Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review

Anthony Nadalin <tonynad@microsoft.com> Tue, 29 January 2013 00:10 UTC

Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBCCC21E8047 for <oauth@ietfa.amsl.com>; Mon, 28 Jan 2013 16:10:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.534
X-Spam-Level:
X-Spam-Status: No, score=0.534 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cgf3mMaUQE4R for <oauth@ietfa.amsl.com>; Mon, 28 Jan 2013 16:10:45 -0800 (PST)
Received: from na01-by2-obe.outbound.protection.outlook.com (na01-by2-obe.ptr.protection.outlook.com [207.46.100.30]) by ietfa.amsl.com (Postfix) with ESMTP id C28F021E8044 for <oauth@ietf.org>; Mon, 28 Jan 2013 16:10:44 -0800 (PST)
Received: from BL2FFO11FD003.protection.gbl (10.173.161.203) by BL2FFO11HUB020.protection.gbl (10.173.160.112) with Microsoft SMTP Server (TLS) id 15.0.596.13; Tue, 29 Jan 2013 00:10:41 +0000
Received: from TK5EX14HUBC106.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD003.mail.protection.outlook.com (10.173.160.103) with Microsoft SMTP Server (TLS) id 15.0.596.13 via Frontend Transport; Tue, 29 Jan 2013 00:10:40 +0000
Received: from ch1outboundpool.messaging.microsoft.com (157.54.51.114) by mail.microsoft.com (157.54.80.61) with Microsoft SMTP Server (TLS) id 14.2.318.3; Tue, 29 Jan 2013 00:10:10 +0000
Received: from mail52-ch1-R.bigfish.com (10.43.68.243) by CH1EHSOBE008.bigfish.com (10.43.70.58) with Microsoft SMTP Server id 14.1.225.23; Tue, 29 Jan 2013 00:08:45 +0000
Received: from mail52-ch1 (localhost [127.0.0.1]) by mail52-ch1-R.bigfish.com (Postfix) with ESMTP id DF8F41E01B4 for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Tue, 29 Jan 2013 00:08:44 +0000 (UTC)
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.21; KIP:(null); UIP:(null); (null); H:BL2PRD0310HT005.namprd03.prod.outlook.com; R:internal; EFV:INT
X-SpamScore: -17
X-BigFish: PS-17(zz9371Id6eahc85fh148cIzz1ee6h1de0h1202h1e76h1d1ah1d2ah1082kzz1033IL17326ah8275dh18c673h8275bhz31h2a8h668h839hd24hf0ah1288h12a5h12bdh137ah1441h1504h1537h153bh162dh1631h1758h18e1h9a9j1155h)
Received-SPF: softfail (mail52-ch1: transitioning domain of microsoft.com does not designate 157.56.240.21 as permitted sender) client-ip=157.56.240.21; envelope-from=tonynad@microsoft.com; helo=BL2PRD0310HT005.namprd03.prod.outlook.com ; .outlook.com ;
X-Forefront-Antispam-Report-Untrusted: SFV:SKI; SFS:; DIR:OUT; SFP:; SCL:-1; SRVR:BY2PR03MB043; H:BY2PR03MB041.namprd03.prod.outlook.com; LANG:en;
Received: from mail52-ch1 (localhost.localdomain [127.0.0.1]) by mail52-ch1 (MessageSwitch) id 1359418122499959_2070; Tue, 29 Jan 2013 00:08:42 +0000 (UTC)
Received: from CH1EHSMHS001.bigfish.com (snatpool2.int.messaging.microsoft.com [10.43.68.232]) by mail52-ch1.bigfish.com (Postfix) with ESMTP id 6CCF74C03D9; Tue, 29 Jan 2013 00:08:42 +0000 (UTC)
Received: from BL2PRD0310HT005.namprd03.prod.outlook.com (157.56.240.21) by CH1EHSMHS001.bigfish.com (10.43.70.1) with Microsoft SMTP Server (TLS) id 14.1.225.23; Tue, 29 Jan 2013 00:08:42 +0000
Received: from BY2PR03MB043.namprd03.prod.outlook.com (10.255.241.147) by BL2PRD0310HT005.namprd03.prod.outlook.com (10.255.97.40) with Microsoft SMTP Server (TLS) id 14.16.257.4; Tue, 29 Jan 2013 00:08:34 +0000
Received: from BY2PR03MB041.namprd03.prod.outlook.com (10.255.241.145) by BY2PR03MB043.namprd03.prod.outlook.com (10.255.241.147) with Microsoft SMTP Server (TLS) id 15.0.614.5; Tue, 29 Jan 2013 00:08:32 +0000
Received: from BY2PR03MB041.namprd03.prod.outlook.com ([169.254.8.165]) by BY2PR03MB041.namprd03.prod.outlook.com ([169.254.8.165]) with mapi id 15.00.0614.003; Tue, 29 Jan 2013 00:08:31 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Thread-Topic: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review
Thread-Index: Ac35p+wOnP9UzK9BQMG59YbBjTobdAAHPkAQAIurswAAcAY7wA==
Date: Tue, 29 Jan 2013 00:08:31 +0000
Message-ID: <38216794ddab41239562c5d9a03575b4@BY2PR03MB041.namprd03.prod.outlook.com>
References: <a7b55ec383284cee83ff199f0057acbb@BY2PR03MB041.namprd03.prod.outlook.com> <51042160.5020908@lodderstedt.net>
In-Reply-To: <51042160.5020908@lodderstedt.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.255.124.4]
Content-Type: multipart/alternative; boundary="_000_38216794ddab41239562c5d9a03575b4BY2PR03MB041namprd03pro_"
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BY2PR03MB043.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%LODDERSTEDT.NET$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14HUBC106.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14HUBC106.redmond.corp.microsoft.com
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(199002)(52604002)(377454001)(189002)(56816002)(5343655001)(56776001)(63696002)(50986001)(20776003)(16236675001)(512954001)(53806001)(54356001)(16676001)(76482001)(51856001)(4396001)(74662001)(15202345001)(44976002)(54316002)(31966008)(49866001)(74502001)(5343635001)(77982001)(59766001)(33646001)(79102001)(47976001)(47736001)(6806001)(550184003)(46102001)(47446002)(42262001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BL2FFO11HUB020; H:TK5EX14HUBC106.redmond.corp.microsoft.com; RD:; A:1; MX:3; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 0741C77572
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jan 2013 00:10:47 -0000

1. OK with new wording
2. My comment was meant for "token_type" (i.e. "bearer", "ID_Token", etc)?
3. Would like to see a way to revoke via auth_token in case someone wants to revoke before it is used, right now I have to retrieve it then revoke it
4. OK
5. OK with new text
6. I think clarifying words would help here
7. I prefer the wording you responded with and not the current text as it puts a requirement on the client

From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
Sent: Saturday, January 26, 2013 10:33 AM
To: Anthony Nadalin
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review

Hi Tony,

thanks for your review comments.

*** @Justin: thanks for jumping in. ***

I would like to recap the results of the discussion so far and propose some changes.
Am 24.01.2013 00:54, schrieb Anthony Nadalin:
Review:


1.       Since not stated I assume that the Revocation Endpoint can exist on a different server from the Authorization server (or is it assumed that they are 1), if so how is the Revocation Endpoint found?

Having read your arguments I realize the current text is a bit specific about the means to obtain the endpoint location (as it does not mention other means).

current text:



The location of

   the token revocation endpoint can be found in the authorization

   server's documentation.  The token endpoint URI MAY include a query

   component.

proposal:

The means to obtain the location of the revocation endpoint is out of scope of this specification.



There is a range of options. The client could, for example,

automatically discover this information (along with other server

andpoints and properties). Alternatively, the client developer could

also get to know the endpoint location from the server's documentation.



Note: As this endpoint is handling security sensible credentials, such information must be obtained from a trustworthy resource.



2.       Any token type that is supported can be revoked, including refresh token ?

The draft currently explicitly states support for access and refresh tokens. Do you want the draft to be weaker at this point and to allow for the revocation of any token?



3.       Why does one have to send the token, can't this just be an auth_code ?

The draft is intended to support token revocation. I agree with Justin. Authz codes are short duration and one time use. I don't see a need to revoke them. I also don't see the need to use them to revoke the respective access token indirectly.



4.       Says CORS SHOULD be supported, I think a MAY be better here since a site may have issues supporting CORS

I'm fine with MAY since I tend to see CORS as an optional feature. What do others think?



5.       Does not say but is the revocation to be immediate upon the return of the request ?

The client must assume the revocation is immediate upon the return of the request. I could explicitly express this in the text

current text



In the next step, the authorization server invalidates the token.

   The client MUST NOT use this token again after revocation.

Proposal



  In the next step, the authorization server invalidates the token. The

client must assume the revocation is immediate upon the return of the

request. The client MUST NOT use the token again after the revocation.



6.       Does the revocation of the access token also revoke the refresh token (if it was provided) ? Or is this a revocation policy decision ?

As described by Justin, there are two use cases:

- if the token passed to the request is a refresh token and the server supports access token revocation, the server SHOULD also revoke them.
- if the token passed to the request is an access token, the server may decide to revoke the respective refresh token as well.

I think every client must be prepared to cope with "sudden" invalidation of any token type. So having different server policies with respect to related tokens shouldn't create interop problems.

What changes would you expect?



7.       Section 2 says "the client MUST NOT use this token again", well that seems odd, not sure this should be here as the client could try to use it gain, there is no need to put support in client to prevent this.

The client should discard the token immediately after revocation.

regards.
Torsten.





_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth