IETF Logo Mail Archive

Re: [OAUTH-WG] A question on token revocation.

Todd W Lainhart <lainhart@us.ibm.com> Wed, 06 February 2013 15:34 UTC

Return-Path: <lainhart@us.ibm.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5216621F875F for <oauth@ietfa.amsl.com>; Wed, 6 Feb 2013 07:34:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.546
X-Spam-Level:
X-Spam-Status: No, score=-10.546 tagged_above=-999 required=5 tests=[AWL=0.052, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hN2B8qJTc7pn for <oauth@ietfa.amsl.com>; Wed, 6 Feb 2013 07:34:26 -0800 (PST)
Received: from e9.ny.us.ibm.com (e9.ny.us.ibm.com [32.97.182.139]) by ietfa.amsl.com (Postfix) with ESMTP id E546521F868D for <oauth@ietf.org>; Wed, 6 Feb 2013 07:34:25 -0800 (PST)
Received: from /spool/local by e9.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for <oauth@ietf.org> from <lainhart@us.ibm.com>; Wed, 6 Feb 2013 10:34:25 -0500
Received: from d01dlp03.pok.ibm.com (9.56.250.168) by e9.ny.us.ibm.com (192.168.1.109) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Wed, 6 Feb 2013 10:34:22 -0500
Received: from d01relay06.pok.ibm.com (d01relay06.pok.ibm.com [9.56.227.116]) by d01dlp03.pok.ibm.com (Postfix) with ESMTP id E6693C90028; Wed, 6 Feb 2013 10:34:20 -0500 (EST)
Received: from d01av02.pok.ibm.com (d01av02.pok.ibm.com [9.56.224.216]) by d01relay06.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id r16FYKUw29360192; Wed, 6 Feb 2013 10:34:20 -0500
Received: from d01av02.pok.ibm.com (loopback [127.0.0.1]) by d01av02.pok.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id r16FYJQY009566; Wed, 6 Feb 2013 13:34:19 -0200
Received: from d01ml255.pok.ibm.com (d01ml255.pok.ibm.com [9.63.10.54]) by d01av02.pok.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id r16FYA3u008297; Wed, 6 Feb 2013 13:34:14 -0200
In-Reply-To: <CAJV9qO-mz=K_fJHO8g8XH8DtUxFPvN8hRF7K=gn0etAAqeb0zg@mail.gmail.com>
References: <CAJV9qO8UgLV6SdegZSk4KT3Qyb-M2KmPFPV9xDht_WjibeUWrg@mail.gmail.com> <51126D65.2090707@mitre.org> <CAJV9qO-ZNVcbzNvb---CmXv+vo0jZHKQaDon8OqrPJCfAXKTRQ@mail.gmail.com> <5112746B.70403@mitre.org> <CAJV9qO-mz=K_fJHO8g8XH8DtUxFPvN8hRF7K=gn0etAAqeb0zg@mail.gmail.com>
To: Prabath Siriwardena <prabath@wso2.com>
MIME-Version: 1.0
X-KeepSent: 8CC0704A:7E320CB4-85257B0A:0055661B; type=4; name=$KeepSent
X-Mailer: Lotus Notes Release 8.5.3FP2 SHF22 July 19, 2012
Message-ID: <OF8CC0704A.7E320CB4-ON85257B0A.0055661B-85257B0A.00558648@us.ibm.com>
From: Todd W Lainhart <lainhart@us.ibm.com>
Date: Wed, 06 Feb 2013 10:34:09 -0500
X-MIMETrack: Serialize by Router on D01ML255/01/M/IBM(Release 8.5.3FP2 ZX853FP2HF4|December 14, 2012) at 02/06/2013 10:34:14, Serialize complete at 02/06/2013 10:34:14
Content-Type: multipart/alternative; boundary="=_alternative 0055864785257B0A_="
X-Content-Scanned: Fidelis XPS MAILER
x-cbid: 13020615-7182-0000-0000-00000506413B
Cc: oauth-bounces@ietf.org, "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A question on token revocation.
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Feb 2013 15:34:27 -0000

> Resource owner needs to know the consumer key (represents the OAuth 
Client app) & scope to revoke the access token for a given client. 

I see - you're saying that requiring client credentials on the end point 
is the problem?





Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
lainhart@us.ibm.com




From:   Prabath Siriwardena <prabath@wso2.com>
To:     Justin Richer <jricher@mitre.org>, 
Cc:     "oauth@ietf.org WG" <oauth@ietf.org>
Date:   02/06/2013 10:31 AM
Subject:        Re: [OAUTH-WG] A question on token revocation.
Sent by:        oauth-bounces@ietf.org





On Wed, Feb 6, 2013 at 8:49 PM, Justin Richer <jricher@mitre.org> wrote:

On 02/06/2013 10:13 AM, Prabath Siriwardena wrote:


On Wed, Feb 6, 2013 at 8:19 PM, Justin Richer <jricher@mitre.org> wrote:
These are generally handled through a user interface where the RO is 
authenticated directly to the AS, and there's not much need for a 
"protocol" here, in practice. 

Why do you think leaving access token revocation by RO to a proprietary 
API is a good practice ? IMO this an essential requirement in API 
security.
I think it makes more sense in the same way that having a "proprietary" 
UI/API for managing the user consent makes sense: unless you're doing a 
fully dynamic end-to-end system like UMA, then there's not much value in 
trying to squeeze disparate systems into the same mold, since they won't 
be talking to each other anyway. 

This is required in distributed setup for each API platform from different 
vendors to perform in an interop manner.
 

And since you refer to it as an "API", what will the RO be using to call 
this API? Is there a token management client that's separate from the 
OAuth client? 

I didn't get your question right... If you meant the how to invoke 
revocation end point, the the resource owner needs to know the consumer 
key (represents the OAuth Client app) & scope to revoke the access token 
for a given client. 



IMHO token revocation done my RO is more practical than token revocation 
done by the Client.
They're both valid but require different kinds of protocols and 
considerations. This token revocation draft is meant to solve one problem, 
and that doesn't mean it can or should solve other seemingly related 
problems.

If you would like to see the RO-initiated token revocation go through (not 
grant revocation, mind you -- that's related, but different), then I would 
suggest that you start specifying exactly how that works. I predict it 
will be problematic in practice, though, as the RO often doesn't actually 
have direct access to the token itself. 

Resource owner needs to know the consumer key (represents the OAuth Client 
app) & scope to revoke the access token for a given client. 

 

 
There are larger applications, like UMA, that have client and PR 
provisioning that would allow for this to be managed somewhat 
programmatically, but even in that case you're still generally doing token 
revocation by a "client" in some fashion. In UMA, though, several 
different pieces can play the role of a "client" at different parts of the 
process.

Revoking a scope is a whole different mess. Generally, you'd want to just 
revoke an existing token and make a new authorization grant with lower 
access if you don't want that client getting that scope anymore. If you 
just want to downscope for a single transaction, you can already do that 
with either the refresh token or token chaining approaches, depending on 
where in the process you are. The latter of these are both client-focused, 
though, and the RO doesn't have a direct hand in it at this point.

Why do you think it a mess. If you revoke the entire token then Client 
needs to go through the complete OAuth flow - and also needs to get the 
user consent. If RO can  downgrade the scope, then we restrict API access 
by the client at RS end and its transparent to the client.


Downgrading the scope of tokens in the wild is hardly transparent to the 
client (stuff that it expects to work will suddenly start to fail, meaning 
that most clients will throw out the token and try to get a new one), and 
in a distributed system you've got to propagate that change to the RS. If 
you bake the scopes into the token itself (which many do) then you 
actually *can't* downgrade a single token, anyway. 

Yes.. that is the expected behavior. I mean the process is transparent. 
Client will notice at runtime.

Thanks & regards,
-Prabath
 

 -- Justin


Thanks & regards,
-Prabath
 


 -- Justin 


On 02/06/2013 04:35 AM, Prabath Siriwardena wrote:
I am sorry if this was already discussed in this list.. 

Looking at [1] it only talks about revoking the access token from the 
client.

How about the resource owner..?

There can be cases where resource owner needs to revoke an authorized 
access token from a given client. Or revoke an scope..

How are we going to address these requirements..? Thoughts appreciated...

[1] http://tools.ietf.org/html/draft-ietf-oauth-revocation-04

-- 
Thanks & Regards,
Prabath 

Mobile : +94 71 809 6732 

http://blog.facilelogin.com
http://RampartFAQ.com


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth





-- 
Thanks & Regards,
Prabath 

Mobile : +94 71 809 6732 

http://blog.facilelogin.com
http://RampartFAQ.com




-- 
Thanks & Regards,
Prabath

Mobile : +94 71 809 6732 

http://blog.facilelogin.com
http://RampartFAQ.com_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email