Re: [apps-discuss] Apps Area Review of draft-ietf-oauth-revocation-07

Dick Hardt <dick.hardt@gmail.com> Wed, 24 April 2013 17:34 UTC

From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <77D6DF69-0715-485F-AF6E-D34D5990F5B1@lodderstedt.net>
Date: Wed, 24 Apr 2013 10:34:48 -0700
Message-Id: <2760360C-76A7-40D3-9B57-157FCA9A7A8A@gmail.com>
References: <68113CC9-033D-4E61-8190-2D3B9CE92CB0@mnot.net> <77D6DF69-0715-485F-AF6E-D34D5990F5B1@lodderstedt.net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: draft-ietf-oauth-revocation.all@tools.ietf.org, Mark Nottingham <mnot@mnot.net>, IESG IESG <iesg@ietf.org>, "apps-discuss@ietf.org Discuss" <apps-discuss@ietf.org>

Hi Torsten

Unlike RFC 6749, where the user is starting from documentation, OAuth Revocation is an extension to an existing protocol.

FWIW: I agree with Mark that having the revocation URL returned as an additional parameter in the access token request, similar to how the refresh token is, is preferable.

Use of the DELETE verb on the revocation URL is a great suggestion and makes the protocol more web-like and straightforward.

-- Dick

On Apr 24, 2013, at 10:16 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

> Hi Mark,
> 
> thanks for your feedback. I added my comments inline.
> 
> Am 24.04.2013 um 02:07 schrieb Mark Nottingham <mnot@mnot.net>:
> 
>> I have been selected as the Applications Area Review Team reviewer for this draft (for background on apps-review, please see http://www.apps.ietf.org/content/applications-area-review-team).
>> 
>> Please resolve these comments along with any other Last Call comments you may receive. Please wait for direction from your document shepherd or AD before posting a new version of the draft.
>> 
>> Document: draft-ietf-oauth-revocation-07
>> Title: Token Revocation
>> Reviewer: Mark Nottingham
>> Review Date: 24 April 2013
>> IETF Last Call Date: 30 April 2013
>> IESG Telechat Date: unknown
>> 
>> Summary: This draft has issues that should be fixed before publication.
>> 
>> Major Issues:
>> 
>> 1) Section 2 states that the means of discovering the revocation endpoint is out of scope of this specification, and that it can be achieved by consulting documentation. 
>> 
>> This is a poor design choice, at odds with the Web architecture, and fails to provide interoperability. A discovery mechanism should be specified.
> 
> 
> I'm surprised about your assessment. My draft is just an extension to RFC6749, which leaves discovery out of scope as well. 
> In my opinion, how the client gets to know the revocation URL is a domain or application specific aspect. I expect OAuth profiles, such as OpenID Connect, to define this.
> 
>> 
>> One way to do it would be to allow the revocation URI to be indicated at an earlier part of the OAuth interchange. 
>> 
>> Another (potentially simpler) way to do it would be to assign a URI to the token itself, and allow a properly authorised client to DELETE that URI; this removes the need to specify a body format.
> 
> And there are many more possible options, e.g. using WebFinger. But is there THE discovery mechanism?
>> 
>> Minor Issues:
>> 
>> 2) The specification title is too broad; "Token Revocation" could apply to many IETF technologies. Suggest "OAuth Token Revocation".
>> 
> 
> I will change the title.
> 
> Regards,
> Torsten.
> 
>> 
>> --
>> Mark Nottingham   http://www.mnot.net/
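The two endpoint designs argued over in this thread, worked through as an added example (it is not code from the thread, from the draft, or from any implementation of it): a small in-memory authorization server that accepts the draft's POST form, with the endpoint advertised in the token response under a hypothetical revocation_endpoint parameter (Mark's first suggestion), and also hands out a per-token URI that the client DELETEs (his second). The parameter names revocation_endpoint, access_token_uri and refresh_token_uri, the /revoke and /tokens/ paths, the client credentials and the issuer host are all assumptions made for the example. The POST parameters token and token_type_hint are the ones the draft was eventually published with as RFC 7009, and the rules applied to both paths are that RFC's: the client must authenticate, it may only revoke tokens issued to it, an unknown token still gets a 200, and revoking a refresh token takes the access tokens derived from it with it.

```python
import base64
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

@dataclass
class Token:
    value: str
    kind: str          # "access_token" or "refresh_token"
    client_id: str     # client the token was issued to
    parent: str = ""   # for an access token: the refresh token it was minted from
    revoked: bool = False

class AuthorizationServer:
    """In-memory authorization server, constructed for this example."""
    def __init__(self, clients, issuer="https://as.example"):
        self.clients = clients  # client_id -> client_secret (confidential clients)
        self.issuer = issuer
        self.tokens = {}        # token value -> Token

    def issue(self, client_id):
        # Token response. The three *_endpoint / *_uri members are assumptions
        # modelled on Mark's two suggestions, not parameters of the draft.
        rt = Token(secrets.token_urlsafe(24), "refresh_token", client_id)
        at = Token(secrets.token_urlsafe(24), "access_token", client_id, parent=rt.value)
        self.tokens[rt.value] = rt
        self.tokens[at.value] = at
        return {
            "access_token": at.value, "token_type": "Bearer", "refresh_token": rt.value,
            "revocation_endpoint": f"{self.issuer}/revoke",          # suggestion 1
            "access_token_uri": f"{self.issuer}/tokens/{at.value}",   # suggestion 2
            "refresh_token_uri": f"{self.issuer}/tokens/{rt.value}",
        }

    def is_active(self, value):
        # what a resource server would learn by introspecting the token
        tok = self.tokens.get(value)
        return tok is not None and not tok.revoked

    def handle(self, method, url, headers, body=""):
        """Dispatch one revocation request; returns an HTTP status code."""
        client_id, secret = _basic_credentials(headers.get("Authorization", ""))
        expected = self.clients.get(client_id)
        if expected is None or not secrets.compare_digest(expected.encode(), secret.encode()):
            return 401  # unauthenticated callers revoke nothing
        path = urlsplit(url).path
        if method == "POST" and path == "/revoke":
            form = parse_qs(body)  # application/x-www-form-urlencoded body
            if "token" not in form:
                return 400
            # token_type_hint is only a lookup hint; this store is keyed by value anyway
            self._revoke_if_owned(form["token"][0], client_id)
            return 200
        if method == "DELETE" and path.startswith("/tokens/"):
            self._revoke_if_owned(path[len("/tokens/"):], client_id)
            return 200
        return 404

    def _revoke_if_owned(self, value, client_id):
        tok = self.tokens.get(value)
        # Unknown or foreign token: do nothing but still answer 200, so the endpoint is
        # neither a token-validity oracle nor a way to revoke another client's tokens.
        if tok is None or tok.client_id != client_id:
            return
        tok.revoked = True
        if tok.kind == "refresh_token":  # the grant is gone, so are tokens minted from it
            for t in self.tokens.values():
                if t.parent == value:
                    t.revoked = True

def _basic_credentials(header):
    scheme, _, b64 = header.partition(" ")
    if scheme != "Basic":
        return "", ""
    try:
        decoded = base64.b64decode(b64, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return "", ""
    user, _, password = decoded.partition(":")
    return user, password

def basic_auth(client_id, client_secret):
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

def demo():
    """Both revocation styles against one issued grant; returns the observations."""
    srv = AuthorizationServer({"app1": "s3cret-app1", "app2": "s3cret-app2"})  # constructed
    resp = srv.issue("app1")
    app1 = {"Authorization": basic_auth("app1", "s3cret-app1")}
    app2 = {"Authorization": basic_auth("app2", "s3cret-app2")}
    post = srv.handle("POST", resp["revocation_endpoint"], app1,
                      f"token={resp['access_token']}&token_type_hint=access_token")
    foreign = srv.handle("DELETE", resp["refresh_token_uri"], app2)  # wrong client
    anon = srv.handle("DELETE", resp["refresh_token_uri"], {})       # no credentials
    refresh_after_foreign = srv.is_active(resp["refresh_token"])
    owner = srv.handle("DELETE", resp["refresh_token_uri"], app1)
    return {"post": post, "access_active": srv.is_active(resp["access_token"]),
            "foreign": foreign, "anon": anon, "refresh_after_foreign": refresh_after_foreign,
            "owner": owner, "refresh_active": srv.is_active(resp["refresh_token"])}
```

Running demo() shows the POST revoking only the access token named in the body, the other client's DELETE returning 200 while changing nothing, the unauthenticated DELETE getting 401, and the owner's DELETE of the refresh token URI taking the grant down. One cost of the DELETE form as modelled here is worth noting: the token value is the last path segment, so the bearer secret travels in the request line, which proxies and access logs usually record. A deployment would rather hand out an opaque per-token identifier and keep the token value out of URIs.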