Re: [OAUTH-WG] draft-ietf-oauth-revocation
George Fletcher <gffletch@aol.com> Tue, 05 February 2013 21:35 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E8AD21F88ED for <oauth@ietfa.amsl.com>; Tue, 5 Feb 2013 13:35:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.793
X-Spam-Level:
X-Spam-Status: No, score=-1.793 tagged_above=-999 required=5 tests=[AWL=0.805, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2UBTuvcf9iPp for <oauth@ietfa.amsl.com>; Tue, 5 Feb 2013 13:35:12 -0800 (PST)
Received: from imr-ma05.mx.aol.com (imr-ma05.mx.aol.com [64.12.100.31]) by ietfa.amsl.com (Postfix) with ESMTP id 266CB21F88EA for <oauth@ietf.org>; Tue, 5 Feb 2013 13:35:12 -0800 (PST)
Received: from mtaout-mb02.r1000.mx.aol.com (mtaout-mb02.r1000.mx.aol.com [172.29.41.66]) by imr-ma05.mx.aol.com (Outbound Mail Relay) with ESMTP id 860F21C00025A; Tue, 5 Feb 2013 16:35:11 -0500 (EST)
Received: from palantir.local (unknown [10.181.176.202]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-mb02.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 174D4E0000A6; Tue, 5 Feb 2013 16:35:11 -0500 (EST)
Message-ID: <51117B0D.7040703@aol.com>
Date: Tue, 05 Feb 2013 16:35:09 -0500
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: Torsten Lodderstedt <torsten@lodderstedt.net>
References: <510E5FB5.10803@lodderstedt.net> <B33BFB58CCC8BE4998958016839DE27E06886427@IMCMBX01.MITRE.ORG> <511020D3.1090201@aol.com> <B33BFB58CCC8BE4998958016839DE27E068865E3@IMCMBX01.MITRE.ORG> <OF2060C435.DEAE300A-ON85257B09.005BEF8B-85257B09.005C2559@us.ibm.com> <2DC4D4CA-C65F-4B7D-96E3-A811B303B15A@lodderstedt.net> <51116239.7030104@mitre.org> <D67A78CC-31FB-4E5E-A9C0-BD8951742E90@lodderstedt.net>
In-Reply-To: <D67A78CC-31FB-4E5E-A9C0-BD8951742E90@lodderstedt.net>
Content-Type: multipart/alternative; boundary="------------010906020003020401020400"
x-aol-global-disposition: G
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20121107; t=1360100111; bh=G5cOypxdofvhGJ4sya/EY6km0559T73NPytfGGzdux8=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=qwFVsoy+qD7U3wWL/acSgWqmKWM0+N080wfrcR7zC4bbgXW+1CGNOFmIjWXEWvKIq 6dXwzNl05MuVfcBCHcgIp3iUDNClzunesKqgkxEDE2ttyK+lnwTHw2hNlnBdLrHOnz nJ0TD3h1HRoKbMHXiXPTlRp3jb5DuW0ECSGgyihE=
X-AOL-SCOLL-SCORE: 0:2:483424256:93952408
X-AOL-SCOLL-URL_COUNT: 0
x-aol-sid: 3039ac1d294251117b0d789a
X-AOL-IP: 10.181.176.202
Cc: "oauth-bounces@ietf.org" <oauth-bounces@ietf.org>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-revocation
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Feb 2013 21:35:13 -0000
I'm fine with this solution as well. --George On 2/5/13 3:45 PM, Torsten Lodderstedt wrote: > I know, that's why I asked. I think this is the simplest way to deal > with this type of error. I therefore prefer it. > > Am 05.02.2013 um 20:49 schrieb Justin Richer <jricher@mitre.org > <mailto:jricher@mitre.org>>: > >> You know, that works as well. From the client's perspective, the >> token isn't good anymore. The client shouldn't care if the token was >> good in the first place if it's revoking it. >> >> -- Justin >> >> >> On 02/05/2013 02:41 PM, Torsten Lodderstedt wrote: >>> Why not adopting Bill's suggestion and just return HTTP status code >>> 200 for (already) invalid tokens? >>> >>> regards, >>> Torsten. >>> >>> Am 05.02.2013 um 17:46 schrieb Todd W Lainhart <lainhart@us.ibm.com >>> <mailto:lainhart@us.ibm.com>>: >>> >>>> > Could it do something with invalid_parameter that it couldn't do >>>> with invalid_token_parameter (among others), or vice versa? >>>> >>>> I'm not imagining a client doing anything programmatically useful >>>> with the distinction. >>>> >>>> * >>>> >>>> >>>> Todd Lainhart >>>> Rational software >>>> IBM Corporation >>>> 550 King Street, Littleton, MA 01460-1250** >>>> 1-978-899-4705 >>>> 2-276-4705 (T/L) >>>> lainhart@us.ibm.com <mailto:lainhart@us.ibm.com>* >>>> >>>> >>>> >>>> >>>> >>>> >>>> From: "Richer, Justin P." <jricher@mitre.org >>>> <mailto:jricher@mitre.org>> >>>> To: George Fletcher <gffletch@aol.com <mailto:gffletch@aol.com>>, >>>> Cc: OAuth WG <oauth@ietf.org <mailto:oauth@ietf.org>> >>>> Date: 02/04/2013 04:10 PM >>>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-revocation >>>> Sent by: oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org> >>>> ------------------------------------------------------------------------ >>>> >>>> >>>> >>>> >>>> On Feb 4, 2013, at 3:57 PM, George Fletcher <gffletch@aol.com >>>> <mailto:gffletch@aol.com>> >>>> wrote: >>>> >>>> > >>>> > On 2/4/13 3:41 PM, Richer, Justin P. wrote: >>>> >> On Feb 3, 2013, at 8:01 AM, Torsten Lodderstedt >>>> <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote: >>>> >> >>>> >> >>>> >>> - invalid_token error code: I propose to use the new error code >>>> "invalid_parameter" (as suggested by Peter and George). I don't see >>>> the need to register it (see >>>> http://www.ietf.org/mail-archive/web/oauth/current/msg10604.html) >>>> but would like to get your advice. >>>> >> something more like "invalid_token_parameter" would maybe make >>>> sense, since it's not just *any* parameter, it's the special >>>> "token" parameter that we're talking about, but it's distinct from >>>> the invalid_token response. The introspection endpoint uses the >>>> same pattern of a token= parameter, but since the whole point of >>>> the introspection endpoint is determining token validity it doesn't >>>> actually throw an error here. >>>> >> >>>> >> I agree that it doesn't need to be registered (since it's on a >>>> different endpoint). >>>> > For what it's worth my thinking was that if we have an >>>> 'invalid_parameter' error, then the description can define which >>>> parameter is invalid. I don't think we should create a bunch of >>>> specific error values that are endpoint specific and could overlap >>>> which is where the whole error return value started. >>>> > >>>> >>>> Hm, I see what you're saying, but the error response is already >>>> endpoint specific. Though there is value in not having conflicting >>>> and/or confusing responses from different endpoints that use the >>>> same error code for different things. >>>> >>>> What it really comes down to is: what can the client do with this >>>> error? Could it do something with invalid_parameter that it >>>> couldn't do with invalid_token_parameter (among others), or vice >>>> versa? As I'm writing this out, I'm not convinced that it could, >>>> really, so this may be a bike shedding argument. >>>> >>>> -- Justin >>>> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>> https://www.ietf.org/mailman/listinfo/oauth >> > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] draft-ietf-oauth-revocation Torsten Lodderstedt
- Re: [OAUTH-WG] draft-ietf-oauth-revocation Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-oauth-revocation Torsten Lodderstedt
- Re: [OAUTH-WG] draft-ietf-oauth-revocation William Mills
- Re: [OAUTH-WG] draft-ietf-oauth-revocation Sergey Beryozkin
- Re: [OAUTH-WG] draft-ietf-oauth-revocation Anthony Nadalin
- Re: [OAUTH-WG] draft-ietf-oauth-revocation Richer, Justin P.
- Re: [OAUTH-WG] draft-ietf-oauth-revocation George Fletcher
- Re: [OAUTH-WG] draft-ietf-oauth-revocation Richer, Justin P.
- Re: [OAUTH-WG] draft-ietf-oauth-revocation Todd W Lainhart
- Re: [OAUTH-WG] draft-ietf-oauth-revocation Todd W Lainhart
- Re: [OAUTH-WG] draft-ietf-oauth-revocation Torsten Lodderstedt
- Re: [OAUTH-WG] draft-ietf-oauth-revocation Justin Richer
- Re: [OAUTH-WG] draft-ietf-oauth-revocation Torsten Lodderstedt
- Re: [OAUTH-WG] draft-ietf-oauth-revocation George Fletcher
- Re: [OAUTH-WG] draft-ietf-oauth-revocation Todd W Lainhart