Re: [OAUTH-WG] Token expiration
Chris Messina <chris.messina@gmail.com> Tue, 22 September 2009 05:34 UTC
Return-Path: <chris.messina@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 089973A68F4 for <oauth@core3.amsl.com>; Mon, 21 Sep 2009 22:34:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O4F25VZLMC8l for <oauth@core3.amsl.com>; Mon, 21 Sep 2009 22:34:27 -0700 (PDT)
Received: from mail-vw0-f196.google.com (mail-vw0-f196.google.com [209.85.212.196]) by core3.amsl.com (Postfix) with ESMTP id 0D7183A6831 for <oauth@ietf.org>; Mon, 21 Sep 2009 22:34:26 -0700 (PDT)
Received: by vws34 with SMTP id 34so2452933vws.32 for <oauth@ietf.org>; Mon, 21 Sep 2009 22:35:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=Nga9nIfAiylHpZ3lzsb6fwPrezorMcXiWXicjNl6q04=; b=Pfj7r5VdlYi1uHRzAkEZh7QrrFRjyynO8so4/ZE+P4IxqMXqHSR/AXFQ7wnpDD8kIu 1KOFuztTGuZDZV4xr6Mftd8DYOrnSCB6dc+k2q/+Z8DUB3GCWvVCvrHPR+H15A+LaXtq WjveQ9j+RM38sg/C0tKstEJlsYU3yvK0o9gNk=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=dlwCH01rZ4TSV7cNh0uqePHAhzBRqGVdNMI6rZkMsqe5XCrWHS3I2KUgaHGe9bONk2 Ov7IQKFUJ4TKZEUzGuFOqBEyhYZSaRXfOLhgfXKhNbyTNcNjOgavX20OYZlkjsIrOCa4 9buPqyjFS4wNUWToY36r0PWRoznwXrPaUq1rc=
MIME-Version: 1.0
Received: by 10.220.108.163 with SMTP id f35mr793719vcp.86.1253597724702; Mon, 21 Sep 2009 22:35:24 -0700 (PDT)
In-Reply-To: <adb0b2880909211623v21563aaai6603aa4de74589c@mail.gmail.com>
References: <90C41DD21FB7C64BB94121FBBC2E72343784D584A3@P3PW5EX1MB01.EX1.SECURESERVER.NET> <6c0fd2bc0909211441o3eacc564t2917cf5b94f99800@mail.gmail.com> <1bc4603e0909211522h2f659866v48ff9dcee9294b7a@mail.gmail.com> <6c0fd2bc0909211534s1f2b79c6m7577dee31accf9c7@mail.gmail.com> <adb0b2880909211547sd75fddfjdb2e9d31d2e825d4@mail.gmail.com> <6c0fd2bc0909211600n541ef6d8g402c8596062e14f8@mail.gmail.com> <adb0b2880909211623v21563aaai6603aa4de74589c@mail.gmail.com>
Date: Mon, 21 Sep 2009 22:35:24 -0700
Message-ID: <1bc4603e0909212235n29b65ef3s8144c31ee293b1b2@mail.gmail.com>
From: Chris Messina <chris.messina@gmail.com>
To: Jonathan Sergent <sergent@google.com>
Content-Type: multipart/alternative; boundary="00c09f8de08f127b5e047423f76a"
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Token expiration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2009 05:34:29 -0000
It'd be great if we could document all these techniques on the wiki: http://wiki.oauth.net Mailing lists is where good research like this goes to die! Chris On Mon, Sep 21, 2009 at 4:23 PM, Jonathan Sergent <sergent@google.com>wrote: > I meant n seconds from when the response was sent by the server. > > On Mon, Sep 21, 2009 at 4:00 PM, Hubert Le Van Gong <hubertlvg@gmail.com> > wrote: > > In theory I'd agree with you but... > > (1) there are ways of achieving reasonable clock sync nowadays > > (2) usually the validity period is long enough that the clocks are > > considered roughly in sync. > > (3) the n seconds means I can keep the token for a very long period > > of time and present it? Unless you meant seconds starting from > > the sender's clock, in which case we're back to the same issue. > > > > If the token is for a sensitive resource, one can still impose a one time > use... > > > > My 2 cents, > > Hubert > > > > > > On Tue, Sep 22, 2009 at 12:47 AM, Jonathan Sergent <sergent@google.com> > wrote: > >> IMO, it's problematic that this relies on clock synchronization > >> between the sender and the receiver to work. This is a constant > >> source of problems in need of debugging for us today. Why not specify > >> times like this using intervals? "This token is valid for the next n > >> seconds." > >> > >> On Mon, Sep 21, 2009 at 3:34 PM, Hubert Le Van Gong < > hubertlvg@gmail.com> wrote: > >>> An interesting example (to me at least since we use it) is the SAML > token. > >>> You have the ability to define three dates: > >>> - IssueInstant: the time of issue of the token [required] > >>> - NotBefore: time before which the token's invalid [optional] > >>> - NotOnOrAfter: time after which the token becomes invalid [optional] > >>> > >>> All are dateTime (in UTC form). > >>> > >>> Thanks, > >>> Hubert > >>> > >>> > >>> On Tue, Sep 22, 2009 at 12:22 AM, Chris Messina < > chris.messina@gmail.com> wrote: > >>>> Seems like it'd be worth documenting existing approaches to this... > what do > >>>> other similar APIs do? > >>>> I know I harp on this approach to technology development, but that was > how > >>>> OAuth was developed (for better or worse): by looking at existing > practices, > >>>> extracting convention, and codifying ]ideally] best practices. > >>>> If this is common and working elsewhere, can't we just imitate it? > >>>> Chris > >>>> > >>>> On Mon, Sep 21, 2009 at 2:41 PM, Hubert Le Van Gong < > hubertlvg@gmail.com> > >>>> wrote: > >>>>> > >>>>> It is obviously useful to have. In fact it's so useful I'll bet most > >>>>> token format > >>>>> used do include one. Having it outside the token becomes redundant > then > >>>>> but > >>>>> maybe it's not that bad. > >>>>> > >>>>> BTW why not using dateTime ( > http://www.w3.org/TR/xmlschema-2/#dateTime)? > >>>>> > >>>>> Cheers, > >>>>> Hubert > >>>>> > >>>>> > >>>>> On Mon, Sep 21, 2009 at 11:25 PM, Eran Hammer-Lahav < > eran@hueniverse.com> > >>>>> wrote: > >>>>> > Should the core spec support the ability to indicate the duration > of > >>>>> > token credentials? This would be an addition to the web delegation > draft [1] > >>>>> > in section 6 (Token Credentials) in the form of a new response > parameter, > >>>>> > something like: > >>>>> > > >>>>> > oauth_token_duration > >>>>> > The token duration specified in second from the time of the HTTP > >>>>> > response timestamp. > >>>>> > > >>>>> > This has been consistently at the top of missing core > funcationality. > >>>>> > > >>>>> > > >>>>> > EHL > >>>>> > > >>>>> > [1] http://tools.ietf.org/html/draft-ietf-oauth-web-delegation-01 > >>>>> > > >>>>> > _______________________________________________ > >>>>> > OAuth mailing list > >>>>> > OAuth@ietf.org > >>>>> > https://www.ietf.org/mailman/listinfo/oauth > >>>>> > > >>>>> _______________________________________________ > >>>>> OAuth mailing list > >>>>> OAuth@ietf.org > >>>>> https://www.ietf.org/mailman/listinfo/oauth > >>>> > >>>> > >>>> > >>>> -- > >>>> Chris Messina > >>>> Open Web Advocate > >>>> > >>>> Personal: http://factoryjoe.com > >>>> Follow me on Twitter: http://twitter.com/chrismessina > >>>> > >>>> Citizen Agency: http://citizenagency.com > >>>> Diso Project: http://diso-project.org > >>>> OpenID Foundation: http://openid.net > >>>> > >>>> This email is: [ ] shareable [X] ask first [ ] private > >>>> > >>> _______________________________________________ > >>> OAuth mailing list > >>> OAuth@ietf.org > >>> https://www.ietf.org/mailman/listinfo/oauth > >>> > >> > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- Chris Messina Open Web Advocate Personal: http://factoryjoe.com Follow me on Twitter: http://twitter.com/chrismessina Citizen Agency: http://citizenagency.com Diso Project: http://diso-project.org OpenID Foundation: http://openid.net This email is: [ ] shareable [X] ask first [ ] private
- [OAUTH-WG] Token expiration Eran Hammer-Lahav
- Re: [OAUTH-WG] Token expiration Hubert Le Van Gong
- Re: [OAUTH-WG] Token expiration Chris Messina
- Re: [OAUTH-WG] Token expiration Hubert Le Van Gong
- Re: [OAUTH-WG] Token expiration Jonathan Sergent
- Re: [OAUTH-WG] Token expiration Marcel Molina
- Re: [OAUTH-WG] Token expiration Hubert Le Van Gong
- Re: [OAUTH-WG] Token expiration Eran Hammer-Lahav
- Re: [OAUTH-WG] Token expiration Jonathan Sergent
- Re: [OAUTH-WG] Token expiration Chris Messina