn:ietf:params:oauth:scope:calendar:update' Scope

   Name:  urn:ietf:params:oauth:scope:calendar:update
   Description:  Grants permission to create, modify, and delete
      calendar data.
   Change Controller:  IETF
   Reference:  This document.

4.1.8.  Registration of the 'urn:ietf:params:oauth:scope:calendar' Scope

   Name:  urn:ietf:params:oauth:scope:calendar
   Description:  Aggregate scope for full read and update access to
      calendar data.
   Change Controller:  IETF
   Reference:  This document.

4.1.9.  Registration of the 'urn:ietf:params:oauth:scope:contacts:read' Scope

   Name:  urn:ietf:params:oauth:scope:contacts:read
   Description:  Grants read-only access to a user's contact data.
   Change Controller:  IETF
   Reference:  This document.

4.1.10.  Registration of the 'urn:ietf:params:oauth:scope:contacts:update' Scope

   Name:  urn:ietf:params:oauth:scope:contacts:update
   Description:  Grants permission to create, modify, and delete
      contact data.
   Change Controller:  IETF
   Reference:  This document.

4.1.11.  Registration of the 'urn:ietf:params:oauth:scope:contacts' Scope

   Name:  urn:ietf:params:oauth:scope:contacts
   Description:  Aggregate scope for full read and update access to
      contact data.
   Change Controller:  IETF
   Reference:  This document.

5.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC6749]  Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
              RFC 6749, DOI 10.17487/RFC6749, October 2012.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8414]  Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0
              Authorization Server Metadata", RFC 8414,
              DOI 10.17487/RFC8414, June 2018.

6.  Informative References

   [RFC1939]  Myers, J. and M. Rose, "Post Office Protocol - Version 3",
              STD 53, RFC 1939, DOI 10.17487/RFC1939, May 1996.

   [RFC4791]  Daboo, C., Desruisseaux, B., and L. Dusseault,
              "Calendaring Extensions to WebDAV (CalDAV)", RFC 4791,
              DOI 10.17487/RFC4791, March 2007.

   [RFC6352]  Daboo, C., "CardDAV: vCard Extensions to Web Distributed
              Authoring and Versioning (WebDAV)", RFC 6352,
              DOI 10.17487/RFC6352, August 2011.

   [RFC6409]  Gellens, R. and J. Klensin, "Message Submission for Mail",
              STD 72, RFC 6409, DOI 10.17487/RFC6409, November 2011.

   [RFC8620]  Jenkins, N. and C. Newman, "The JSON Meta Application
              Protocol (JMAP)", RFC 8620, DOI 10.17487/RFC8620,
              July 2019.

   [RFC8621]  Jenkins, N. and C. Newman, "The JSON Meta Application
              Protocol (JMAP) for Mail", RFC 8621,
              DOI 10.17487/RFC8621, August 2019.

   [RFC9051]  Melnikov, A., Ed. and B. Leiba, Ed., "Internet Message
              Access Protocol (IMAP) - Version 4rev2", RFC 9051,
              DOI 10.17487/RFC9051, August 2021.

Author's Address

   Clinton Bunch
   Emerald Groupware Project
   Email: cdbunch@emeraldgroupware.org