Re: [OAUTH-WG] Another question on RFC 7009
George Fletcher <gffletch@aol.com> Fri, 07 February 2014 19:55 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 789B91ACCDF for <oauth@ietfa.amsl.com>; Fri, 7 Feb 2014 11:55:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.324
X-Spam-Level:
X-Spam-Status: No, score=-2.324 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EMvpgtM1yP9p for <oauth@ietfa.amsl.com>; Fri, 7 Feb 2014 11:55:56 -0800 (PST)
Received: from omr-m03.mx.aol.com (omr-m03.mx.aol.com [64.12.143.77]) by ietfa.amsl.com (Postfix) with ESMTP id 779C11A01D2 for <oauth@ietf.org>; Fri, 7 Feb 2014 11:55:55 -0800 (PST)
Received: from mtaout-mbd01.mx.aol.com (mtaout-mbd01.mx.aol.com [172.26.252.13]) by omr-m03.mx.aol.com (Outbound Mail Relay) with ESMTP id 3D6DE7003623F; Fri, 7 Feb 2014 14:55:55 -0500 (EST)
Received: from [10.181.176.251] (unknown [10.181.176.251]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mtaout-mbd01.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id E3AC2380000BE; Fri, 7 Feb 2014 14:55:54 -0500 (EST)
Message-ID: <52F53A4A.7090600@aol.com>
Date: Fri, 07 Feb 2014 14:55:54 -0500
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Brian Campbell <bcampbell@pingidentity.com>, Thomas Broyer <t.broyer@gmail.com>
References: <CA+k3eCSNX43gFYUA8jGgFZ4Ri6nWQ=+R6Ru2j+v04r_2pZdQhA@mail.gmail.com> <OFDA940505.5D93BC11-ON85257C71.005DCB58-85257C71.005DF5C2@us.ibm.com> <CAEayHEPYp7YxYr77nLTqkR4Xh1eg9sjMkGczcHEBnqG6U5VboA@mail.gmail.com> <CA+k3eCR-7x1cb_h-mWqWVr66w+gUe7trNjX4JAHGNDcNbfubag@mail.gmail.com>
In-Reply-To: <CA+k3eCR-7x1cb_h-mWqWVr66w+gUe7trNjX4JAHGNDcNbfubag@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------010108040302090304020507"
x-aol-global-disposition: G
X-AOL-VSS-INFO: 5600.1067/96458
X-AOL-VSS-CODE: clean
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20121107; t=1391802955; bh=ukTRjLDz4SOMfl2KibOpXzUSvK6+qclc4fEQHVGntQY=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=vpPQazdczNDk6v1NQPYl/IhodweBsmn1OEpfdwYb5GIICV54IetsLrAdsjas8xJPw 889NfW+Y6zAcrQbFeMu86dnnJOv1aQ1J14mRArk+iNNOiDe9RiO+lryH7kIaUI2TgR 0Wxm9LmW/kpkdKO9uw1J9/2MJqTnb5CRPeyhzlTU=
x-aol-sid: 3039ac1afc0d52f53a4a3f6a
X-AOL-IP: 10.181.176.251
Cc: "<oauth@ietf.org>" <oauth@ietf.org>, OAuth <oauth-bounces@ietf.org>
Subject: Re: [OAUTH-WG] Another question on RFC 7009
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Feb 2014 19:55:58 -0000
+1 for this solution Is this something that could be clarified in errata as it appears we have three different providers with three different solutions:) Thanks, George On 2/7/14 2:43 PM, Brian Campbell wrote: > Thanks, Todd and Thomas, for the responses. After some internal > debate, I think we are going to treat it as an invalid token (which it > is in that context) and return a 200. > > > On Fri, Jan 31, 2014 at 11:19 AM, Thomas Broyer <t.broyer@gmail.com > <mailto:t.broyer@gmail.com>> wrote: > > FWIW, we return unauthorized_client. > > Le 31 janv. 2014 18:06, "Todd W Lainhart" <lainhart@us.ibm.com > <mailto:lainhart@us.ibm.com>> a écrit : > > > ...what's the intended way that the "request is refused and > the client is informed of the error" when the the token was > not issued to the client making the revocation request? > > We return an error_code of "invalid_request" and an > appropriate error message. > > * > > > Todd Lainhart > Rational software > IBM Corporation > 550 King Street, Littleton, MA 01460-1250** > 1-978-899-4705 <tel:1-978-899-4705> > 2-276-4705 (T/L) > lainhart@us.ibm.com <mailto:lainhart@us.ibm.com>* > > > > > > > From: Brian Campbell <bcampbell@pingidentity.com > <mailto:bcampbell@pingidentity.com>> > To: oauth <oauth@ietf.org <mailto:oauth@ietf.org>>, > Date: 01/31/2014 11:58 AM > Subject: [OAUTH-WG] Another question on RFC 7009 > Sent by: "OAuth" <oauth-bounces@ietf.org > <mailto:oauth-bounces@ietf.org>> > ------------------------------------------------------------------------ > > > > Greetings WG, > > In section 2.1 of RFC 7009, it says: > > "The authorization server first validates the client > credentials (in > case of a confidential client) and then verifies whether > the token > was issued to the client making the revocation request. If this > validation fails, the request is refused and the client is > informed > of the error by the authorization server as described below." > > The only error described below is "unsupported_token_type" > which doesn't seem appropriate here. The errors in > _http://tools.ietf.org/html/rfc6749#section-5.2_are referenced > too and, while "invalid_client" seems right for failed client > authentication, what's the intended way that the "request is > refused and the client is informed of the error" when the the > token was not issued to the client making the revocation > request? None of the defined error codes seem to fit. > > Furthermore, wouldn't it be better to go ahead and just revoke > a token in the case it's presented by the wrong client? I seem > to recall some discussion around this when 7009 was just a > baby draft-ietf-oauth-revocation and, while I don't recall the > outcome, I was surprised to look at the RFC again and see the > text that is there. > > These questions came to me by way of a developer working on > implementing the RFC. I didn't have good answers, beyond the > prognostication herein, so I thought I'd take the questions to > the WG list and the document authors. > > Thanks for any clarification, > Brian > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth -- George Fletcher <http://connect.me/gffletch>
- [OAUTH-WG] Another question on RFC 7009 Brian Campbell
- Re: [OAUTH-WG] Another question on RFC 7009 Todd W Lainhart
- Re: [OAUTH-WG] Another question on RFC 7009 Thomas Broyer
- Re: [OAUTH-WG] Another question on RFC 7009 Brian Campbell
- Re: [OAUTH-WG] Another question on RFC 7009 George Fletcher
- Re: [OAUTH-WG] Another question on RFC 7009 Brian Campbell