Re: [OAUTH-WG] Access Token Response without expires_in
Mike Jones <Michael.Jones@microsoft.com> Tue, 17 January 2012 08:01 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76C7821F84D1 for <oauth@ietfa.amsl.com>; Tue, 17 Jan 2012 00:01:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.534
X-Spam-Level:
X-Spam-Status: No, score=-3.534 tagged_above=-999 required=5 tests=[AWL=0.064, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ztGvkb4tAVSR for <oauth@ietfa.amsl.com>; Tue, 17 Jan 2012 00:01:49 -0800 (PST)
Received: from AM1EHSOBE004.bigfish.com (am1ehsobe004.messaging.microsoft.com [213.199.154.207]) by ietfa.amsl.com (Postfix) with ESMTP id C57AE21F84CF for <oauth@ietf.org>; Tue, 17 Jan 2012 00:01:48 -0800 (PST)
Received: from mail84-am1-R.bigfish.com (10.3.201.252) by AM1EHSOBE004.bigfish.com (10.3.204.24) with Microsoft SMTP Server id 14.1.225.23; Tue, 17 Jan 2012 08:01:43 +0000
Received: from mail84-am1 (localhost [127.0.0.1]) by mail84-am1-R.bigfish.com (Postfix) with ESMTP id B2BB940112; Tue, 17 Jan 2012 08:01:45 +0000 (UTC)
X-SpamScore: -41
X-BigFish: VS-41(zz9371Ic89bh179dN542M1432Nc857h98dKzz1202hzz1033IL8275bh8275dhz2fhc1ahc1bhc1ahc1bh2a8h668h839h)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC103.redmond.corp.microsoft.com; RD:none; EFVD:NLI
X-FB-SS: 13,
Received-SPF: pass (mail84-am1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14MLTC103.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail84-am1 (localhost.localdomain [127.0.0.1]) by mail84-am1 (MessageSwitch) id 1326787305356805_31456; Tue, 17 Jan 2012 08:01:45 +0000 (UTC)
Received: from AM1EHSMHS020.bigfish.com (unknown [10.3.201.249]) by mail84-am1.bigfish.com (Postfix) with ESMTP id 53C8928004A; Tue, 17 Jan 2012 08:01:45 +0000 (UTC)
Received: from TK5EX14MLTC103.redmond.corp.microsoft.com (131.107.125.8) by AM1EHSMHS020.bigfish.com (10.3.206.23) with Microsoft SMTP Server (TLS) id 14.1.225.23; Tue, 17 Jan 2012 08:01:41 +0000
Received: from TK5EX14MBXC285.redmond.corp.microsoft.com ([169.254.3.196]) by TK5EX14MLTC103.redmond.corp.microsoft.com ([157.54.79.174]) with mapi id 14.02.0247.005; Tue, 17 Jan 2012 00:01:33 -0800
From: Mike Jones <Michael.Jones@microsoft.com>
To: Eran Hammer <eran@hueniverse.com>, Aaron Parecki <aaron@parecki.com>, OAuth WG <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Access Token Response without expires_in
Thread-Index: AczUf8kvUkdgy1nHSGOm5KixWQExDAAclWSAAAQyJIAACJ8+AAAAC6AAAAELxoAAAG06AAAPeVQA
Date: Tue, 17 Jan 2012 08:01:33 +0000
Message-ID: <4E1F6AAD24975D4BA5B168042967394366358386@TK5EX14MBXC285.redmond.corp.microsoft.com>
References: <90C41DD21FB7C64BB94121FBBC2E723453A754C549@P3PW5EX1MB01.EX1.SECURESERVER.NET> <E4309A9E-9BC7-4547-918A-224B6233B25C@mitre.org> <90C41DD21FB7C64BB94121FBBC2E723453A754C5B1@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAGBSGjoajjjf+PaFE_byDxu-E4DOdhn+tPLCQVy-w1XZS878ZQ@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453A754C5B3@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAGBSGjr3RbxA-CyUqBunN67zAyddLxTLbOe6Bj10eGMSRc_NUA@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453A754C5B6@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723453A754C5B6@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.36]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B168042967394366358386TK5EX14MBXC285r_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: "wolter.eldering" <wolter.eldering@enovation.com.cn>
Subject: Re: [OAUTH-WG] Access Token Response without expires_in
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jan 2012 08:01:50 -0000
This doesn’t work for me, as it doesn’t mesh well with the case of the token containing the expiration time. For instance, both SAML and JWT tokens can contain expiration times. In this case, the expires_in time is unnecessary and the token may have no default expiration time and will expire even though not explicitly invoked. I would recommend no change to the current text, which is: expires_in OPTIONAL. The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated. -- Mike From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Eran Hammer Sent: Monday, January 16, 2012 11:20 PM To: Aaron Parecki; OAuth WG Cc: wolter.eldering Subject: Re: [OAUTH-WG] Access Token Response without expires_in WFM. From: Aaron Parecki [mailto:aaron@parecki.com]<mailto:[mailto:aaron@parecki.com]> Sent: Monday, January 16, 2012 11:08 PM To: OAuth WG Cc: Eran Hammer; Richer, Justin P.; wolter.eldering Subject: Re: [OAUTH-WG] Access Token Response without expires_in Actually now I'm having second thoughts about making expires_in RECOMMENDED. Here's another attempt at a clarification: expires_in OPTIONAL. The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated. If omitted, the authorization server SHOULD document the default expiration time or indicate that the token will not expire until explicitly revoked. -aaronpk On Mon, Jan 16, 2012 at 10:37 PM, Eran Hammer <eran@hueniverse.com<mailto:eran@hueniverse.com>> wrote: Hmm. This might become too much work at this stage… Happy for suggestions but I won’t pursue it on my own for now. EHL From: Aaron Parecki [mailto:aaron@parecki.com<mailto:aaron@parecki.com>] Sent: Monday, January 16, 2012 10:36 PM To: OAuth WG Cc: Richer, Justin P.; wolter.eldering; Eran Hammer Subject: Re: [OAUTH-WG] Access Token Response without expires_in That seems like a good idea, but then it should also be explicitly stated what to do if the server issues non-expiring tokens. aaronpk On Mon, Jan 16, 2012 at 10:29 PM, Eran Hammer <eran@hueniverse.com<mailto:eran@hueniverse.com>> wrote: How do you feel about changing expires_in from OPTIONAL to RECOMMENDED? EHL > -----Original Message----- > From: Richer, Justin P. [mailto:jricher@mitre.org<mailto:jricher@mitre.org>] > Sent: Monday, January 16, 2012 7:29 PM > To: Eran Hammer > Cc: OAuth WG; wolter.eldering > Subject: Re: [OAUTH-WG] Access Token Response without expires_in > > I think #3. > > #1 will be a common instance, and #2 (or its variant, a limited number of > uses) is a different expiration pattern than time that would want to have its > own expiration parameter name. I haven't seen enough concrete use of this > pattern to warrant its own extension though. > > Which is why I vote #3 - it's a configuration issue. Perhaps we should rather > say that the AS "SHOULD document the token behavior in the absence of this > parameter, which may include the token not expiring until explicitly revoked, > expiring after a set number of uses, or other expiration behavior." That's a lot > of words here though. > > -- Justin > > On Jan 16, 2012, at 1:53 PM, Eran Hammer wrote: > > > A question came up about the access token expiration when expires_in is > not included in the response. This should probably be made clearer in the > spec. The three options are: > > > > 1. Does not expire (but can be revoked) 2. Single use token 3. > > Defaults to whatever the authorization server decides and until > > revoked > > > > #3 is the assumed answer given the WG history. I'll note that in the spec, > but wanted to make sure this is the explicit WG consensus. > > > > EHL > > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org<mailto:OAuth@ietf.org> > > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] Access Token Response without expi… Aaron Parecki
- [OAUTH-WG] Access Token Response without expires_… Eran Hammer
- Re: [OAUTH-WG] Access Token Response without expi… Eran Hammer
- Re: [OAUTH-WG] Access Token Response without expi… Richer, Justin P.
- Re: [OAUTH-WG] Access Token Response without expi… Eran Hammer
- Re: [OAUTH-WG] Access Token Response without expi… Aaron Parecki
- Re: [OAUTH-WG] Access Token Response without expi… Eran Hammer
- Re: [OAUTH-WG] Access Token Response without expi… Eran Hammer
- Re: [OAUTH-WG] Access Token Response without expi… Mike Jones
- Re: [OAUTH-WG] Access Token Response without expi… Eran Hammer
- Re: [OAUTH-WG] Access Token Response without expi… Mike Jones
- Re: [OAUTH-WG] Access Token Response without expi… John Bradley
- Re: [OAUTH-WG] Access Token Response without expi… Paul Madsen
- Re: [OAUTH-WG] Access Token Response without expi… Richer, Justin P.
- Re: [OAUTH-WG] Access Token Response without expi… Richer, Justin P.
- Re: [OAUTH-WG] Access Token Response without expi… Paul Madsen
- Re: [OAUTH-WG] Access Token Response without expi… William Mills
- Re: [OAUTH-WG] Access Token Response without expi… William Mills
- Re: [OAUTH-WG] Access Token Response without expi… Richer, Justin P.
- Re: [OAUTH-WG] Access Token Response without expi… Torsten Lodderstedt
- Re: [OAUTH-WG] Access Token Response without expi… Paul Madsen
- Re: [OAUTH-WG] Access Token Response without expi… Paul Madsen
- Re: [OAUTH-WG] Access Token Response without expi… Richer, Justin P.
- Re: [OAUTH-WG] Access Token Response without expi… William Mills
- Re: [OAUTH-WG] Access Token Response without expi… Torsten Lodderstedt
- Re: [OAUTH-WG] Access Token Response without expi… Paul Madsen
- Re: [OAUTH-WG] Access Token Response without expi… Justin Richer