Re: [OAUTH-WG] What should happen to access tokens when the end user credentials change

Todd W Lainhart <lainhart@us.ibm.com> Wed, 07 August 2013 13:40 UTC

In-Reply-To: <CAC4RtVAoSB5vQPiNB2JCBjJ8vOmvyKZSkAdwithzziXfjsku3w@mail.gmail.com>
References: <5200DD6C.3010003@gmail.com> <CAC4RtVAoSB5vQPiNB2JCBjJ8vOmvyKZSkAdwithzziXfjsku3w@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
Message-ID: <OFDF319810.D5537EBC-ON85257BC0.004AB0BC-85257BC0.004B203C@us.ibm.com>
From: Todd W Lainhart <lainhart@us.ibm.com>
Date: Wed, 07 Aug 2013 09:40:34 -0400
Cc: "<oauth@ietf.org>" <oauth@ietf.org>, oauth-bounces@ietf.org
Subject: Re: [OAUTH-WG] What should happen to access tokens when the end user credentials change

Assuming of course that the AS was notified by the IdP (or could inquire 
from same, say, during introspection) that something about the user's 
account had changed - there's nothing in the protocol that speaks to that.

Would anyone be surprised if the authorizations granted to the previous 
confirmation of identity were now void?  That seems like the simplest way 
to handle it.

Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
lainhart@us.ibm.com

From:   Barry Leiba <barryleiba@computer.org>
To:     Sergey Beryozkin <sberyozkin@gmail.com>, 
Cc:     "<oauth@ietf.org>" <oauth@ietf.org>
Date:   08/06/2013 08:50 AM
Subject:        Re: [OAUTH-WG] What should happen to access tokens when the end user credentials change
Sent by:        oauth-bounces@ietf.org

> Suppose a given user has approved a client's grant request and that client
> is now working with the access token tied to the user's login name (or some
> other representation of that user's login credentials).
>
> What would be the recommended course of action when that user's credentials
> (example, the user's login name) change, as far as the existing access
> tokens tied to that user are concerned?

An interesting question.

I think it's not the OAuth protocol's concern, but a document
describing operations and deployment might suggest what to do.
Groping here (I'm not a UI expert):

I expect that some changes (and/or some reasons for changes) would
make no difference to the authorizations the user has approved.  If I
change my username from "barryleiba" to "bigkahuna" because I want to
be cool, I would want my authorizations to persist.  If I change my
password because I routinely change my password, I would want my
authorizations to persist.  If I change my password because I think my
old password was compromised, I would want to review my authorizations
and make sure nothing untoward is there.  Alternatively, I might just
want to invalidate all of them and re-establish them as needed
afterward.

So it would probably be good for the system in question to ask me what
to do about the authorizations I've given out, and allow me to review
them and address them one by one, and/or make a blanket decision for
the lot.

Maybe:

    Your password has been changed.

    Do you want to revoke authorizations you have approved?  [YES / NO]

Or maybe:

    Your password has been changed.

    Do you want to review authorizations you have approved?  [YES / NO]

--
Barry
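As an added illustration of the two positions in this thread (example code written for this page, not code from the thread or from any IETF document): a small Python model of an authorization server in which every token records the credential generation under which the user's identity was confirmed, so introspection treats grants from an earlier confirmation as void, while the change handler applies the reason-based policy Barry sketches (renames and routine rotations persist, a suspected compromise either voids everything or surfaces the live grants for review). Tokens key on a stable subject id rather than the login name, which is why a rename is harmless; all class and method names are this example's own assumptions.

```python
from dataclasses import dataclass


@dataclass
class User:
    sub: str                  # stable subject id; tokens key on this, not the login name
    username: str
    cred_generation: int = 1  # bumped when earlier identity confirmations stop counting


@dataclass
class Token:
    value: str
    sub: str
    cred_generation: int      # the user's generation when this grant was approved
    revoked: bool = False


class AuthServer:
    """Hypothetical in-memory AS for illustration; every name here is assumed."""

    def __init__(self):
        self.users, self.tokens = {}, {}

    def add_user(self, sub, username):
        self.users[sub] = User(sub, username)

    def issue(self, sub, value):
        self.tokens[value] = Token(value, sub, self.users[sub].cred_generation)

    def revoke(self, value):
        self.tokens[value].revoked = True

    def introspect(self, value):
        # RFC 7662-style answer. A token stays active only while it belongs to the
        # user's current credential generation, so a bump voids every earlier grant.
        t = self.tokens.get(value)
        if t is None or t.revoked:
            return {"active": False}
        user = self.users[t.sub]
        if t.cred_generation != user.cred_generation:
            return {"active": False}
        return {"active": True, "sub": t.sub, "username": user.username}

    def credential_changed(self, sub, reason, new_username=None, revoke_all=False):
        """reason is one of 'rename', 'routine_rotation', 'compromised'.
        Renames and routine rotations leave grants untouched. A compromise either
        voids all grants (generation bump) or returns the live ones for review."""
        user = self.users[sub]
        if new_username:
            user.username = new_username  # tokens keyed on sub survive unchanged
        if reason != "compromised":
            return []
        if revoke_all:
            user.cred_generation += 1
            return []
        return [v for v, t in self.tokens.items()
                if t.sub == sub and self.introspect(v)["active"]]
```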