Re: [OAUTH-WG] I-D on token revocation submitted
Torsten Lodderstedt <torsten@lodderstedt.net> Sun, 12 September 2010 10:14 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E157C3A6848 for <oauth@core3.amsl.com>; Sun, 12 Sep 2010 03:14:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[AWL=0.141, BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IYA0Le4TWTd5 for <oauth@core3.amsl.com>; Sun, 12 Sep 2010 03:14:52 -0700 (PDT)
Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.31.29]) by core3.amsl.com (Postfix) with ESMTP id 4BC2A3A677D for <oauth@ietf.org>; Sun, 12 Sep 2010 03:14:52 -0700 (PDT)
Received: from p4ffd11ed.dip.t-dialin.net ([79.253.17.237] helo=[127.0.0.1]) by smtprelay02.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1Oujaf-0007Y7-1e; Sun, 12 Sep 2010 12:15:17 +0200
Message-ID: <4C8CA834.1000504@lodderstedt.net>
Date: Sun, 12 Sep 2010 12:15:16 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.2.8) Gecko/20100802 Thunderbird/3.1.2
MIME-Version: 1.0
To: Brian Campbell <bcampbell@pingidentity.com>
References: <4C86BAF4.3060906@lodderstedt.net> <4C891EEA.80502@gmx.de> <AANLkTinUBD77ZtaHOD5CSGv+XAUuzSS0+NeyM5KLyJ8K@mail.gmail.com>
In-Reply-To: <AANLkTinUBD77ZtaHOD5CSGv+XAUuzSS0+NeyM5KLyJ8K@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Df-Sender: 141509
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D on token revocation submitted
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Sep 2010 10:14:54 -0000
> Editorial note: shouldn't the "must" in that text be a "MUST"? You are right. I changed that. regards, Torsten. > On Thu, Sep 9, 2010 at 11:52 AM, Stefanie Dronia<sDronia@gmx.de> wrote: >> Hallo Torsten, >> >> first of all thanks for providing this draft on the mailing list. >> Except for the following words, the draft is consistent. It defines the end of a token's life cycle, intended by the user. >> >> While reading it, I think that the following part of chapter 2 (Token Revocation) might cause problems a a certain situation: >> >> "If the processed token is a refresh token and the authorization >> server supports the revocation of access tokens, then the >> authorization server must also invalidate all access tokens issued >> for that refresh token." >> >> Situation: >> Authz Server(s) and Resource Server(s) are separate systems that are set in an open triangle (no communication between them e.g. to verify access tokens). >> >> Problem: >> How does the Resource Server(s) know that an access token was revoked and is not valid to access resources any more? >> => Communication between the servers necessary >> => benefit of open triangle architecture are lost for this case. >> I think that this is a problem with large scale systems. >> >> Although, if there are several Authz Server(s) , then there has to be communication between there or a shared data base to assure that revoked (refresh) tokens are invalid. >> >> => Is this requirement really a MUST? >> I don't think so. >> >> Any thoughts? >> >> Regards, >> Stefanie >> >> >> >> >> Am 08.09.2010 00:21, schrieb Torsten Lodderstedt: >>> I just submited the first version of my I-D for token revocation. >>> >>> Link: https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-revocation/ >>> >>> The I-D proposes an additional endpoint, which can be used to revoke both refresh and access tokens. The objective is to enhance OAuth security by giving clients and users explicite control of the finalization of the token life cycle, e.g. to implement application logout or access authorization removal. >>> >>> Please take the time to review the document (2 pages, essentially) and give me feedback. My goal is that this draft becomes a working group document. >>> >>> regards, >>> Torsten. >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] I-D on token revocation submitted Torsten Lodderstedt
- Re: [OAUTH-WG] I-D on token revocation submitted Stefanie Dronia
- Re: [OAUTH-WG] I-D on token revocation submitted Brian Campbell
- Re: [OAUTH-WG] I-D on token revocation submitted Stefanie Dronia
- Re: [OAUTH-WG] I-D on token revocation submitted Torsten Lodderstedt
- Re: [OAUTH-WG] I-D on token revocation submitted Torsten Lodderstedt
- Re: [OAUTH-WG] I-D on token revocation submitted Brian Campbell
- Re: [OAUTH-WG] I-D on token revocation submitted Torsten Lodderstedt