Re: [OAUTH-WG] Single transaction token

Declan Newman <declan.newman@semantico.com> Tue, 08 November 2011 22:36 UTC

From: Declan Newman <declan.newman@semantico.com>
Date: Tue, 08 Nov 2011 22:36:43 +0000
To: William Mills <wmills@yahoo-inc.com>
Cc: Will Simpson <will.simpson@semantico.com>, Geoffrey Bilder <gbilder@crossref.org>, oauth@ietf.org
Subject: Re: [OAUTH-WG] Single transaction token

Thanks very much for your thoughts.

With your comments in mind, our current thinking is that the initial request's scope will determine the access token's life.

If a 'write scope' is requested, a write-lock is placed on the corresponding record and the token is valid for one write operation (with a short expires_in), after which the write-lock is released and the token's expires timestamp is set to a time in the past, allowing the caller to use a refresh token to resume read-only operations using a newly created access token.

In this scenario, the "expires_in" value will be used to revoke the access token, rather than an explicit delete.

I'd be really interested in getting people's views on how this adheres to the current OAuth 2 specification.

Thanks again,

Dec


On 8 Nov 2011, at 15:35, William Mills wrote:

> The problem is that the token has no state about the transaction.  Is the transaction already determined when the token is issued?  If so then put the transaction data in the token and make it non-repeatable.
> 
> If this is an auth token for an arbitrary single action you have to put some form of replay protection on the protected resource, or you can immediately revoke the token after use against a revocation API and make sure the RP is checking for revoked tokens against the same API/endpoint.  You do have a race here, so you have to sort out what you'll make synchronous calls against for this.
> 
> Regards,
> 
> -bill
> 
> From: Declan Newman <declan.newman@semantico.com>
> To: oauth@ietf.org
> Cc: Will Simpson <will.simpson@semantico.com>; Geoffrey Bilder <gbilder@crossref.org>
> Sent: Tuesday, November 8, 2011 1:58 AM
> Subject: [OAUTH-WG] Single transaction token
> 
> Hello,
> 
> We're currently implementing an OAuth 2 provider for a client, who needs to have the facility to authenticate/authorise a client to update in a single transaction.
> 
> Is there a way to specify the validity of a token on a per-transaction basis, as opposed to a timeframe?
> 
> Any help much appreciated.
> 
> Regards,
> 
> Dec
> 
> ----------------------------------------------------------------------------
> Declan Newman, Development Team Leader,
> Semantico, Floor 1, 21-23 Dyke Road, Brighton BN1 3FE
> <mailto:Declan.Newman@semantico.com>
> <tel:+44-1273-358247>
> 
> 

----------------------------------------------------------------------------
Declan Newman, Development Team Leader,
Semantico, Floor 1, 21-23 Dyke Road, Brighton BN1 3FE
<mailto:Declan.Newman@semantico.com>
<tel:+44-1273-358247>
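As an added illustration, not code from Semantico's implementation or anything posted in the thread, here is a constructed in-memory token store that follows the scheme Declan describes and the replay/race concern Bill raises: a write-scoped access token is spent by exactly one write, with the check and the expiry done in a single critical section so a replayed token loses the race, the write-lock is then released, the token's expiry is moved into the past, and the refresh token only ever yields a read-only access token. All class and method names (TokenStore, issue, consume_write, refresh_read_only) are assumptions.

```python
import secrets
import threading
import time

class TokenStore:
    def __init__(self, write_ttl=30, read_ttl=3600):
        self.lock = threading.Lock()   # one critical section for check-and-expire
        self.access, self.refresh = {}, {}   # token -> details / refresh -> record
        self.write_locks = {}          # record -> access token holding the lock
        self.write_ttl, self.read_ttl = write_ttl, read_ttl

    def issue(self, record, scope):
        """Issue an access/refresh pair; write scope takes the record's write-lock."""
        with self.lock:
            now, scope = time.time(), set(scope)
            if "write" in scope:
                holder = self.write_locks.get(record)
                if holder and now < self.access[holder]["expires"]:
                    raise PermissionError("record already write-locked")
            ttl = self.write_ttl if "write" in scope else self.read_ttl   # short expires_in for writes
            at, rt = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
            self.access[at] = {"record": record, "scope": scope, "expires": now + ttl}
            self.refresh[rt] = record
            if "write" in scope:
                self.write_locks[record] = at
            return at, rt

    def _valid(self, at, record, now):
        tok = self.access.get(at)
        return tok if tok and tok["record"] == record and now < tok["expires"] else None

    def read(self, at, record):
        with self.lock:
            return self._valid(at, record, time.time()) is not None

    def consume_write(self, at, record):
        """The one permitted write: check and expire atomically so a replay fails."""
        with self.lock:
            now = time.time()
            tok = self._valid(at, record, now)
            if tok is None or "write" not in tok["scope"]:
                return False
            tok["expires"] = now - 1            # expiry in the past: token is spent
            self.write_locks.pop(record, None)  # release the write-lock
            return True

    def refresh_read_only(self, rt):
        with self.lock:                          # refresh never grants write again
            record = self.refresh.get(rt)
        return None if record is None else self.issue(record, {"read"})[0]
```

If a write token expires unused, the next write-scoped issue for that record reclaims the stale lock, so an abandoned transaction does not block the record forever.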