Re: [OAUTH-WG] Another question on RFC 7009
Thomas Broyer <t.broyer@gmail.com> Fri, 31 January 2014 18:19 UTC
Return-Path: <t.broyer@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B0F11A042F; Fri, 31 Jan 2014 10:19:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eO169z9PhpFv; Fri, 31 Jan 2014 10:19:44 -0800 (PST)
Received: from mail-lb0-x22b.google.com (mail-lb0-x22b.google.com [IPv6:2a00:1450:4010:c04::22b]) by ietfa.amsl.com (Postfix) with ESMTP id AA6391A046F; Fri, 31 Jan 2014 10:19:43 -0800 (PST)
Received: by mail-lb0-f171.google.com with SMTP id c11so3779754lbj.30 for <multiple recipients>; Fri, 31 Jan 2014 10:19:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=5gmK+6pAiGkobqi1mVUkHHiQ2xjAF4ElCAlLPD9dtSU=; b=VcXM+pbZTGsRUHCOvjmjzAVseD/KvkYiPS1aMAkuHxVyvP3/FbvQSfKnb2+PhswEY9 mmsWTlnxE97UqFwVQb5EorlmgNJdLSpORshjYiHtVRMGql8kBvhhEcmMRe9iuYc/Kor+ T7Tl8LMw8mbg7uUEXrZtN1fRzxN/2IuTq2sdt2pAikG8uhSbMhJtg4DyHex1LJyVV9Cy phxlyXtqPaa/z3RC/aB9tQAmYDqTWF+ABkOL+zjijLj3RKJvpZEq1ubgMUxo0736xp4V HA1kpS1wcij0npD9kNc/JZKMU6zUmWsLs9a06mBe5D7XzF7xiUXFBnEMIHuLwz9udCFg B4TA==
MIME-Version: 1.0
X-Received: by 10.152.19.200 with SMTP id h8mr50060lae.83.1391192379275; Fri, 31 Jan 2014 10:19:39 -0800 (PST)
Received: by 10.152.111.131 with HTTP; Fri, 31 Jan 2014 10:19:39 -0800 (PST)
Received: by 10.152.111.131 with HTTP; Fri, 31 Jan 2014 10:19:39 -0800 (PST)
In-Reply-To: <OFDA940505.5D93BC11-ON85257C71.005DCB58-85257C71.005DF5C2@us.ibm.com>
References: <CA+k3eCSNX43gFYUA8jGgFZ4Ri6nWQ=+R6Ru2j+v04r_2pZdQhA@mail.gmail.com> <OFDA940505.5D93BC11-ON85257C71.005DCB58-85257C71.005DF5C2@us.ibm.com>
Date: Fri, 31 Jan 2014 19:19:39 +0100
Message-ID: <CAEayHEPYp7YxYr77nLTqkR4Xh1eg9sjMkGczcHEBnqG6U5VboA@mail.gmail.com>
From: Thomas Broyer <t.broyer@gmail.com>
To: Todd W Lainhart <lainhart@us.ibm.com>
Content-Type: multipart/alternative; boundary="089e0149410a94beaa04f1483728"
Cc: "<oauth@ietf.org>" <oauth@ietf.org>, OAuth <oauth-bounces@ietf.org>
Subject: Re: [OAUTH-WG] Another question on RFC 7009
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jan 2014 18:19:46 -0000
FWIW, we return unauthorized_client. Le 31 janv. 2014 18:06, "Todd W Lainhart" <lainhart@us.ibm.com> a écrit : > > ...what's the intended way that the "request is refused and the client > is informed of the error" when the the token was not issued to the client > making the revocation request? > > We return an error_code of "invalid_request" and an appropriate error > message. > > > > > > > > * Todd Lainhart Rational software IBM Corporation 550 King Street, > Littleton, MA 01460-1250* > > > * 1-978-899-4705 <1-978-899-4705> 2-276-4705 (T/L) lainhart@us.ibm.com > <lainhart@us.ibm.com>* > > > > > From: Brian Campbell <bcampbell@pingidentity.com> > To: oauth <oauth@ietf.org>, > Date: 01/31/2014 11:58 AM > Subject: [OAUTH-WG] Another question on RFC 7009 > Sent by: "OAuth" <oauth-bounces@ietf.org> > ------------------------------ > > > > Greetings WG, > > In section 2.1 of RFC 7009, it says: > > "The authorization server first validates the client credentials (in > case of a confidential client) and then verifies whether the token > was issued to the client making the revocation request. If this > validation fails, the request is refused and the client is informed > of the error by the authorization server as described below." > > The only error described below is "unsupported_token_type" which doesn't > seem appropriate here. The errors in > *http://tools.ietf.org/html/rfc6749#section-5.2*<http://tools.ietf.org/html/rfc6749#section-5.2>are referenced too and, while "invalid_client" seems right for failed > client authentication, what's the intended way that the "request is refused > and the client is informed of the error" when the the token was not issued > to the client making the revocation request? None of the defined error > codes seem to fit. > > Furthermore, wouldn't it be better to go ahead and just revoke a token in > the case it's presented by the wrong client? I seem to recall some > discussion around this when 7009 was just a baby > draft-ietf-oauth-revocation and, while I don't recall the outcome, I was > surprised to look at the RFC again and see the text that is there. > > These questions came to me by way of a developer working on implementing > the RFC. I didn't have good answers, beyond the prognostication herein, so > I thought I'd take the questions to the WG list and the document authors. > > Thanks for any clarification, > Brian > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] Another question on RFC 7009 Brian Campbell
- Re: [OAUTH-WG] Another question on RFC 7009 Todd W Lainhart
- Re: [OAUTH-WG] Another question on RFC 7009 Thomas Broyer
- Re: [OAUTH-WG] Another question on RFC 7009 Brian Campbell
- Re: [OAUTH-WG] Another question on RFC 7009 George Fletcher
- Re: [OAUTH-WG] Another question on RFC 7009 Brian Campbell