Re: [OAUTH-WG] Question about RFC 7622 (Token Introspection)
Buhake Sindi <buhake@gmail.com> Fri, 15 January 2016 14:21 UTC
In-Reply-To: <5698FEE5.9050305@gmail.com>
References: <CA+k3eCSpWFwyvk=XHP4b_zxzu-zrMYsS-axF6csO90-ahmkueQ@mail.gmail.com> <BY2PR03MB4423033D5604E9E36B20C23F5CA0@BY2PR03MB442.namprd03.prod.outlook.com> <5CA9073D-BBF7-48BD-BEC5-1F626E8C3818@mit.edu> <8EB68572-DA59-482D-A660-FA6D9848AAD2@oracle.com> <ade5692aa1afa2d9d79b8ac7a55bf150@lodderstedt.net> <5698CB3D.1030306@gmail.com> <CABUp4f4VPbDSyanidG3kWQ7GovGk1jf845=B7LwekS-1Ga2E_w@mail.gmail.com> <5698FEE5.9050305@gmail.com>
From: Buhake Sindi <buhake@gmail.com>
Date: Fri, 15 Jan 2016 16:21:00 +0200
Message-ID: <CABUp4f6jEwnt2agJbV7xu5GR_hnPsamBdZb-0THRS1OGs-ZiRw@mail.gmail.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/9QaxrNzDHJ6rN6uQ-gDBpGxdkKY>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Hi,

Was just reading the specification (RFC 7662) and the following link "breaks" Chapter 2.3:

2.3 <https://tools.ietf.org/html/rfc7662#section-2.3>. Error Response

If the protected resource uses OAuth 2.0 client credentials to authenticate to the introspection endpoint and its credentials are invalid, the authorization server responds with an HTTP 401 (Unauthorized) as described in Section 5.2 <https://tools.ietf.org/html/rfc7662#section-5.2> of OAuth 2.0 [RFC6749 <https://tools.ietf.org/html/rfc6749>].

If the protected resource uses an OAuth 2.0 bearer token to authorize its call to the introspection endpoint and the token used for authorization does not contain sufficient privileges or is otherwise invalid for this request, the authorization server responds with an HTTP 401 code as described in Section 3 <https://tools.ietf.org/html/rfc7662#section-3> of OAuth 2.0 Bearer Token Usage [RFC6750 <https://tools.ietf.org/html/rfc6750>].

The links for [Section 5.2] and [Section 3] both point to the same document (RFC 7662) instead of the specified RFC, e.g. there is no Section 5.2 in RFC 7662 but the link points to it.

Kind Regards,

Buhake Sindi

On 15 January 2016 at 16:15, Sergey Beryozkin <sberyozkin@gmail.com> wrote:

> Ouch, you are right, sorry for the confusion,
> Thanks, Sergey
>
> On 15/01/16 14:13, Buhake Sindi wrote:
>
>> Hi,
>>
>> Are you not mistaking this with RFC 7662? :-)
>>
>> Kind Regards,
>>
>> Buhake Sindi
>>
>> On 15 Jan 2016 12:34, "Sergey Beryozkin" <sberyozkin@gmail.com> wrote:
>>
>>> Hi All,
>>>
>>> I'm reviewing RFC 7622 as we are going ahead with implementing it.
>>> I have a question:
>>>
>>> 1. Token Hint in the introspection request.
>>> The spec mentions 'refresh_token' as one of the possible values. But
>>> a protected resource does not see a refresh token (ever?), it is the
>>> Access Token service which does.
>>> When would a protected resource use a 'refresh_token' hint when
>>> requesting an introspection response?
>>>
>>> Thanks, Sergey
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
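The two points raised in this thread, the Section 2.3 error responses (401 via RFC 6749 §5.2 for bad client credentials, 401 via RFC 6750 §3 for a bad or under-scoped bearer token) and the role of the `refresh_token` value of `token_type_hint`, are easier to see in a minimal introspection endpoint. The following is an added example written against the text of RFC 7662; it is not code from the thread, from the IETF, or from any particular authorization server. The token stores, the client `rs-1` with secret `s3cret`, the bearer token `rs-token`, the scope name `introspect` and the realm are all constructed for the demo, and the handler takes a plain header dict and form body instead of a real HTTP server.

```python
# Added example of an RFC 7662 introspection endpoint (not code from the
# thread or any real AS).  Tokens, clients and scope names are constructed.
import base64
import hmac
import json
from urllib.parse import parse_qs

# Constructed sample state: one access token, one refresh token, one
# confidential client, and one bearer token allowed to introspect.
ACCESS_TOKENS = {
    "at-1": {"active": True, "scope": "read write", "client_id": "app-1",
             "username": "alice", "token_type": "Bearer", "exp": 1900000000},
}
REFRESH_TOKENS = {
    "rt-1": {"active": True, "scope": "read write", "client_id": "app-1",
             "username": "alice"},
}
CLIENTS = {"rs-1": "s3cret"}                      # client_id -> client_secret
INTROSPECT_BEARERS = {"rs-token": "introspect"}   # bearer token -> scope
REALM = "introspection"                           # assumed realm name


def _authenticate(headers):
    """Return (ok, error_response).  RFC 7662 section 2.1 lets the caller use
    either client credentials or a bearer token; section 2.3 maps the two
    failure modes to RFC 6749 section 5.2 and RFC 6750 section 3."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            cid, _, secret = base64.b64decode(value).decode().partition(":")
        except Exception:
            cid, secret = "", ""
        expected = CLIENTS.get(cid)
        if expected is not None and hmac.compare_digest(expected, secret):
            return True, None
        # RFC 6749 5.2: invalid_client, 401, WWW-Authenticate for the scheme used.
        return False, (401, {"WWW-Authenticate": f'Basic realm="{REALM}"'},
                       {"error": "invalid_client"})
    if scheme.lower() == "bearer":
        scope = INTROSPECT_BEARERS.get(value)
        if scope == "introspect":
            return True, None
        # RFC 6750 3: 401 with error="invalid_token" or "insufficient_scope".
        err = "insufficient_scope" if scope else "invalid_token"
        return False, (401, {"WWW-Authenticate":
                             f'Bearer realm="{REALM}", error="{err}"'},
                       {"error": err})
    # No usable credentials: 401 challenge without an error code (RFC 6750 3.1).
    return False, (401, {"WWW-Authenticate": f'Bearer realm="{REALM}"'}, {})


def _lookup(token, hint):
    """token_type_hint is only an optimisation (RFC 7662 section 2.1): try the
    hinted store first, then the others.  A protected resource that only
    ever sees access tokens will never send 'refresh_token'; the AS must
    still cope with a missing or wrong hint."""
    stores = {"access_token": ACCESS_TOKENS, "refresh_token": REFRESH_TOKENS}
    order = [hint] if hint in stores else []
    order += [k for k in stores if k not in order]
    for kind in order:
        if token in stores[kind]:
            return dict(stores[kind][token])
    return None


def introspect(headers, body):
    """Handle POST to the introspection endpoint.  Returns (status, headers, json)."""
    ok, err = _authenticate(headers)
    if not ok:
        return err
    form = parse_qs(body)
    token = form.get("token", [None])[0]
    hint = form.get("token_type_hint", [None])[0]
    if token is None:
        return 400, {}, {"error": "invalid_request"}
    found = _lookup(token, hint)
    # RFC 7662 section 2.2: unknown, expired or revoked tokens all come back as
    # {"active": false} with 200, so the caller learns nothing else.
    if found is None or not found.get("active"):
        return 200, {}, {"active": False}
    return 200, {}, found


def basic(cid, secret):
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{cid}:{secret}".encode()).decode()


if __name__ == "__main__":
    # A wrong hint (refresh_token for an access token) still resolves.
    print(json.dumps(introspect({"Authorization": basic("rs-1", "s3cret")},
                                "token=at-1&token_type_hint=refresh_token")))
```

Note the asymmetry the thread is circling: a failure to authenticate the caller is a 401 with a `WWW-Authenticate` challenge, while a token that simply is not known is a successful 200 with `"active": false`. Conflating the two (say, returning 401 for an unknown token) turns the endpoint into a token oracle for anyone holding valid resource-server credentials.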