Re: [OAUTH-WG] Question about RFC 7622 (Token Introspection)

Buhake Sindi <buhake@gmail.com> Fri, 15 January 2016 14:21 UTC

Return-Path: <buhake@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF2A81B2D56 for <oauth@ietfa.amsl.com>; Fri, 15 Jan 2016 06:21:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.999
X-Spam-Level:
X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DofNwxzLG7Vu for <oauth@ietfa.amsl.com>; Fri, 15 Jan 2016 06:21:22 -0800 (PST)
Received: from mail-lf0-x229.google.com (mail-lf0-x229.google.com [IPv6:2a00:1450:4010:c07::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51DC71B2D70 for <oauth@ietf.org>; Fri, 15 Jan 2016 06:21:22 -0800 (PST)
Received: by mail-lf0-x229.google.com with SMTP id c192so283684516lfe.2 for <oauth@ietf.org>; Fri, 15 Jan 2016 06:21:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=4BSacrtK+LKaFYS8m7ZNUcdc9rkGZA3nrzFGUcrsdmo=; b=E/vcP0/LSoUKjxenmPbQDUc+i+N6eOXNIzSj+gc+B0PLHm/Aum4H+i63Lx0A1dKsp0 gqNDdPcOYyJ7VYBxjpiKSG2PStWBlAxPzE+tC6X+cq4Jb0Tu/3156Z5p6VSc/rmh6RKp O0JRUewJHguSXCCtADBgFxPkSqSqG9IxIgO+rDTXHHMpj7jdAtJ53io+oNTWRMA/d8Og IlS1Df2Q06W+hR5EC2lvYb0oFwEFXX0SWomnsH6AwZykjzcs52+vqJgstJeavd9nsgPM lD16uv9AvtIIMimNHWgPGRzPUA9oTO/cREuRJp6v4b82pmPRR8Pv6taVRumbdh0syu/j EQLA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=4BSacrtK+LKaFYS8m7ZNUcdc9rkGZA3nrzFGUcrsdmo=; b=Q1yoStQy6Usmt/Pwzh0Q+dV9mkGQIe1H2J5ryp5xPGOUX3nGYLthu1bDZKZnDFBcE0 FUaTrrJDdQAfR8Urif6Dxr7hHJ2Os+D5v+oP6rO6x5Zkeaglq1ijrXG4XT8gN6IlMmkU tHrwUGhC2/B2GDqeWOlGaKCLTnHJAyUU22FcNx8Spli+R0J2b7rE6J2yOL4/buxs4nNL N3CZBA4zqcPmFPThO3hhp+dzlh2Fklw3QPCt03H6mL8suVvG6ImnSqykoTavY2Zas7Co rWlwhP5wRvG2AamH3QFADP7WKIV4H/DcIsXPcRszBrVPaKQCSedH29gHkgVpMzVaYbIH pA5g==
X-Gm-Message-State: ALoCoQlRlanaiiVl2dFn4WpoK41MO89weP4oc43S7j41SGw7FdFo5WftaAnSIogrC4YhQlIx6wU5U2/YCBBPkjOTkSSq/tYbmA==
X-Received: by 10.25.41.203 with SMTP id p194mr3400016lfp.135.1452867680472; Fri, 15 Jan 2016 06:21:20 -0800 (PST)
MIME-Version: 1.0
Received: by 10.114.217.34 with HTTP; Fri, 15 Jan 2016 06:21:00 -0800 (PST)
In-Reply-To: <5698FEE5.9050305@gmail.com>
References: <CA+k3eCSpWFwyvk=XHP4b_zxzu-zrMYsS-axF6csO90-ahmkueQ@mail.gmail.com> <BY2PR03MB4423033D5604E9E36B20C23F5CA0@BY2PR03MB442.namprd03.prod.outlook.com> <5CA9073D-BBF7-48BD-BEC5-1F626E8C3818@mit.edu> <8EB68572-DA59-482D-A660-FA6D9848AAD2@oracle.com> <ade5692aa1afa2d9d79b8ac7a55bf150@lodderstedt.net> <5698CB3D.1030306@gmail.com> <CABUp4f4VPbDSyanidG3kWQ7GovGk1jf845=B7LwekS-1Ga2E_w@mail.gmail.com> <5698FEE5.9050305@gmail.com>
From: Buhake Sindi <buhake@gmail.com>
Date: Fri, 15 Jan 2016 16:21:00 +0200
Message-ID: <CABUp4f6jEwnt2agJbV7xu5GR_hnPsamBdZb-0THRS1OGs-ZiRw@mail.gmail.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>
Content-Type: multipart/alternative; boundary="001a11411620001ac80529601e09"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/9QaxrNzDHJ6rN6uQ-gDBpGxdkKY>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Question about RFC 7622 (Token Introspection)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jan 2016 14:21:25 -0000

Hi,

Was just reading the specification (RFC 7662) and the following link
"breaks"

Chapter 2.3


2.3 <https://tools.ietf.org/html/rfc7662#section-2.3>.  Error Response

   If the protected resource uses OAuth 2.0 client credentials to
   authenticate to the introspection endpoint and its credentials are
   invalid, the authorization server responds with an HTTP 401
   (Unauthorized) as described in Section 5.2
<https://tools.ietf.org/html/rfc7662#section-5.2> of OAuth 2.0
[RFC6749 <https://tools.ietf.org/html/rfc6749>].




Richer                       Standards Track                    [Page 8]

------------------------------

  <https://tools.ietf.org/html/rfc7662#page-9>RFC 7662
<https://tools.ietf.org/html/rfc7662>                   OAuth
Introspection              October 2015


   If the protected resource uses an OAuth 2.0 bearer token to authorize
   its call to the introspection endpoint and the token used for
   authorization does not contain sufficient privileges or is otherwise
   invalid for this request, the authorization server responds with an
   HTTP 401 code as described in Section 3
<https://tools.ietf.org/html/rfc7662#section-3> of OAuth 2.0 Bearer
Token
   Usage [RFC6750 <https://tools.ietf.org/html/rfc6750>].


The link of [Section 5.2] and [Section 3] both points to the same link
(of RFC 7662) instead of the specified RFC. E.g. There is no Section
5.2 on RFC 7662 but the link points to it.



Kind Regards,



Buhake Sindi



On 15 January 2016 at 16:15, Sergey Beryozkin <sberyozkin@gmail.com> wrote:

> Ouch, you are right, sorry for the confusion,
> Thanks, Sergey
> On 15/01/16 14:13, Buhake Sindi wrote:
>
>> Hi,
>>
>> Are you not mistaking this with RFC 7662? :-)
>>
>> Kind Regards,
>>
>> Buhake Sindi
>>
>> On 15 Jan 2016 12:34, "Sergey Beryozkin" <sberyozkin@gmail.com
>> <mailto:sberyozkin@gmail.com>> wrote:
>>
>>     Hi All,
>>
>>     I'm reviewing RFC 7622 as we are going ahead with implementing it.
>>     I have a question:
>>
>>     1. Token Hint in the introspection request.
>>     The spec mentions 'refresh_token' as one of the possible values. But
>>     a protected resource does not see a refresh token (ever ?), it is
>>     Access Token service which does.
>>     When would a protected resource use a 'refresh_token' hint when
>>     requesting an introspection response ?
>>
>>     Thanks, Sergey
>>
>>
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>