Re: [Ace] Overwriting Tokens

> -----Original Message-----
> From: Ace <ace-bounces@ietf.org> On Behalf Of Stefanie Gerdes
> Sent: Wednesday, December 12, 2018 2:17 AM
> To: ace@ietf.org
> Subject: Re: [Ace] Overwriting Tokens
> 
> Hi Ludwig,
> 
> On 12/12/2018 11:05 AM, Ludwig Seitz wrote:
> > On 12/12/2018 10:33, Stefanie Gerdes wrote:
> >> Hi again,
> >>
> >> I have one additional comment to ace-oauth-17:
> >>
> >> Section 5.8.1 recommends that RS stores only one token per key and
> >> that existing tokens are overwritten by new tokens. I wonder how the
> >> RS knows which token is the most recent. I don't think the expiration
> >> time helps in this case because it should be possible for the AS to
> >> provide a token that expires earlier than the previous token.
> >>
> >>
> >> Viele Grüße
> >> Steffi
> >>
> >
> > "Recent" here is meant as "most recently received". That is something
> > the RS definitely can track.
> 
> The token most recently received by RS is not necessarily the newest.
> A client may (accidentally or not) send the older token later than the
newer
> token.

And as you stated above, the older token may have a longer expiration than
the newer because of a different set of permissions.  I think that having
the RS use the most recently received token is probably the best strategy
for an RS that I only going to keep one token.   The client will know which
token is tagged to what original request if it is keeping more than one
token itself.  If it is must immediately posting tokens as it goes along,
then the AS could provide an older, but still valid, token on the next
request.

Jim

> 
> Viele Grüße
> Steffi
> 
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace