Re: [OAUTH-WG] Question about RFC 7622 (Token Introspection)

John Bradley <ve7jtb@ve7jtb.com> Fri, 15 January 2016 14:44 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CABUp4f6jEwnt2agJbV7xu5GR_hnPsamBdZb-0THRS1OGs-ZiRw@mail.gmail.com>
Date: Fri, 15 Jan 2016 09:44:34 -0500
Message-Id: <60119AA4-AD27-4C60-BD7E-B0C1D784AB35@ve7jtb.com>
References: <CA+k3eCSpWFwyvk=XHP4b_zxzu-zrMYsS-axF6csO90-ahmkueQ@mail.gmail.com> <BY2PR03MB4423033D5604E9E36B20C23F5CA0@BY2PR03MB442.namprd03.prod.outlook.com> <5CA9073D-BBF7-48BD-BEC5-1F626E8C3818@mit.edu> <8EB68572-DA59-482D-A660-FA6D9848AAD2@oracle.com> <ade5692aa1afa2d9d79b8ac7a55bf150@lodderstedt.net> <5698CB3D.1030306@gmail.com> <CABUp4f4VPbDSyanidG3kWQ7GovGk1jf845=B7LwekS-1Ga2E_w@mail.gmail.com> <5698FEE5.9050305@gmail.com> <CABUp4f6jEwnt2agJbV7xu5GR_hnPsamBdZb-0THRS1OGs-ZiRw@mail.gmail.com>
To: Buhake Sindi <buhake@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/B5WcGIAuzj8miRCrJLnATyXD2m0>
Cc: "oauth@ietf.org" <oauth@ietf.org>

Currently the canonical form of an RFC is ASCII, and there is an external tool that tries to do HTML markup on the ASCII version.

When authoring, something that works in English may well not get the right HTML markup.
The authors do their best, but there is no way to fix it by editing the HTML as a reasonable person might expect.

The process is changing to make the XML the canonical form so that HTML can be produced with correct markup.

Going forward I hope these markup problems are eliminated in new drafts.

John B.

> On Jan 15, 2016, at 9:21 AM, Buhake Sindi <buhake@gmail.com> wrote:
> 
> Hi,
> 
> Was just reading the specification (RFC 7662) and the following link "breaks"
> 
> Chapter 2.3
> 
> 
> 2.3 <https://tools.ietf.org/html/rfc7662#section-2.3>.  Error Response
> 
>    If the protected resource uses OAuth 2.0 client credentials to
>    authenticate to the introspection endpoint and its credentials are
>    invalid, the authorization server responds with an HTTP 401
>    (Unauthorized) as described in Section 5.2 <https://tools.ietf.org/html/rfc7662#section-5.2> of OAuth 2.0 [RFC6749 <https://tools.ietf.org/html/rfc6749>].
> 
> Richer                       Standards Track                    [Page 8]
>   <https://tools.ietf.org/html/rfc7662#page-9>
> RFC 7662 <https://tools.ietf.org/html/rfc7662>                   OAuth Introspection              October 2015
> 
> 
>    If the protected resource uses an OAuth 2.0 bearer token to authorize
>    its call to the introspection endpoint and the token used for
>    authorization does not contain sufficient privileges or is otherwise
>    invalid for this request, the authorization server responds with an
>    HTTP 401 code as described in Section 3 <https://tools.ietf.org/html/rfc7662#section-3> of OAuth 2.0 Bearer Token
>    Usage [RFC6750 <https://tools.ietf.org/html/rfc6750>].
> 
> The links for [Section 5.2] and [Section 3] both point to the same place (RFC 7662) instead of the specified RFC. E.g. there is no Section 5.2 in RFC 7662, but the link points to it.
> 
> 
> Kind Regards,
> 
> 
> Buhake Sindi
> 
> 
> On 15 January 2016 at 16:15, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
> Ouch, you are right, sorry for the confusion,
> Thanks, Sergey
> On 15/01/16 14:13, Buhake Sindi wrote:
> Hi,
> 
> Are you not mistaking this with RFC 7662? :-)
> 
> Kind Regards,
> 
> Buhake Sindi
> 
> On 15 Jan 2016 12:34, "Sergey Beryozkin" <sberyozkin@gmail.com> wrote:
> 
>     Hi All,
> 
>     I'm reviewing RFC 7622 as we are going ahead with implementing it.
>     I have a question:
> 
>     1. Token Hint in the introspection request.
>     The spec mentions 'refresh_token' as one of the possible values. But
>     a protected resource does not see a refresh token (ever?); it is
>     the Access Token service which does.
>     When would a protected resource use a 'refresh_token' hint when
>     requesting an introspection response ?
> 
>     Thanks, Sergey
> 
> 
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org
>     https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> 
> -- 
> Sergey Beryozkin
> 
> Talend Community Coders
> http://coders.talend.com/
> 
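The quoted Section 2.3 text distinguishes two 401 paths (bad client credentials as in RFC 6749 Section 5.2, and a missing, invalid or under-privileged bearer token as in RFC 6750 Section 3), and Sergey's question concerns the token_type_hint parameter. The following is an added example, not code from anyone in this thread, from RFC 7662 or from any product: a toy introspection handler written as a plain function that implements those two 401 paths together with the two other behaviours of RFC 7662 that matter in practice. A token that cannot be located, or has expired, is answered with 200 and active=false rather than an error (Section 2.2), and token_type_hint is only an optimization, so a wrong hint still finds the token because the search is extended across all supported types (Section 2.1). The client registry, token store, the "introspect" scope name, the fixed clock and the header/form dictionaries are all constructed for the example.

```python
"""Toy OAuth 2.0 token introspection endpoint (RFC 7662) as a plain function.
Added example for this thread, not code from the posters, the RFC or any
product; the client registry, token store, scope name and request dicts are
constructed so it runs offline.
"""
import base64
import hmac

NOW = 1452869076  # fixed clock (15 Jan 2016 UTC) so results are deterministic
REALM = "introspection"

# Constructed data: one protected resource registered as a confidential
# client (RFC 6749 2.3.1) and a few issued tokens keyed by token type.
CLIENTS = {"rs1": "rs1-secret"}
TOKENS = {
    "access_token": {
        "at-good": {"scope": "read", "client_id": "app1", "sub": "alice", "exp": NOW + 600},
        "at-expired": {"scope": "read", "client_id": "app1", "sub": "bob", "exp": NOW - 1},
    },
    "refresh_token": {
        "rt-good": {"scope": "read write", "client_id": "app1", "sub": "alice", "exp": NOW + 86400},
    },
}
# Bearer tokens a protected resource may present instead of client credentials.
# The "introspect" scope name is an assumption; RFC 7662 does not define one.
RS_BEARER = {"rs-bearer-ok": "introspect", "rs-bearer-weak": "read"}


def basic_auth(client_id, secret):
    """Build the Authorization header a protected resource would send."""
    raw = f"{client_id}:{secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def _authenticate(headers):
    """Return None if the caller is authorized, else a 401 response tuple.
    RFC 7662 2.3: bad client credentials -> 401 as in RFC 6749 5.2; missing,
    invalid or under-privileged bearer token -> 401 as in RFC 6750 3.
    """
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            cid, _, secret = base64.b64decode(value, validate=True).decode().partition(":")
        except Exception:
            cid, secret = "", ""
        expected = CLIENTS.get(cid, "")
        # compare_digest keeps the secret comparison constant-time
        if not (expected and hmac.compare_digest(secret.encode(), expected.encode())):
            return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, {"error": "invalid_client"}
        return None
    if scheme.lower() == "bearer":
        granted = RS_BEARER.get(value)
        if granted is None:
            return 401, {"WWW-Authenticate": f'Bearer realm="{REALM}", error="invalid_token"'}, {}
        if "introspect" not in granted.split():
            # RFC 6750 3.1 pairs insufficient_scope with 403 in general;
            # RFC 7662 2.3 says 401 for this endpoint, so 401 is used here.
            challenge = f'Bearer realm="{REALM}", error="insufficient_scope", scope="introspect"'
            return 401, {"WWW-Authenticate": challenge}, {}
        return None
    # No usable credentials: challenge, never answer anonymously. RFC 7662 2.1
    # requires the caller to be authorized, and its security considerations
    # warn that an open endpoint lets an attacker fish for valid tokens.
    return 401, {"WWW-Authenticate": f'Bearer realm="{REALM}"'}, {}


def _lookup(token, hint):
    """Find a token, trying the hinted type first.
    RFC 7662 2.1: token_type_hint is only an optimization; if the token is not
    found under the hinted type the server MUST search every type it supports,
    so a refresh_token hint sent for an access token still finds it.
    """
    order = sorted(TOKENS, key=lambda t: t != hint)  # hinted type first
    for ttype in order:
        if token in TOKENS[ttype]:
            return TOKENS[ttype][token]
    return None


def introspect(headers, form):
    """Handle a POST to the introspection endpoint.
    `headers` carries the caller's Authorization, `form` the urlencoded body
    (both constructed dicts). Returns (status, response_headers, body).
    """
    challenge = _authenticate(headers)
    if challenge is not None:
        return challenge
    token = form.get("token")
    if not token:
        return 400, {}, {"error": "invalid_request"}  # token is REQUIRED (2.1)
    rec = _lookup(token, form.get("token_type_hint"))
    if rec is None or rec["exp"] <= NOW:
        # Unknown, expired or revoked tokens are not an error: RFC 7662 2.2
        # says answer 200 with active=false and nothing else, so the caller
        # cannot tell "never issued" from "revoked".
        return 200, {}, {"active": False}
    return 200, {}, {"active": True, **rec}
```

Two points worth noting when wiring this into a real server. First, the caller is authenticated before the token is even read, and an unauthenticated request gets a challenge rather than an answer; combined with the uniform active=false response, this is what keeps the endpoint from being a token oracle. Second, the hint handling shows why a protected resource never needing to send refresh_token is not a problem for the protocol: the hint is advisory, and the server falls back to a full search whenever it does not match.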