[OAUTH-WG] Validation of a refresh token
"Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com> Wed, 13 July 2011 22:19 UTC
From: "Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com>
To: 'OAuth WG' <oauth@ietf.org>
Date: Wed, 13 Jul 2011 17:19:49 -0500
Message-ID: <5710F82C0E73B04FA559560098BF95B125087447E8@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
There is a requirement in the core specification (Section 6, "Refreshing an Access Token") that the authorization server "MUST verify that the resource owner's authorization is still valid" when issuing an access token in exchange for a refresh token. How is such verification done (given that the authorization server does not interact with the resource owner at this stage)? What exactly must be checked (e.g., a revocation list, expiration time, ...)?

Zachary
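As an added illustration (not part of the post, and not code from the specification), the kind of server-side state an authorization server can consult to answer this without contacting the resource owner: the refresh token's own expiry and revocation flag, the grant it was issued under, the client binding, and the requested scope. The class and field names are assumptions, and the sample state is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hmac


@dataclass
class Grant:
    """The resource owner's authorization that a refresh token was issued under."""
    grant_id: str
    user_id: str
    client_id: str
    scope: frozenset
    revoked: bool = False  # set when the owner withdraws consent (e.g. via a revocation list)


@dataclass
class RefreshToken:
    token_id: str
    grant_id: str
    expires_at: datetime
    revoked: bool = False  # set on rotation or explicit revocation


class AuthorizationServer:
    def __init__(self):
        self.grants, self.tokens = {}, {}
        self.active_users, self.active_clients = set(), set()

    def check_refresh(self, token_id, client_id, requested_scope=frozenset(), now=None):
        """Return (ok, reason). Every check reads stored state; the owner is not consulted."""
        now = now or datetime.now(timezone.utc)
        tok = self.tokens.get(token_id)
        if tok is None or tok.revoked:
            return False, "token unknown or revoked"
        if tok.expires_at <= now:
            return False, "token expired"
        grant = self.grants.get(tok.grant_id)
        if grant is None or grant.revoked:
            return False, "authorization revoked by resource owner"
        if not hmac.compare_digest(grant.client_id, client_id):
            return False, "token was issued to a different client"
        if grant.user_id not in self.active_users:
            return False, "resource owner account disabled"
        if grant.client_id not in self.active_clients:
            return False, "client registration revoked"
        if not requested_scope <= grant.scope:
            return False, "requested scope exceeds original authorization"
        return True, "ok"


def build_demo_server():
    """Constructed sample state: one user, one client, one grant, a live and an expired token."""
    srv = AuthorizationServer()
    srv.active_users.add("alice")
    srv.active_clients.add("app-1")
    srv.grants["g1"] = Grant("g1", "alice", "app-1", frozenset({"read", "write"}))
    t0 = datetime(2011, 7, 13, 22, 19, tzinfo=timezone.utc)  # constructed reference time
    srv.tokens["rt-live"] = RefreshToken("rt-live", "g1", t0 + timedelta(days=30))
    srv.tokens["rt-old"] = RefreshToken("rt-old", "g1", t0 - timedelta(days=1))
    return srv, t0
```

Any failed check maps to the same `invalid_grant` error toward the client; the reason string is for server-side logging only.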