Re: [OAUTH-WG] delete access tokens?

Justin Richer <jricher@mitre.org> Fri, 02 December 2011 18:45 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4C701F0C36 for <oauth@ietfa.amsl.com>; Fri, 2 Dec 2011 10:45:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O2XXv+haRmh6 for <oauth@ietfa.amsl.com>; Fri, 2 Dec 2011 10:45:23 -0800 (PST)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id ED44F21F8C33 for <oauth@ietf.org>; Fri, 2 Dec 2011 10:45:22 -0800 (PST)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id CA2FC21B1442 for <oauth@ietf.org>; Fri, 2 Dec 2011 13:45:21 -0500 (EST)
Received: from imchub1.MITRE.ORG (imchub1.mitre.org [129.83.29.73]) by smtpksrv1.mitre.org (Postfix) with ESMTP id AAAE921B18A6 for <oauth@ietf.org>; Fri, 2 Dec 2011 13:45:21 -0500 (EST)
Received: from [129.83.50.8] (129.83.50.8) by imchub1.MITRE.ORG (129.83.29.73) with Microsoft SMTP Server (TLS) id 8.3.192.1; Fri, 2 Dec 2011 13:45:22 -0500
Message-ID: <4ED91CB4.7090301@mitre.org>
Date: Fri, 02 Dec 2011 13:45:08 -0500
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20111124 Thunderbird/8.0
MIME-Version: 1.0
To: oauth@ietf.org
References: <AEDA1B65E9329448939CEFA895C129E203850B09@studentserver.studentennet.local> <63366D5A116E514AA4A9872D3C5335395BB5495FBE@QEO40072.de.t-online.corp>
In-Reply-To: <63366D5A116E514AA4A9872D3C5335395BB5495FBE@QEO40072.de.t-online.corp>
Content-Type: multipart/alternative; boundary="------------000408030103020805040505"
Subject: Re: [OAUTH-WG] delete access tokens?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Dec 2011 18:45:23 -0000

Specifically, the DELETE method was rejected as tokens aren't 
necessarily directly URL-addressable from the token endpoint. 
Shoehorning that requirement in order to make it feel more RESTful was 
more of a hack than a few folks (myself included) really wanted to make.

  -- Justin

On 11/29/2011 08:08 AM, Lodderstedt, Torsten wrote:
>
> Hi Bart,
>
> I think this would be a truly RESTful approach. The group discussed 
> this topic several months ago and consensus was to use another 
> endpoint for token revocation (== deletion). Pls. take a look onto 
> http://tools.ietf.org/html/draft-lodderstedt-oauth-revocation-02.
>
> regards,
>
> Torsten.
>
> *Von:*Bart Wiegmans [mailto:bart@all4students.nl]
> *Gesendet:* Dienstag, 29. November 2011 11:32
> *An:* oauth WG
> *Betreff:* [OAUTH-WG] delete access tokens?
>
> Hello everybody, again.
>
> This is just me pushing a random idea, but what if you specified that 
> clients could ask for access token invalidation by making a DELETE 
> request to the token endpoint?
>
> Bart Wiegmans
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth