IETF Logo Mail Archive

Re: [OAUTH-WG] Draft -12 feedback deadline

Mark Mcgloin <mark.mcgloin@ie.ibm.com> Fri, 18 February 2011 11:49 UTC

Return-Path: <mark.mcgloin@ie.ibm.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6F45A3A6DB6; Fri, 18 Feb 2011 03:49:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KUHMOzQgm-vW; Fri, 18 Feb 2011 03:49:28 -0800 (PST)
Received: from mtagate7.uk.ibm.com (mtagate7.uk.ibm.com [194.196.100.167]) by core3.amsl.com (Postfix) with ESMTP id 734513A6DCE; Fri, 18 Feb 2011 03:49:28 -0800 (PST)
Received: from d06nrmr1806.portsmouth.uk.ibm.com (d06nrmr1806.portsmouth.uk.ibm.com [9.149.39.193]) by mtagate7.uk.ibm.com (8.13.1/8.13.1) with ESMTP id p1IBo0Jt009161; Fri, 18 Feb 2011 11:50:00 GMT
Received: from d06av08.portsmouth.uk.ibm.com (d06av08.portsmouth.uk.ibm.com [9.149.37.249]) by d06nrmr1806.portsmouth.uk.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id p1IBo7vJ1396762; Fri, 18 Feb 2011 11:50:07 GMT
Received: from d06av08.portsmouth.uk.ibm.com (loopback [127.0.0.1]) by d06av08.portsmouth.uk.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id p1IBnxB3016397; Fri, 18 Feb 2011 11:50:00 GMT
Received: from d06ml093.portsmouth.uk.ibm.com (d06ml093.portsmouth.uk.ibm.com [9.149.104.171]) by d06av08.portsmouth.uk.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id p1IBnxNx016394; Fri, 18 Feb 2011 11:49:59 GMT
In-Reply-To: <AANLkTindJ3oGpggvZ7jRJ4TRhTRomyZG+DwLOfbHD2kq@mail.gmail.com>
References: <90C41DD21FB7C64BB94121FBBC2E723445A8D6254D@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTinMjQW26mLkoN7oMdLWLGAHp0_O9LbVi13RpMJB@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723445A91D3EE9@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTimjWkO8o+z+P=AKpyYkSjTh6oS7uM9N0JwR_vR6@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723445A91D3F44@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTi=tvwsR=_EhPRkYEwC+ERwRCNN2aAWDqRDvwx8B@mail.gmail.com> <FFDFD7371D517847AD71FBB08F9A315638493F514F@SP2-EX07VS06.ds.corp.yahoo.com> <AANLkTimxhoK1vt8HwSF9dvu4Z5xjqrLLb2SULj9pp=9b@mail.gmail.com> <AANLkTi=DtgpWNyEKBg=0GhOWuqSvzF5q0SJQgfZNRm8M@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723445A91D3F9A@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTindJ3oGpggvZ7jRJ4TRhTRomyZG+DwLOfbHD2kq@mail.gmail.com>
X-KeepSent: EFAF96E1:1837BBD4-8025783B:0040108E; type=4; name=$KeepSent
To: Marius Scurtescu <mscurtescu@google.com>
X-Mailer: Lotus Notes Release 8.5.1FP5 SHF29 November 12, 2010
Message-ID: <OFEFAF96E1.1837BBD4-ON8025783B.0040108E-8025783B.0040FF69@ie.ibm.com>
From: Mark Mcgloin <mark.mcgloin@ie.ibm.com>
Date: Fri, 18 Feb 2011 11:49:24 +0000
X-MIMETrack: Serialize by Router on D06ML093/06/M/IBM(Release 8.0.2FP6|July 15, 2010) at 18/02/2011 11:49:24
MIME-Version: 1.0
Content-type: text/plain; charset="US-ASCII"
Cc: OAuth WG <oauth@ietf.org>, oauth-bounces@ietf.org
Subject: Re: [OAUTH-WG] Draft -12 feedback deadline
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Feb 2011 11:49:30 -0000

Marius

Isn't the risk of the refresh token leaking the same as the risk of the
access token leaking, i.e. why not provide both? IMO, the refresh token
just provides a server side mechanism for revoking access, where resource
servers are distributed, through having short lived access tokens

Of course, the refresh access token flow currently requires a secret so
would need to be changed or alternative flow introduced. Will wait for
details of how auth code flow can be used


Mark
e-mail: mark.mcgloin@ie.ibm.com


oauth-bounces@ietf.org wrote on 16/02/2011 21:38:45:

> Marius Scurtescu <mscurtescu@google.com>
> Sent by: oauth-bounces@ietf.org
>
> 16/02/2011 21:38
>
> To
>
> Eran Hammer-Lahav <eran@hueniverse.com>
>
> cc
>
> OAuth WG <oauth@ietf.org>
>
> Subject
>
> Re: [OAUTH-WG] Draft -12 feedback deadline
>
> On Wed, Feb 16, 2011 at 12:28 PM, Eran Hammer-Lahav
> <eran@hueniverse.com> wrote:
> > The reason why we don't return a refresh token in the implicit
> grant is exactly because there is no client authentication...
>
> Not sure that's the main reason. AFAIK it is because the response is
> sent through the user-agent and it could leak.
>
>
> > These are all well-balanced flows with specific security
> properties. If you need something else, even if it is just a tweak,
> it must be considered a different flow. That doesn't mean you need
> to register a new grant type, just that you are dealing with
> different implementation details unique to your server.
>
> The Authorization Code flow, with no client secret, is perfectly fine
> for Native Apps IMO.
>
> Marius
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email