IETF Logo Mail Archive

Re: [OAUTH-WG] Another question on RFC 7009

Thomas Broyer <t.broyer@gmail.com> Fri, 31 January 2014 18:19 UTC

Return-Path: <t.broyer@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B0F11A042F; Fri, 31 Jan 2014 10:19:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eO169z9PhpFv; Fri, 31 Jan 2014 10:19:44 -0800 (PST)
Received: from mail-lb0-x22b.google.com (mail-lb0-x22b.google.com [IPv6:2a00:1450:4010:c04::22b]) by ietfa.amsl.com (Postfix) with ESMTP id AA6391A046F; Fri, 31 Jan 2014 10:19:43 -0800 (PST)
Received: by mail-lb0-f171.google.com with SMTP id c11so3779754lbj.30 for <multiple recipients>; Fri, 31 Jan 2014 10:19:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=5gmK+6pAiGkobqi1mVUkHHiQ2xjAF4ElCAlLPD9dtSU=; b=VcXM+pbZTGsRUHCOvjmjzAVseD/KvkYiPS1aMAkuHxVyvP3/FbvQSfKnb2+PhswEY9 mmsWTlnxE97UqFwVQb5EorlmgNJdLSpORshjYiHtVRMGql8kBvhhEcmMRe9iuYc/Kor+ T7Tl8LMw8mbg7uUEXrZtN1fRzxN/2IuTq2sdt2pAikG8uhSbMhJtg4DyHex1LJyVV9Cy phxlyXtqPaa/z3RC/aB9tQAmYDqTWF+ABkOL+zjijLj3RKJvpZEq1ubgMUxo0736xp4V HA1kpS1wcij0npD9kNc/JZKMU6zUmWsLs9a06mBe5D7XzF7xiUXFBnEMIHuLwz9udCFg B4TA==
MIME-Version: 1.0
X-Received: by 10.152.19.200 with SMTP id h8mr50060lae.83.1391192379275; Fri, 31 Jan 2014 10:19:39 -0800 (PST)
Received: by 10.152.111.131 with HTTP; Fri, 31 Jan 2014 10:19:39 -0800 (PST)
Received: by 10.152.111.131 with HTTP; Fri, 31 Jan 2014 10:19:39 -0800 (PST)
In-Reply-To: <OFDA940505.5D93BC11-ON85257C71.005DCB58-85257C71.005DF5C2@us.ibm.com>
References: <CA+k3eCSNX43gFYUA8jGgFZ4Ri6nWQ=+R6Ru2j+v04r_2pZdQhA@mail.gmail.com> <OFDA940505.5D93BC11-ON85257C71.005DCB58-85257C71.005DF5C2@us.ibm.com>
Date: Fri, 31 Jan 2014 19:19:39 +0100
Message-ID: <CAEayHEPYp7YxYr77nLTqkR4Xh1eg9sjMkGczcHEBnqG6U5VboA@mail.gmail.com>
From: Thomas Broyer <t.broyer@gmail.com>
To: Todd W Lainhart <lainhart@us.ibm.com>
Content-Type: multipart/alternative; boundary="089e0149410a94beaa04f1483728"
Cc: "<oauth@ietf.org>" <oauth@ietf.org>, OAuth <oauth-bounces@ietf.org>
Subject: Re: [OAUTH-WG] Another question on RFC 7009
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jan 2014 18:19:46 -0000

FWIW, we return unauthorized_client.
Le 31 janv. 2014 18:06, "Todd W Lainhart" <lainhart@us.ibm.com> a écrit :

> > ...what's the intended way that the "request is refused and the client
> is informed of the error" when the the token was not issued to the client
> making the revocation request?
>
> We return an error_code of "invalid_request" and an appropriate error
> message.
>
>
>
>
>
>
>
> * Todd Lainhart Rational software IBM Corporation 550 King Street,
> Littleton, MA 01460-1250*
>
>
> * 1-978-899-4705 <1-978-899-4705> 2-276-4705 (T/L) lainhart@us.ibm.com
> <lainhart@us.ibm.com>*
>
>
>
>
> From:        Brian Campbell <bcampbell@pingidentity.com>
> To:        oauth <oauth@ietf.org>,
> Date:        01/31/2014 11:58 AM
> Subject:        [OAUTH-WG] Another question on RFC 7009
> Sent by:        "OAuth" <oauth-bounces@ietf.org>
> ------------------------------
>
>
>
> Greetings WG,
>
> In section 2.1 of RFC 7009, it says:
>
>    "The authorization server first validates the client credentials (in
>    case of a confidential client) and then verifies whether the token
>    was issued to the client making the revocation request.  If this
>    validation fails, the request is refused and the client is informed
>    of the error by the authorization server as described below."
>
> The only error described below is "unsupported_token_type" which doesn't
> seem appropriate here. The errors in
> *http://tools.ietf.org/html/rfc6749#section-5.2*<http://tools.ietf.org/html/rfc6749#section-5.2>are referenced too and, while "invalid_client" seems right for failed
> client authentication, what's the intended way that the "request is refused
> and the client is informed of the error" when the the token was not issued
> to the client making the revocation request? None of the defined error
> codes seem to fit.
>
> Furthermore, wouldn't it be better to go ahead and just revoke a token in
> the case it's presented by the wrong client? I seem to recall some
> discussion around this when 7009 was just a baby
> draft-ietf-oauth-revocation and, while I don't recall the outcome, I was
> surprised to look at the RFC again and see the text that is there.
>
> These questions came to me by way of a developer working on implementing
> the RFC. I didn't have good answers, beyond the prognostication herein, so
> I thought I'd take the questions to the WG list and the document authors.
>
> Thanks for any clarification,
> Brian
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email