Re: [apps-discuss] Apps Area Review of draft-ietf-oauth-revocation-07

Marius Scurtescu <mscurtescu@google.com> Fri, 26 April 2013 17:50 UTC

Return-Path: <mscurtescu@google.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5C1B21F99CA for <apps-discuss@ietfa.amsl.com>; Fri, 26 Apr 2013 10:50:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.593
X-Spam-Level:
X-Spam-Status: No, score=-101.593 tagged_above=-999 required=5 tests=[AWL=0.500, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_FONT_FACE_BAD=0.884, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t2GVQyQq8rlr for <apps-discuss@ietfa.amsl.com>; Fri, 26 Apr 2013 10:50:24 -0700 (PDT)
Received: from mail-vc0-f181.google.com (mail-vc0-f181.google.com [209.85.220.181]) by ietfa.amsl.com (Postfix) with ESMTP id 1382D21F9993 for <apps-discuss@ietf.org>; Fri, 26 Apr 2013 10:50:23 -0700 (PDT)
Received: by mail-vc0-f181.google.com with SMTP id hr11so2676287vcb.40 for <apps-discuss@ietf.org>; Fri, 26 Apr 2013 10:50:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=97cxkLR08McFgdosdsQ0ZHack0S+YFXx6Yy532U2To4=; b=Uhaz4nc3/L0XZntIepTHaNTssdUoLwpTSrTUxXMsY4Bfr2G4vrImg+nx7l/owvNd8u orNzD2LRKrd8uHdjSSp3vT+7OEWyhVntZ4y35dz1375VE1pBTn5fiuNA0YCgC7p2fN8W XB2MQzpXV0ioi1QVxuJCtw3w7w35VGjYIXKnU4cL/91WYf4Sa9ftqM0PQQsOXBHKAuDZ NCdGi8o+UpwBuTro2rrX/Wo/3a/p0gC6fMS0Qn/jIXa2JV2sct7CgSqvQQZCXvwObX/9 dA37IJQhkQVO8BUcIWhzSAkanryogPUD1bfXl2zt68hAg9Pp3wKxKD9ePPols53l2jpa NE+A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:cc:content-type:x-gm-message-state; bh=97cxkLR08McFgdosdsQ0ZHack0S+YFXx6Yy532U2To4=; b=feRcJcAlovbCpzJKU3vIF9tUXBXTr2W7Ew0J+E8HI/Jc9uHrElkNYIvaIhNwhd3TR2 hY7eaoV+OPmDKdT+dtFAmIBlNmZW7shhGq7HOBtiYMB1Tlpr+lcVc+mKuxZUYBvY+LDB 0o/na7Slif2q04lPiw92kxY/PC4eZHxglbcqekXEt+HxHC3t/L2UYzZi/0lhaWlU6y40 Hy+3aW/JMkzUdy3Ba0PbifOyC7sb/1fms3uRhQEZY4mND4OMLZOKFtI4N+P9/5XpVIT7 aX2NlnlWl3Un6cwjFaoHMFCGj8CBoPjhZu57ZDXNRkCakSRg98/xlPzQ5CTYsWOuQvLs sETg==
X-Received: by 10.52.157.194 with SMTP id wo2mr25020889vdb.30.1366998623390; Fri, 26 Apr 2013 10:50:23 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.220.154.206 with HTTP; Fri, 26 Apr 2013 10:50:03 -0700 (PDT)
In-Reply-To: <EAA8FD66-1F5F-4A36-A1A2-677BD34AC102@lodderstedt.net>
References: <68113CC9-033D-4E61-8190-2D3B9CE92CB0@mnot.net> <77D6DF69-0715-485F-AF6E-D34D5990F5B1@lodderstedt.net> <2760360C-76A7-40D3-9B57-157FCA9A7A8A@gmail.com> <EAA8FD66-1F5F-4A36-A1A2-677BD34AC102@lodderstedt.net>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Fri, 26 Apr 2013 10:50:03 -0700
Message-ID: <CAGdjJpLxKBtUoCcmbwDyU0duvbEYqGg8ihyf8DGN0PfbM_SUhg@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Content-Type: multipart/alternative; boundary=089e016338c05b4f4d04db472b98
X-Gm-Message-State: ALoCoQmhF98GGqTlHoprf7Mz+BgLvRDO1nRl5FWn+PaZO78IjJS6u69lX3hzzKjyJEo3D0W4g52KsMsyXXwHDcAHbgZWNrZaSsOyA5YeMwvjdrEd70ObZKk2mb0uHbOMP+dn+InhD6DE18TzNJe7brdcJFV9yQurPh5vAOZLPkWxv4JL5Tjx9z9kE7aK9BVbyE/L2Z6WBu4r
X-Mailman-Approved-At: Sat, 27 Apr 2013 08:04:05 -0700
Cc: "draft-ietf-oauth-revocation.all@tools.ietf.org" <draft-ietf-oauth-revocation.all@tools.ietf.org>, Mark Nottingham <mnot@mnot.net>, IESG IESG <iesg@ietf.org>, "apps-discuss@ietf.org Discuss" <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] Apps Area Review of draft-ietf-oauth-revocation-07
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Apr 2013 17:50:26 -0000

On Wed, Apr 24, 2013 at 11:06 AM, Torsten Lodderstedt <
torsten@lodderstedt.net> wrote:

> Hi Dick,
>
>
>
> Am 24.04.2013 um 19:34 schrieb Dick Hardt <dick.hardt@gmail.com>om>:
>
> Hi Torsten
>
> Unlike RFC 6749 where the user is starting from documentation, OAuth
> Revocation is an extension to an existing protocol.
>
>
> I don't get your point. Revocation is an extension to the OAuth framework.
> Why is the situation any different from any other endpoint?
>
> FWIW: I agree with Mark that having the revocation URL be returned as an
> additional parameter in the access token request similar to how the refresh
> token is preferable.
>
>
I think discovery should be solved in general for OAuth 2, an ad hoc
solution for revocation does sound right. For example, when authorization
codes are returned the URL of the token endpoint is not returned. Returning
discovery information with every single response is an overkill IMO, but
the whole discussion should happen somewhere else.

Maybe tokens should have been URLs, but again, it is too late for that
discussion and this spec cannot enforce or require that.


Use of the  DELETE verb on the revocation URL is a great suggestion and
> makes the protocol more web like and straight forward.
>
>
> We discussed this and other alternative options a long time ago and the WG
> decided to go for the design described in the draft.
>
> Regards,
> Torsten.
>
> -- Dick
>
> On Apr 24, 2013, at 10:16 AM, Torsten Lodderstedt <torsten@lodderstedt.net>
> wrote:
>
> Hi Mark,
>
> thanks for your feedback. I added my comments inline.
>
> Am 24.04.2013 um 02:07 schrieb Mark Nottingham <mnot@mnot.net>et>:
>
> I have been selected as the Applications Area Review Team reviewer for
> this draft (for background on apps-review, please see
> http://www.apps.ietf.org/content/applications-area-review-team).
>
> Please resolve these comments along with any other Last Call comments you
> may receive. Please wait for direction from your document shepherd or AD
> before posting a new version of the draft.
>
> Document: draft-ietf-oauth-revocation-07
> Title: Token Revocation
> Reviewer: Mark Nottingham
> Review Date: 24 April 2013
> IETF Last Call Date: 30 April 2013
> IESG Telechat Date: unknown
>
> Summary: This draft is has issues that should be fixed before publication.
>
> Major Issues:
>
> 1) Section 2 states that the means of discovering the revocation endpoint
> is out of scope of this specification, and that it can be achieved by
> consulting documentation.
>
> This is a poor design choice, at odds with the Web architecture, and fails
> to provide interoperability. A discovery mechanism should be specified.
>
>
>
> I'm surprised about your assessment. My draft is just an extension to RFC6749,
> which leaves discovery out of scope as well.
> In my opinion, how the clients gets to know the revocation URL is a domain
> or application specific aspect. I expect OAuth profiles, such as OpenID
> Connect, to define this.
>
>
> One way to do it would be to allow the revocation URI to be indicated at
> an earlier part of the OAuth interchange.
>
> Another (potentially simpler) to do it would be to assign a URI to the
> token itself, and allow a properly authorised client to DELETE that URI;
> this removes the need to specify a body format.
>
>
> And there are much more possible options, e.g. using WebFinger. But is
> their THE discovery mechanism?
>
>
> Minor Issues:
>
> 2) The specification title is too broad; "Token Revocation" could apply to
> many IETF technologies. Suggest "OAuth Token Revocation".
>
>
> I will change the title.
>
> Regards,
> Torsten.
>
>
> --
> Mark Nottingham   http://www.mnot.net/
>
>
>
> _______________________________________________
> apps-discuss mailing list
> apps-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/apps-discuss
>
>
>