Re: [OAUTH-WG] Client Credential Expiry and new Registration Access Token - draft-ietf-oauth-dyn-reg-10

Mike Jones <Michael.Jones@microsoft.com> Thu, 16 May 2013 22:27 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Phil Hunt <phil.hunt@oracle.com>, "oauth@ietf.org WG" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Client Credential Expiry and new Registration Access Token - draft-ietf-oauth-dyn-reg-10
Date: Thu, 16 May 2013 22:26:59 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943677327E5@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <C0CE9538-4B72-4882-9462-B08A2D386720@oracle.com>
In-Reply-To: <C0CE9538-4B72-4882-9462-B08A2D386720@oracle.com>
Subject: Re: [OAUTH-WG] Client Credential Expiry and new Registration Access Token - draft-ietf-oauth-dyn-reg-10

This is nothing more than an RFC 6750 bearer token.  These can expire, as explained in that draft.  (They can also be issued in a manner that they don't expire.)  Nothing new is being invented in this regard.

				-- Mike

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Phil Hunt
Sent: Thursday, May 16, 2013 2:35 PM
To: oauth@ietf.org WG
Subject: [OAUTH-WG] Client Credential Expiry and new Registration Access Token - draft-ietf-oauth-dyn-reg-10

All,

In the dynamic registration draft, a new token type is defined called the "registration access token". Its use is intended to facilitate clients being able to update their registration and obtain new client credentials over time.  The client credential is issued on completion of the initial registration request by a particular client instance.

It appears the need for the registration access token arises from the implied assertion that client credentials should expire. 
--> Is anyone expiring client credentials?

To date, we haven't had much discussion about client credential expiry. It leads me to the following questions:

1.  Is there technical value with client credential/token expiry?  Keep in mind that the client credential is only used with the token endpoint over a TLS connection. It is NOT used to access resources directly.

2.  If yes, on what basis should client credential/token expire?
  a.  Time?
  b.  A change to the client software (e.g. version update)?
  c.  Some other reason?

3. Is it worth the complication to create a new token type (registration access token) just to allow clients to obtain new client tokens?  Keep in mind that client tokens are only usable with the AS token endpoint.  Why not instead use a client token for dyn reg and the token endpoint, with the rule that once a client token has expired (if they expire), an expired token may still be used at the registration end-point?

4. Are there other reasons for the registration token?

Thanks,

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
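Mike's point above, that the registration access token is just an RFC 6750 bearer token which may or may not carry an expiry, modelled as an added example (not code from this thread, the draft, or any implementation): a minimal AS-side registration endpoint that issues the token at initial registration and checks it on a later update. The class and method names, the in-memory store, the constructed client_id format and the optional lifetime are my assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class RegistrationAccessToken:
    value: str
    client_id: str          # the registration this token is allowed to manage
    exp: Optional[float]    # None: issued without an expiry, as RFC 6750 permits


class RegistrationEndpoint:
    """Hypothetical AS-side store for dynamic registrations (assumed design)."""

    def __init__(self) -> None:
        self._tokens: Dict[str, RegistrationAccessToken] = {}
        self._clients: Dict[str, dict] = {}

    def register(self, metadata: dict, now: float, ttl: Optional[float] = None):
        # Initial registration: issue a client_id plus a registration access token.
        client_id = "client-" + secrets.token_hex(4)  # constructed identifier
        tok = RegistrationAccessToken(
            value=secrets.token_urlsafe(32),
            client_id=client_id,
            exp=None if ttl is None else now + ttl,
        )
        self._tokens[tok.value] = tok
        self._clients[client_id] = dict(metadata)
        return client_id, tok.value

    def _authorized(self, authz_header: str, client_id: str, now: float) -> bool:
        # RFC 6750 header form: "Authorization: Bearer <token>"
        scheme, _, value = authz_header.strip().partition(" ")
        if scheme.lower() != "bearer" or not value:
            return False
        tok = self._tokens.get(value.strip())
        if tok is None or tok.client_id != client_id:
            return False  # unknown token, or token bound to another registration
        return tok.exp is None or now < tok.exp  # expiry only enforced if set

    def update(self, authz_header: str, client_id: str, metadata: dict, now: float) -> int:
        # HTTP-style status: 200 on success, 401 on a missing, bad or expired bearer token.
        if not self._authorized(authz_header, client_id, now):
            return 401
        self._clients[client_id].update(metadata)
        return 200

    def client(self, client_id: str) -> dict:
        return dict(self._clients[client_id])
```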