IETF Logo Mail Archive

Re: [OAUTH-WG] A question on token revocation.

Prabath Siriwardena <prabath@wso2.com> Wed, 06 February 2013 18:32 UTC

Return-Path: <prabath@wso2.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49E7A21F8715 for <oauth@ietfa.amsl.com>; Wed, 6 Feb 2013 10:32:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.649
X-Spam-Level:
X-Spam-Status: No, score=-2.649 tagged_above=-999 required=5 tests=[AWL=0.327, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WWrupykWlaWR for <oauth@ietfa.amsl.com>; Wed, 6 Feb 2013 10:32:30 -0800 (PST)
Received: from mail-ea0-f169.google.com (mail-ea0-f169.google.com [209.85.215.169]) by ietfa.amsl.com (Postfix) with ESMTP id 122F021F8548 for <oauth@ietf.org>; Wed, 6 Feb 2013 10:32:29 -0800 (PST)
Received: by mail-ea0-f169.google.com with SMTP id d13so799586eaa.28 for <oauth@ietf.org>; Wed, 06 Feb 2013 10:32:29 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type:x-gm-message-state; bh=JaegM0qbecKvBClI7o/Rti64268RzLgAmda5WwRDVF4=; b=LRt1Wgip7DF8iNZEok4iShnFEWxCzZKVu96o/XC/+1rxvXsCoN3Tq+/ueRcJCqrAZZ 9WI5tGL8XyaiaCZntXPax80g3bCF3FyH4KAbRIBIuy1iZLHvm3puG1P4rbVi16IN7/g9 k/5f65M5ZHarYlFuP3dljTaEOHqEeNXIiJDf8FYThFbFPfwTHzqVZNZAKtpBl+59+Hzs gcuA75qLlreYxoPLkBqJWYxnZ+fPzzOhunr0+8HKUIqMUXYHZdGp0o5d/9QWL705jhYP B3a+jQDZ4IpEOQ1guAsTPfoNc06lPipgELM2xL5TQMbHivcuKOFCCL3Hu1hzoAbshwHQ 8stQ==
MIME-Version: 1.0
X-Received: by 10.14.178.196 with SMTP id f44mr99792474eem.14.1360175548693; Wed, 06 Feb 2013 10:32:28 -0800 (PST)
Received: by 10.223.175.134 with HTTP; Wed, 6 Feb 2013 10:32:28 -0800 (PST)
In-Reply-To: <611639B1-8B4B-4010-A1DF-A0A8057F3EA8@lodderstedt.net>
References: <CAJV9qO8UgLV6SdegZSk4KT3Qyb-M2KmPFPV9xDht_WjibeUWrg@mail.gmail.com> <51126D65.2090707@mitre.org> <CAJV9qO-ZNVcbzNvb---CmXv+vo0jZHKQaDon8OqrPJCfAXKTRQ@mail.gmail.com> <5112746B.70403@mitre.org> <CAJV9qO-mz=K_fJHO8g8XH8DtUxFPvN8hRF7K=gn0etAAqeb0zg@mail.gmail.com> <OF8CC0704A.7E320CB4-ON85257B0A.0055661B-85257B0A.00558648@us.ibm.com> <CAJV9qO-fM6JgHRzKOzJi00AcsnZCqO-i-YCM_uoRuB=HqWDg7A@mail.gmail.com> <611639B1-8B4B-4010-A1DF-A0A8057F3EA8@lodderstedt.net>
Date: Thu, 07 Feb 2013 00:02:28 +0530
Message-ID: <CAJV9qO8oW=5nTVH2YpotL0ZUfJaX31GHJoZXeFyntkdnKHhGRw@mail.gmail.com>
From: Prabath Siriwardena <prabath@wso2.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Content-Type: multipart/alternative; boundary="047d7b622520697dcb04d5128c89"
X-Gm-Message-State: ALoCoQle1IVPaCqPQaNe1CkFzB4j2s6+wAwuExwc7O4Jc5ZQXOidGkD2KH0r2lyd/oe3gGJKghuE
Cc: "oauth-bounces@ietf.org" <oauth-bounces@ietf.org>, "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A question on token revocation.
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Feb 2013 18:32:32 -0000

Hi Torsten,

Thanks for your feedback.. I will submit a draft...

Thanks & regards,
-Prabath

On Wed, Feb 6, 2013 at 11:55 PM, Torsten Lodderstedt <
torsten@lodderstedt.net> wrote:

> Hi Prabath,
>
> we tried to address both use cases in the first revisions of the draft.
> The API was well suited for client-driven revocation but not the resource
> owner - driven use case. There are definitely differences with respect to
> the protocol design, at least regarding authentication and authorization
> of the respective actors. This made the spec more complex and caused
> ambiguities and confusion. Moreover, the working group seemed not convinced
> by the the latter use case.
>
> Therefore the working group decided to focus on the single use cases of
> the revocation by clients. This makes a lot of sense since this interface
> is most important with respect to interoperability.
>
> I'm focusing right now on finishing this draft. And the open issues
> discussed on the list in the last couple of weeks illustrate that even this
> poses a considerable amount of work. So I'm very reluctant to add support
> for a whole new use case at that point of the process.
>
> If you feel this is an important use case worth an RFC, don't hesitate to
> publish a new I-D.
>
> regards,
> Torsten.
>
> Am 06.02.2013 um 16:37 schrieb Prabath Siriwardena <prabath@wso2.com>:
>
>
>
> On Wed, Feb 6, 2013 at 9:04 PM, Todd W Lainhart <lainhart@us.ibm.com>wrote:
>
>> > Resource owner needs to know the consumer key (represents the OAuth
>> Client app) & scope to revoke the access token for a given client.
>>
>> I see - you're saying that requiring client credentials on the end point
>> is the problem?
>>
>
> In fact what I meant was - when RO authorizes the an access token for
> client for particular scope. Those information are kept at the AS.
>
> Now - if the RO want to revoke access from the client - the RO needs to
> authenticate him self to the AS and pass the consumer key and the scope. So
> AS can revoke access.
>
> Thanks & regards,
> -Prabath
>
>
>>
>>  *
>>
>>
>> Todd Lainhart
>> Rational software
>> IBM Corporation
>> 550 King Street, Littleton, MA 01460-1250**
>> 1-978-899-4705
>> 2-276-4705 (T/L)
>> lainhart@us.ibm.com*
>>
>>
>>
>>
>> From:        Prabath Siriwardena <prabath@wso2.com>
>> To:        Justin Richer <jricher@mitre.org>,
>> Cc:        "oauth@ietf.org WG" <oauth@ietf.org>
>> Date:        02/06/2013 10:31 AM
>> Subject:        Re: [OAUTH-WG] A question on token revocation.
>> Sent by:        oauth-bounces@ietf.org
>> ------------------------------
>>
>>
>>
>>
>>
>> On Wed, Feb 6, 2013 at 8:49 PM, Justin Richer <*jricher@mitre.org*<jricher@mitre.org>>
>> wrote:
>>
>> On 02/06/2013 10:13 AM, Prabath Siriwardena wrote:
>>
>>
>> On Wed, Feb 6, 2013 at 8:19 PM, Justin Richer <*jricher@mitre.org*<jricher@mitre.org>>
>> wrote:
>> These are generally handled through a user interface where the RO is
>> authenticated directly to the AS, and there's not much need for a
>> "protocol" here, in practice.
>>
>> Why do you think leaving access token revocation by RO to a proprietary
>> API is a good practice ? IMO this an essential requirement in API security.
>> I think it makes more sense in the same way that having a "proprietary"
>> UI/API for managing the user consent makes sense: unless you're doing a
>> fully dynamic end-to-end system like UMA, then there's not much value in
>> trying to squeeze disparate systems into the same mold, since they won't be
>> talking to each other anyway.
>>
>> This is required in distributed setup for each API platform from
>> different vendors to perform in an interop manner.
>>
>>
>> And since you refer to it as an "API", what will the RO be using to call
>> this API? Is there a token management client that's separate from the OAuth
>> client?
>>
>> I didn't get your question right... If you meant the how to invoke
>> revocation end point, the the resource owner needs to know the consumer key
>> (represents the OAuth Client app) & scope to revoke the access token for a
>> given client.
>>
>>
>>
>> IMHO token revocation done my RO is more practical than token revocation
>> done by the Client.
>> They're both valid but require different kinds of protocols and
>> considerations. This token revocation draft is meant to solve one problem,
>> and that doesn't mean it can or should solve other seemingly related
>> problems.
>>
>> If you would like to see the RO-initiated token revocation go through
>> (not grant revocation, mind you -- that's related, but different), then I
>> would suggest that you start specifying exactly how that works. I predict
>> it will be problematic in practice, though, as the RO often doesn't
>> actually have direct access to the token itself.
>>
>> Resource owner needs to know the consumer key (represents the OAuth
>> Client app) & scope to revoke the access token for a given client.
>>
>>
>>
>>
>> There are larger applications, like UMA, that have client and PR
>> provisioning that would allow for this to be managed somewhat
>> programmatically, but even in that case you're still generally doing token
>> revocation by a "client" in some fashion. In UMA, though, several different
>> pieces can play the role of a "client" at different parts of the process.
>>
>> Revoking a scope is a whole different mess. Generally, you'd want to just
>> revoke an existing token and make a new authorization grant with lower
>> access if you don't want that client getting that scope anymore. If you
>> just want to downscope for a single transaction, you can already do that
>> with either the refresh token or token chaining approaches, depending on
>> where in the process you are. The latter of these are both client-focused,
>> though, and the RO doesn't have a direct hand in it at this point.
>>
>> Why do you think it a mess. If you revoke the entire token then Client
>> needs to go through the complete OAuth flow - and also needs to get the
>> user consent. If RO can  downgrade the scope, then we restrict API access
>> by the client at RS end and its transparent to the client.
>>
>>
>> Downgrading the scope of tokens in the wild is hardly transparent to the
>> client (stuff that it expects to work will suddenly start to fail, meaning
>> that most clients will throw out the token and try to get a new one), and
>> in a distributed system you've got to propagate that change to the RS. If
>> you bake the scopes into the token itself (which many do) then you actually
>> *can't* downgrade a single token, anyway.
>>
>> Yes.. that is the expected behavior. I mean the process is transparent.
>> Client will notice at runtime.
>>
>> Thanks & regards,
>> -Prabath
>>
>>
>>  -- Justin
>>
>>
>> Thanks & regards,
>> -Prabath
>>
>>
>>
>>  -- Justin
>>
>>
>> On 02/06/2013 04:35 AM, Prabath Siriwardena wrote:
>> I am sorry if this was already discussed in this list..
>>
>> Looking at [1] it only talks about revoking the access token from the
>> client.
>>
>> How about the resource owner..?
>>
>> There can be cases where resource owner needs to revoke an authorized
>> access token from a given client. Or revoke an scope..
>>
>> How are we going to address these requirements..? Thoughts appreciated...
>>
>> [1] *http://tools.ietf.org/html/draft-ietf-oauth-revocation-04*<http://tools.ietf.org/html/draft-ietf-oauth-revocation-04>
>>
>> --
>> Thanks & Regards,
>> Prabath
>>
>> Mobile : *+94 71 809 6732* <%2B94%2071%20809%206732>
>> *
>> **http://blog.facilelogin.com* <http://blog.facilelogin.com/>*
>> **http://RampartFAQ.com* <http://rampartfaq.com/>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> *OAuth@ietf.org* <OAuth@ietf.org>
>> *https://www.ietf.org/mailman/listinfo/oauth*<https://www.ietf.org/mailman/listinfo/oauth>
>>
>>
>>
>>
>>
>> --
>> Thanks & Regards,
>> Prabath
>>
>> Mobile : *+94 71 809 6732* <%2B94%2071%20809%206732>
>> *
>> **http://blog.facilelogin.com* <http://blog.facilelogin.com/>*
>> **http://RampartFAQ.com* <http://rampartfaq.com/>
>>
>>
>>
>>
>> --
>> Thanks & Regards,
>> Prabath
>>
>> Mobile : +94 71 809 6732
>> *
>> **http://blog.facilelogin.com* <http://blog.facilelogin.com/>*
>> *
>> *http://RampartFAQ.com* <http://rampartfaq.com/>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>
>
> --
> Thanks & Regards,
> Prabath
>
> Mobile : +94 71 809 6732
>
> http://blog.facilelogin.com
> http://RampartFAQ.com
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>


-- 
Thanks & Regards,
Prabath

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://RampartFAQ.com

v2.23.0 | Report a Bug | By Email