[OAUTH-WG] What should happen to access tokens when the end user credentials change

Sergey Beryozkin <sberyozkin@gmail.com> Tue, 06 August 2013 11:26 UTC

Message-ID: <5200DD6C.3010003@gmail.com>
Date: Tue, 06 Aug 2013 12:26:36 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
To: oauth@ietf.org
Subject: [OAUTH-WG] What should happen to access tokens when the end user credentials change
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>

Hi

Suppose a given user has approved a client's grant request and that 
client is now working with the access token tied to the user's login 
name (or some other representation of that user's login credentials).

What would be the recommended course of action when that user's 
credentials (for example, the user's login name) change, as far as the 
existing access tokens tied to that user are concerned?

I haven't seen anything specific in the Security Considerations document.
Should the access tokens simply be refreshed internally, or invalidated, 
or does the fact that the end user may change the login name have nothing 
to do with OAuth2 (code flow) at all?

I wonder what the best practice is in this case.

Thanks, Sergey
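The scenario in the question, as an added example that is not part of the original post and does not claim to answer it: a toy in-memory authorization server whose tokens are bound either to the user's login name (the case the question describes) or to a stable internal user id, with the three options the message lists (do nothing, invalidate, refresh internally) applied when the login name changes. The class and function names, the store layout and the sample user "alice" are assumptions for illustration, not anything from the OAuth2 specifications.

```python
"""Added example (not from the original list post): what happens to issued
access tokens when a user's login name changes, depending on what the
token is bound to and which policy the authorization server applies.
Names, the in-memory store and the sample user are assumptions."""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str          # stable internal identifier, never changes
    login_name: str       # user-facing credential, may change
    password_hash: str    # placeholder; a real server stores a salted hash


@dataclass
class AccessToken:
    value: str
    subject: str          # what the token is bound to (see AuthServer.bind_by)
    scope: str
    issued_at: float = field(default_factory=time.time)


class AuthServer:
    def __init__(self, bind_by="user_id"):
        # bind_by="login_name" reproduces the situation in the question;
        # bind_by="user_id" binds tokens to a stable identifier instead.
        assert bind_by in ("login_name", "user_id")
        self.bind_by = bind_by
        self.users = {}       # user_id -> User
        self.tokens = {}      # token value -> AccessToken

    def add_user(self, user):
        self.users[user.user_id] = user

    def issue_token(self, user, scope):
        subject = getattr(user, self.bind_by)
        tok = AccessToken(secrets.token_urlsafe(32), subject, scope)
        self.tokens[tok.value] = tok
        return tok.value

    def resolve(self, token_value):
        """Resource-server side: map a presented token back to a live user.
        Returns the User, or None if the token is unknown or is bound to a
        subject value that no longer matches any account (an orphaned token)."""
        tok = self.tokens.get(token_value)
        if tok is None:
            return None
        for u in self.users.values():
            if getattr(u, self.bind_by) == tok.subject:
                return u
        return None

    def change_login_name(self, user_id, new_login, policy="nothing"):
        """policy is one of the three options raised in the question:
        "nothing", "invalidate" or "refresh" (re-bind existing tokens to the
        user's current subject value). Returns the token values that still
        resolve to this user afterwards."""
        user = self.users[user_id]
        old_subject = getattr(user, self.bind_by)
        affected = [t for t in self.tokens.values() if t.subject == old_subject]
        user.login_name = new_login
        if policy == "invalidate":
            for t in affected:
                del self.tokens[t.value]
            return set()
        if policy == "refresh":
            new_subject = getattr(user, self.bind_by)
            for t in affected:
                t.subject = new_subject
            return {t.value for t in affected}
        # "nothing": token records are left untouched; whether they still
        # resolve depends entirely on what they were bound to.
        return {t.value for t in affected if self.resolve(t.value) is user}


def demo():
    """Run the login-name change under both bindings and all three policies.
    Returns {(bind_by, policy): number of alice's two tokens that still resolve}."""
    results = {}
    for bind_by in ("login_name", "user_id"):
        for policy in ("nothing", "invalidate", "refresh"):
            srv = AuthServer(bind_by)
            alice = User("u-1001", "alice", "<hash>")   # constructed sample user
            srv.add_user(alice)
            t1 = srv.issue_token(alice, "read")
            t2 = srv.issue_token(alice, "write")
            srv.change_login_name("u-1001", "alice.smith", policy)
            results[(bind_by, policy)] = sum(
                1 for t in (t1, t2) if srv.resolve(t) is alice)
    return results


if __name__ == "__main__":
    for key, live in demo().items():
        print(key, "->", live, "of 2 tokens still resolve")
```

The run shows the point the question turns on: with tokens bound to the login name and no action taken, the tokens are neither revoked nor usable (they stay in the store but resolve to nobody), whereas tokens bound to a stable user id are unaffected by the rename unless the server deliberately invalidates them.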