Re: [OAUTH-WG] Refresh Tokens
Torsten Lodderstedt <torsten@lodderstedt.net> Fri, 12 August 2011 15:10 UTC

OAuth allows a client to access user resources without revealing the
resource owner's identity to the client. Isn't this anonymity? I
consider this an important property of the protocol.

regards,
Torsten.

On Thu, 11 Aug 2011 21:00:54 -0400, Barry Leiba wrote:
> This seems to need a chair to step in. Tony is taking a strong stand
> and maintaining it:
>
> On Thu, Aug 11, 2011 at 1:40 PM, Anthony Nadalin
> <tonynad@microsoft.com> wrote:
>> Nowhere in the specification is there explanation for refresh
>> tokens, The reason that the Refresh token was introduced was for
>> anonymity. The scenario is that a client asks the user for access.
>> The user wants to grant the access but not tell the client the
>> user's identity. By issuing the refresh token as an 'identifier'
>> for the user (as well as other context data like the resource) it's
>> possible now to let the client get access without revealing
>> anything about the user. Recommend that the above explanation be
>> included so developers understand why the refresh tokens are there.
>
> So far, though it's been only half a day, I've seen several posts
> disagreeing with Tony, and none supporting any change to the text for
> this. We're close to ending WGLC, so please post here if you agree
> with Tony's suggested change. Otherwise, it looks like consensus is
> against.
>
> Barry, as chair
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth