Re: [OAUTH-WG] Client Credential Expiry and new Registration Access Token - draft-ietf-oauth-dyn-reg-10
Justin Richer <jricher@mitre.org> Fri, 17 May 2013 16:01 UTC
Message-ID: <51965446.2070404@mitre.org>
Date: Fri, 17 May 2013 12:01:10 -0400
From: Justin Richer <jricher@mitre.org>
To: Phil Hunt <phil.hunt@oracle.com>
References: <C0CE9538-4B72-4882-9462-B08A2D386720@oracle.com>
In-Reply-To: <C0CE9538-4B72-4882-9462-B08A2D386720@oracle.com>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
The separation between these two is necessary: Not all clients have client_secret, and you want the lifecycle/management of the registration to be protected. This is what the registration access token was made for. In older versions of Connect's registration, the client_secret was forced on all clients in order to provide this, but then you had public clients with a client_secret that they couldn't use to get tokens, and it was a bad disconnect.

The requirement for client secrets to expire or otherwise be rotated by the server came from several implementors in the Connect WG. There's an easy way to indicate that they don't expire, and a fairly straightforward way for them to be rotated (client does a GET on its client configuration endpoint URL, with its registration access token as auth).

 -- Justin

On 05/16/2013 05:35 PM, Phil Hunt wrote:
> All,
>
> In the dynamic registration draft, a new token type is defined called the "registration access token". Its use is intended to facilitate clients being able to update their registration and obtain new client credentials over time. The client credential is issued on completion of the initial registration request by a particular client instance.
>
> It appears the need for the registration access token arises from the implied assertion that client credentials should expire.
> --> Is anyone expiring client credentials?
>
> To date, we haven't had much discussion about client credential expiry. It leads me to the following questions:
>
> 1. Is there technical value with client credential/token expiry? Keep in mind that the client credential is only used with the token endpoint over a TLS connection. It is NOT used to access resources directly.
>
> 2. If yes, on what basis should the client credential/token expire?
>    a. Time?
>    b. A change to the client software (e.g. version update)?
>    c. Some other reason?
>
> 3. Is it worth the complication to create a new token type (registration access token) just to allow clients to obtain new client tokens? Keep in mind that client tokens are only usable with the AS token endpoint. Why not instead use a client token for dyn reg and the token endpoint, with the rule that once a client token has expired (if they expire), an expired token may still be used at the registration endpoint?
>
> 4. Are there other reasons for the registration token?
>
> Thanks,
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
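The lifecycle Justin describes (a registration access token that manages the registration, a client_secret that is only good at the token endpoint, public clients that have the former but not the latter, expiry signalled by client_secret_expires_at, and rotation by a GET on the client configuration endpoint), as an added toy model that is not part of the thread or of the draft. The field names follow the draft's registration response as the thread uses them; the secret lifetime, the registration_client_uri value, the choice to rotate the secret on every authenticated GET, and the "none" auth method for public clients are assumptions of this example, not requirements of the draft.

```python
import hmac
import secrets

NEVER_EXPIRES = 0  # client_secret_expires_at value meaning "this secret does not expire"


class AuthorizationServer:
    """Toy AS holding dynamically registered clients (constructed for illustration)."""

    def __init__(self, secret_lifetime=3600):
        # secret_lifetime=None models a server whose secrets never expire (assumed policy)
        self.secret_lifetime = secret_lifetime
        self.clients = {}

    def _view(self, rec):
        # What the client sees: absent fields (no secret for a public client) are omitted
        return {k: v for k, v in rec.items() if v is not None}

    def _issue_secret(self, rec, now):
        rec["client_secret"] = secrets.token_urlsafe(32)
        rec["client_secret_expires_at"] = (
            NEVER_EXPIRES if self.secret_lifetime is None else now + self.secret_lifetime)

    def register(self, metadata, now):
        """POST to the registration endpoint. A public client (auth method "none",
        an assumed value) gets no client_secret but still gets a registration access token."""
        client_id = secrets.token_urlsafe(12)
        rec = {
            "client_id": client_id,
            "client_secret": None,
            "client_secret_expires_at": None,
            "registration_access_token": secrets.token_urlsafe(32),
            "registration_client_uri": f"https://as.example/register/{client_id}",  # hypothetical
            "token_endpoint_auth_method": metadata.get("token_endpoint_auth_method", "client_secret_basic"),
        }
        if rec["token_endpoint_auth_method"] != "none":
            self._issue_secret(rec, now)
        self.clients[client_id] = rec
        return self._view(rec)

    def read_configuration(self, client_id, authorization, now):
        """GET on registration_client_uri. Only the registration access token authorizes it;
        a client_secret presented as a bearer token is rejected. On success a confidential
        client's secret is rotated (assumed server policy)."""
        rec = self.clients.get(client_id)
        scheme, _, token = authorization.partition(" ")
        if rec is None or scheme != "Bearer" or not hmac.compare_digest(token, rec["registration_access_token"]):
            return 401, {"error": "invalid_token"}
        if rec["client_secret"] is not None:
            self._issue_secret(rec, now)
        return 200, self._view(rec)

    def authenticate_client(self, client_id, client_secret, now):
        """Client authentication at the token endpoint, the only place the secret is used.
        Expired and rotated-out secrets fail."""
        rec = self.clients.get(client_id)
        if rec is None or rec["client_secret"] is None:
            return False
        if not hmac.compare_digest(client_secret, rec["client_secret"]):
            return False
        exp = rec["client_secret_expires_at"]
        return exp == NEVER_EXPIRES or now < exp


def walkthrough():
    """Runs the lifecycle end to end and returns the observable outcomes."""
    now = 1_368_720_000  # constructed timestamp
    as_ = AuthorizationServer(secret_lifetime=3600)

    # 1. A confidential client registers and uses its secret at the token endpoint.
    reg = as_.register({"token_endpoint_auth_method": "client_secret_basic"}, now)
    cid, old_secret, rat = reg["client_id"], reg["client_secret"], reg["registration_access_token"]
    fresh_works = as_.authenticate_client(cid, old_secret, now + 10)
    expired_fails = not as_.authenticate_client(cid, old_secret, now + 3600)

    # 2. The client_secret alone cannot manage the registration.
    status_secret, _ = as_.read_configuration(cid, f"Bearer {old_secret}", now + 3600)

    # 3. Rotation: a GET with the registration access token yields a fresh secret.
    status_rat, cfg = as_.read_configuration(cid, f"Bearer {rat}", now + 3600)
    new_secret = cfg["client_secret"]
    new_works = as_.authenticate_client(cid, new_secret, now + 3601)
    old_revoked = not as_.authenticate_client(cid, old_secret, now + 3601)

    # 4. A public client: no secret at all, yet it can still read its configuration.
    pub = as_.register({"token_endpoint_auth_method": "none"}, now)
    pub_status, _ = as_.read_configuration(
        pub["client_id"], f"Bearer {pub['registration_access_token']}", now)

    # 5. A server that does not expire secrets signals that with 0.
    forever = AuthorizationServer(secret_lifetime=None).register({}, now)

    return {
        "fresh_works": fresh_works,
        "expired_fails": expired_fails,
        "secret_as_bearer_status": status_secret,
        "rat_status": status_rat,
        "rotated": new_secret != old_secret,
        "new_works": new_works,
        "old_revoked": old_revoked,
        "public_has_secret": "client_secret" in pub,
        "public_read_status": pub_status,
        "never_expires": forever["client_secret_expires_at"] == NEVER_EXPIRES,
    }
```

Calling walkthrough() shows the two credentials doing different jobs: the secret authenticates at the token endpoint and dies on expiry or rotation, while the registration access token outlives it and is the only thing that lets the client fetch a replacement. Collapsing them into one credential, as Phil's question 3 suggests, would either leave public clients unable to manage their registration or reintroduce the secret-they-cannot-use disconnect Justin mentions.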