IETF Logo Mail Archive

Re: [OAUTH-WG] Access Token Response without expires_in

"Richer, Justin P." <jricher@mitre.org> Tue, 17 January 2012 19:01 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9180811E80B0 for <oauth@ietfa.amsl.com>; Tue, 17 Jan 2012 11:01:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XPU6-Q4ICz+m for <oauth@ietfa.amsl.com>; Tue, 17 Jan 2012 11:01:03 -0800 (PST)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 8525A11E80A6 for <oauth@ietf.org>; Tue, 17 Jan 2012 11:01:03 -0800 (PST)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 91D1421B17A5; Tue, 17 Jan 2012 14:01:00 -0500 (EST)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 19CE521B17B9; Tue, 17 Jan 2012 14:01:00 -0500 (EST)
Received: from IMCMBX01.MITRE.ORG ([169.254.1.158]) by IMCCAS03.MITRE.ORG ([129.83.29.80]) with mapi id 14.01.0339.001; Tue, 17 Jan 2012 14:00:59 -0500
From: "Richer, Justin P." <jricher@mitre.org>
To: Paul Madsen <paul.madsen@gmail.com>, William Mills <wmills@yahoo-inc.com>
Thread-Topic: [OAUTH-WG] Access Token Response without expires_in
Thread-Index: AczUf8kvUkdgy1nHSGOm5KixWQExDAAclWSAABTAkIAAB5GZAAAB8M4A//++MJ8=
Date: Tue, 17 Jan 2012 19:00:59 +0000
Message-ID: <B33BFB58CCC8BE4998958016839DE27E09EC9C@IMCMBX01.MITRE.ORG>
References: <90C41DD21FB7C64BB94121FBBC2E723453A754C549@P3PW5EX1MB01.EX1.SECURESERVER.NET> <E4309A9E-9BC7-4547-918A-224B6233B25C@mitre.org> <4F157659.7050701@gmail.com> <1326819620.50670.YahooMailNeo@web31804.mail.mud.yahoo.com>, <4F15B62A.5070001@gmail.com>
In-Reply-To: <4F15B62A.5070001@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [129.83.31.52]
Content-Type: multipart/alternative; boundary="_000_B33BFB58CCC8BE4998958016839DE27E09EC9CIMCMBX01MITREORG_"
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Access Token Response without expires_in
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jan 2012 19:01:04 -0000

Scope is a lot closer to authzcontext in concept than authncontext, since OAuth is out of the authn game.

 -- Justin

________________________________
From: oauth-bounces@ietf.org [oauth-bounces@ietf.org] on behalf of Paul Madsen [paul.madsen@gmail.com]
Sent: Tuesday, January 17, 2012 12:55 PM
To: William Mills
Cc: OAuth WG
Subject: Re: [OAUTH-WG] Access Token Response without expires_in

scope sometimes feels like SAML authncontext - anything can go in there :-)

as I said to Torsten, perhaps an extension is overkill. Just looking for a best practice

On 1/17/12 12:00 PM, William Mills wrote:
Does this require an extension?  That seems something easy to overload on scope.

________________________________
From: Paul Madsen <paul.madsen@gmail.com><mailto:paul.madsen@gmail.com>
To: "Richer, Justin P." <jricher@mitre.org><mailto:jricher@mitre.org>
Cc: OAuth WG <oauth@ietf.org><mailto:oauth@ietf.org>
Sent: Tuesday, January 17, 2012 5:23 AM
Subject: Re: [OAUTH-WG] Access Token Response without expires_in

Separate from the question posed here, we are seeing customer demand for one-time semantics, but agree with Justin that this would best belong in a dedicated extension parameter and not the default

paul

On 1/16/12 10:29 PM, Richer, Justin P. wrote:

I think #3.

#1 will be a common instance, and #2 (or its variant, a limited number of uses) is a different expiration pattern than time that would want to have its own expiration parameter name. I haven't seen enough concrete use of this pattern to warrant its own extension though.

Which is why I vote #3 - it's a configuration issue. Perhaps we should rather say that the AS "SHOULD document the token behavior in the absence of this parameter, which may include the token not expiring until explicitly revoked, expiring after a set number of uses, or other expiration behavior." That's a lot of words here though.

 -- Justin

On Jan 16, 2012, at 1:53 PM, Eran Hammer wrote:



A question came up about the access token expiration when expires_in is not included in the response. This should probably be made clearer in the spec. The three options are:

1. Does not expire (but can be revoked)
2. Single use token
3. Defaults to whatever the authorization server decides and until revoked

#3 is the assumed answer given the WG history. I'll note that in the spec, but wanted to make sure this is the explicit WG consensus.

EHL


_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email