Re: [OAUTH-WG] Access Token Response without expires_in
Paul Madsen <paul.madsen@gmail.com> Wed, 18 January 2012 13:57 UTC
To: William Mills <wmills@yahoo-inc.com>
Cc: OAuth WG <oauth@ietf.org>
which argues for expressing both explicitly

On 1/17/12 3:58 PM, William Mills wrote:
> One use tokens can also expire before they are used. "You have 5
> minutes to do this once."
>
> ------------------------------------------------------------------------
> *From:* Torsten Lodderstedt [torsten@lodderstedt.net]
> *Sent:* Tuesday, January 17, 2012 12:26 PM
> *To:* Paul Madsen
> *Cc:* oauth-bounces@ietf.org; Richer, Justin P.; OAuth WG
> *Subject:* Re: AW: Re: [OAUTH-WG] Access Token Response without expires_in
>
> Hi Paul,
>
> that's not what I meant. The Client should know which tokens should be
> one time usage based on the API description. The authz server must not
> return expires_in because this would not make any sense in this case.
>
> regards,
> Torsten
>
> Paul Madsen <paul.madsen@gmail.com> wrote:
>
> Hi Torsten, yes the use case in question is payment-based as well.
>
> Your suggestion for the client to infer one-time usage from a
> missing expires_in contradicts the general consensus of this
> thread does it not?
>
> paul
>
> On 1/17/12 11:38 AM, torsten@lodderstedt.net wrote:
>> Hi,
>>
>> isn't one-time semantics typically associated with certain requests
>> on certain resources/resource types. I therefore would assume the
>> client to know which tokens to use one-time only. The authz server
>> should not return an expires_in parameter. We for example use one
>> time access tokens for payment transactions.
>>
>> What would such an extension specify?
>>
>> regards,
>> Torsten.
>> Sent with BlackBerry® Webmail from Telekom Deutschland
>>
>> -----Original Message-----
>> From: Paul Madsen <paul.madsen@gmail.com>
>> Sender: oauth-bounces@ietf.org
>> Date: Tue, 17 Jan 2012 08:23:37
>> To: Richer, Justin P. <jricher@mitre.org>
>> Cc: OAuth WG <oauth@ietf.org>
>> Subject: Re: [OAUTH-WG] Access Token Response without expires_in
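
An added illustration of the point argued in this message (example code added here, not from the thread or from any OAuth specification): a client-side token cache that tracks lifetime and single-use as two independent properties, so a missing expires_in is never read as "one-time". The `one_time_use` response field, the `api_says_single_use` argument and all function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class CachedToken:
    value: str
    expires_at: Optional[float]  # None: server sent no expires_in, lifetime unknown
    single_use: bool
    used: bool = False

    def usable(self, now: float) -> bool:
        # The two checks are independent: a one-time token can expire
        # unused, and a reusable token can have no stated lifetime.
        if self.single_use and self.used:
            return False
        if self.expires_at is not None and now >= self.expires_at:
            return False
        return True


def cache_token(response: dict, now: float,
                api_says_single_use: bool = False) -> CachedToken:
    """Build a cache entry from a parsed access token response."""
    expires_in = response.get("expires_in")
    if expires_in is not None:
        bad_type = isinstance(expires_in, bool) or not isinstance(expires_in, (int, float))
        if bad_type or expires_in <= 0:
            raise ValueError("invalid expires_in")
    # "one_time_use" is a HYPOTHETICAL extension field standing in for an
    # explicit signal from the server. Without it, fall back to what the
    # client knows from the API description (api_says_single_use).
    explicit = response.get("one_time_use")
    single_use = explicit if isinstance(explicit, bool) else api_says_single_use
    expires_at = None if expires_in is None else now + expires_in
    return CachedToken(response["access_token"], expires_at, single_use)


def spend(token: CachedToken, now: float) -> Optional[str]:
    """Return the token value for one request, or None if a new token is needed."""
    if not token.usable(now):
        return None
    token.used = True
    return token.value
```
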