Re: [OAUTH-WG] [Technical Errata Reported] RFC7009 (6663)

Warren Parad <wparad@rhosys.ch> Thu, 02 September 2021 07:16 UTC

References: <20210822091434.93EFCF40723@rfc-editor.org> <80CE09CD-E462-4CB6-B4CC-EF4A7BE9F854@mit.edu> <CAEayHEP1Jg-WPo-4B5k5JVA_zDOL7m1tWq9q2yWSS_deRcP6Fw@mail.gmail.com> <CAFvbn=Zsh87pxNr_uXiOBOQ__ZJrqGPrkyOJbY5h1WLGzkemqA@mail.gmail.com> <CAJot-L0svK5tQ=ExTOYDybX-8zLC4omjKc6ggFcO8wUExA-5og@mail.gmail.com> <CAFvbn=ZC5Ufgh6gbEKd8ai91yc8Z2OJr3tx+u1GOx9qBy=znuA@mail.gmail.com>
In-Reply-To: <CAFvbn=ZC5Ufgh6gbEKd8ai91yc8Z2OJr3tx+u1GOx9qBy=znuA@mail.gmail.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Thu, 02 Sep 2021 09:16:26 +0200
Message-ID: <CAJot-L0S3OMOJox=oeRVAAZU3enF1_4HbYZup6kEZBbAYp4s2w@mail.gmail.com>
To: Ash Narayanan <ashvinnarayanan@gmail.com>
Cc: IETF oauth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5HSuk6InLWKQ-MsoAwGkLAtTxnA>
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC7009 (6663)

Great, then let's fix 6749 not this one. The client_id isn't necessary.

And then wouldn't 7009 not need to be changed because it already says you
don't need to pass any authorization for public clients?

For credentialled client issued grants, refresh tokens, and access tokens,
these must not be able to be revoked without client credentials, so using
the refresh token or access token only for all other client types must not
be supported.

On Thu, Sep 2, 2021, 08:52 Ash Narayanan <ashvinnarayanan@gmail.com> wrote:

> Hi Warren,
>
> If you are referring to the client_id as arbitrary information, then the
> same would also be true for refresh requests to the token endpoint from
> public clients.  As per 6749, you need to pass the client_id along with the
> refresh token. The client_id adds no additional security.
>
> But really, the whole point I've been trying to make from the start is
> that the token itself should be the only form of 'security' needed...as
> that's the point of OAuth.
>
> Regardless, 7009 needs to be made obsolete by a newer RFC.
>
> Ash
>
> On Thu, Sep 2, 2021 at 4:41 PM Warren Parad <wparad@rhosys.ch> wrote:
>
>> What's the point in passing arbitrary other information that is already
>> known by the AS and does not provide the level of security necessary to
>> prevent abuse of the revocation endpoint?
>>
>> On Thu, Sep 2, 2021, 01:12 Ash Narayanan <ashvinnarayanan@gmail.com>
>> wrote:
>>
>>> Hi Thomas,
>>>
>>> The approach you've suggested sounds good. Passing just the client_id
>>> along with the token and type (regardless of client type) would be
>>> consistent with how refresh_token requests are structured. As long as the
>>> new RFC obsoletes this one.
>>>
>>> Ash
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
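The rule Warren's reply argues for (a token issued to a credentialled client must not be revocable without that client's credentials, while a public client only identifies itself with client_id, and a token may only be revoked by the client it was issued to) is easiest to see as server-side decision logic. The following is an added example written for this page; it is not code from the thread, from RFC 7009 or RFC 6749, or from any project. It assumes an in-memory client registry and token store, HTTP Basic as the client authentication method, and it chooses `invalid_grant` as the error code for a token that belongs to another client; all of those are this example's assumptions.

```python
# Added example, not code from the thread or from any RFC or project it names.
# It models an authorization server's decision for one revocation request,
# applying the rules the thread discusses: confidential clients must
# authenticate, public clients send client_id, a token may only be revoked by
# the client it was issued to, and an unknown token is not an error.
# Clients, tokens, the auth method and the error-code choice are constructed
# for illustration.
from dataclasses import dataclass
import hmac
from typing import Optional


@dataclass(frozen=True)
class Client:
    client_id: str
    confidential: bool            # RFC 6749 section 2.1 client type
    secret: Optional[str] = None  # only confidential clients hold a secret


@dataclass
class Token:
    value: str
    client_id: str   # client the token was issued to
    kind: str        # "access_token" or "refresh_token"
    revoked: bool = False


# Constructed sample registry: one confidential client and one public client.
CLIENTS = {
    "web-app": Client("web-app", confidential=True, secret="s3cret-web"),
    "spa": Client("spa", confidential=False),
}

SUPPORTED_HINTS = {"access_token", "refresh_token"}


def fresh_tokens() -> dict:
    """Constructed sample token store keyed by token value."""
    return {
        "rt-web-1": Token("rt-web-1", "web-app", "refresh_token"),
        "at-web-1": Token("at-web-1", "web-app", "access_token"),
        "rt-spa-1": Token("rt-spa-1", "spa", "refresh_token"),
    }


def authenticate_client(form: dict, basic_auth: Optional[tuple]) -> Optional[Client]:
    """
    Identify the caller. A confidential client must present its credentials
    (HTTP Basic here, an assumption of this example); a public client only
    identifies itself with client_id in the form body. Returns None when the
    caller cannot be accepted.
    """
    if basic_auth is not None:
        client = CLIENTS.get(basic_auth[0])
        if client is None or client.secret is None:
            return None
        # Constant-time comparison of the presented secret.
        if not hmac.compare_digest(client.secret.encode(), basic_auth[1].encode()):
            return None
        return client
    client = CLIENTS.get(form.get("client_id", ""))
    if client is None or client.confidential:
        # Unknown client, or a confidential client trying to act on client_id
        # alone: this is exactly the case the thread says must be refused.
        return None
    return client


def revoke(form: dict, basic_auth: Optional[tuple], tokens: dict) -> tuple:
    """Return (http_status, json_body) for one revocation request."""
    client = authenticate_client(form, basic_auth)
    if client is None:
        return 401, {"error": "invalid_client"}
    hint = form.get("token_type_hint")
    if hint is not None and hint not in SUPPORTED_HINTS:
        return 400, {"error": "unsupported_token_type"}
    # The hint may only order the lookup, never restrict it; with a single
    # store keyed by token value it is not needed to find the token.
    token = tokens.get(form.get("token", ""))
    if token is None:
        # An unknown or already invalid token is not an error (RFC 7009 2.1),
        # so a caller learns nothing about tokens it does not hold.
        return 200, {}
    if token.client_id != client.client_id:
        # Token was issued to another client: refuse. Using invalid_grant
        # (an RFC 6749 section 5.2 code) here is this example's choice.
        return 400, {"error": "invalid_grant"}
    token.revoked = True
    return 200, {}
```

Running `revoke({"token": "rt-web-1", "client_id": "web-app"}, None, fresh_tokens())` returns `401` with `invalid_client`, because the refresh token was issued to a confidential client and only its client_id was presented; the same token with `("web-app", "s3cret-web")` as Basic credentials is revoked with `200`. A public client revoking its own token with just `client_id` succeeds, while one naming another client's token is refused.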