Re: [OAUTH-WG] Multiple access tokens
Ross Boucher <rboucher@gmail.com> Thu, 08 March 2012 23:15 UTC
Return-Path: <rboucher@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7BD321F85B1 for <oauth@ietfa.amsl.com>; Thu, 8 Mar 2012 15:15:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cw0TYC2G3lFJ for <oauth@ietfa.amsl.com>; Thu, 8 Mar 2012 15:15:45 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id BBA9721F85AF for <oauth@ietf.org>; Thu, 8 Mar 2012 15:15:42 -0800 (PST)
Received: by iazz13 with SMTP id z13so1501512iaz.31 for <oauth@ietf.org>; Thu, 08 Mar 2012 15:15:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer; bh=0XmdxrOpesVnTZ9P5ACGJldrFmLw4PiItAqKh0kUghw=; b=sX7C41SxlLviokgmYwp5jMBYzFpYjU0INeeCrE45TxOwzEo12qH5wLv7gOP1jDewPl YHFHLfZIHDvpNuxH3ru5xCBbQ5V0uxshw9C4R6tOkdlGnWw23HGd+pt/Dtnf1bb4F41q 9A6iwD+voHGmJZW4sSkdbVIoBIbwahwvJhfgYAm4TBSTlO2Cj5QiEM8IHkzzg7Tw++So wJCuDxnjQssuGQXy3hUZ3ymbrufAXOzYECasfsP6yK5J1Ao+kP4AR7FryQribF4YQIjk IbHVwb4rAgUK1aIZott5p76kqyKXLTkjqIfRKNpx8RYT9l8kkRKFZVyrarQ4+w1s3S2i iSoA==
Received: by 10.50.154.130 with SMTP id vo2mr19966783igb.34.1331248542486; Thu, 08 Mar 2012 15:15:42 -0800 (PST)
Received: from ip-192-168-1-92.us-west-1.compute.internal (sf-84.stripe.com. [173.247.202.84]) by mx.google.com with ESMTPS id cw5sm36945igc.17.2012.03.08.15.15.40 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 08 Mar 2012 15:15:41 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: multipart/signed; boundary="Apple-Mail=_7047F5B3-B744-4693-B260-FA8DAF845893"; protocol="application/pkcs7-signature"; micalg="sha1"
From: Ross Boucher <rboucher@gmail.com>
In-Reply-To: <1331190726.92627.YahooMailNeo@web31805.mail.mud.yahoo.com>
Date: Thu, 08 Mar 2012 15:15:39 -0800
Message-Id: <4CDF0B28-5927-4584-8CAB-98ECCCD42843@gmail.com>
References: <FF6EB619-5D3E-4B94-A322-D64BD596E015@gmail.com> <1331190726.92627.YahooMailNeo@web31805.mail.mud.yahoo.com>
To: William Mills <wmills@yahoo-inc.com>
X-Mailer: Apple Mail (2.1257)
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Multiple access tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Mar 2012 23:15:47 -0000
If the refresh token is revoked, the client application would seem to have no way to gain access to the third party resource again except through another explicit user generated authentication. Is that correct? On some level this may be desirable, since a compromised auth code also implies that whatever out of band authentication method is being used by the client has also been compromised. But then that would be true for all refresh tokens ever issued, rather than just ones stemming from the "poisoned" auth code. (Also, worth noting that I wasn't talking about user revocation, which definitely should revoke the refresh token). On Mar 7, 2012, at 11:12 PM, William Mills wrote: > You might want to put issuance time and other info in an access token. The spec is silent on your first question. > > On revocation: One of the reasons for short lived access tokens is to only revoke the refresh token, which has to be presented at a central server type rather than trying to extend revocation to all protected resources. So if you're in that model you would not bother revoking the access token. > > The use case I can see for invalidating access tokens and still honoring refresh tokens is the case where you might have had the access token symmetric secret compromised but not the refresh token secret. That's not really user revocation though. I don't se an actual user revocation of access that would not potentially kill both tokens and always kill the refresh token. > > > > > > > ----- Original Message ----- > From: Ross Boucher <rboucher@gmail.com> > To: OAuth WG <oauth@ietf.org> > Cc: > Sent: Wednesday, March 7, 2012 6:14 PM > Subject: [OAUTH-WG] Multiple access tokens > > The spec doesn't seem to have any recommendations on this point, but should an OAuth v2 API always return the same access token if the same client makes multiple requests? Is there any benefit to not generating a new access token for each request? Similarly, if you do generate new access tokens (as I am doing now), should you also generate new refresh tokens? > > An unrelated question about revoking access tokens when the same authorization code is used more than once: should refresh tokens also be revoked? And, if so, should any tokens issued with that refresh token then also be revoked? It seems simpler (if slightly less correct) to just revoke all access tokens for that specific client/resource pair in that case, rather than tracking the ancestry of all tokens. > > Thanks, > Ross > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Multiple access tokens Ross Boucher
- Re: [OAUTH-WG] Multiple access tokens Torsten Lodderstedt
- Re: [OAUTH-WG] Multiple access tokens Torsten Lodderstedt
- Re: [OAUTH-WG] Multiple access tokens William Mills
- Re: [OAUTH-WG] Multiple access tokens Ross Boucher