Re: [OAUTH-WG] Clarification about compatibility between rfc6750 and rfc7662

Justin Richer <jricher@mit.edu> Wed, 15 February 2017 13:28 UTC

To: Maduranga Siriwardena <maduranga.siriwardena@gmail.com>, oauth@ietf.org
References: <CAFxuRFgWVC_bvLXimkoDurjT=b43xkCkmTYHk4sUv=dK50x7JQ@mail.gmail.com>
From: Justin Richer <jricher@mit.edu>
Message-ID: <37a525b5-7352-0f4a-7a91-2fc600fb8b5d@mit.edu>
Date: Wed, 15 Feb 2017 08:28:17 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/DIgmrVZbhzIWL58jTkved4aMk9k>

These specs cover two different connections: 6750 is client to RS, 7662 
is RS to AS.

When the authorization server and the resource server are the same box, 
it will know exactly why the token isn't any good and it can react 
accordingly. The client doesn't actually care: note that the error 
response in the example is descriptive text and not a value to be parsed 
and acted upon.

In the case where they're separate boxes (which is what introspection is 
set up for), the RS might not be allowed to know the details about the 
token not being good, and in any event it doesn't change how the RS 
responds to that situation.

So to use them together, you would respond with "active: false" from 
introspection and return a WWW-Authenticate header with "invalid_token" 
from the resource to the client, no description field needed.

  -- Justin
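The flow described above, as an added example (not code from this thread or from any project mentioned in it): a stand-in authorization server that knows exactly why a token is bad but answers introspection with only "active": false, and a resource server that turns any inactive result into a bare invalid_token challenge with no error_description. The token store, realm and scope values are constructed for the example.

```python
import time

# Constructed AS-side token store (example data only, not from the thread).
TOKEN_STORE = {
    "tok-good":    {"sub": "alice", "scope": "read", "exp": time.time() + 3600},
    "tok-expired": {"sub": "bob",   "scope": "read", "exp": time.time() - 60},
    "tok-revoked": {"sub": "carol", "scope": "read", "exp": time.time() + 3600,
                    "revoked": True},
}

def introspect(token):
    """AS side (RFC 7662 section 2.2): the AS can tell expired from revoked
    from unknown, but it only tells the RS 'active: false', with no reason."""
    meta = TOKEN_STORE.get(token)
    if meta is None or meta.get("revoked") or meta["exp"] <= time.time():
        return {"active": False}
    return {"active": True, "sub": meta["sub"], "scope": meta["scope"],
            "exp": int(meta["exp"])}

def protected_resource(headers, required_scope="read", realm="example"):
    """RS side (RFC 6750 section 3): map the introspection result to the
    response sent to the client. Returns (status, headers, body)."""
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        # No token presented: challenge without an error code (RFC 6750 3.1).
        return 401, {"WWW-Authenticate": f'Bearer realm="{realm}"'}, ""
    info = introspect(token.strip())
    if not info["active"]:
        # Expired, revoked or unknown all collapse to invalid_token; the RS
        # has no reason to pass on, so no error_description is emitted.
        return 401, {"WWW-Authenticate":
                     f'Bearer realm="{realm}", error="invalid_token"'}, ""
    if required_scope not in info["scope"].split():
        return 403, {"WWW-Authenticate":
                     f'Bearer realm="{realm}", error="insufficient_scope", '
                     f'scope="{required_scope}"'}, ""
    return 200, {"Content-Type": "text/plain"}, f"hello {info['sub']}"
```

Note that the expired and revoked tokens produce byte-identical 401 responses: the client learns only that it must obtain a new token.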

On 2/13/2017 4:59 PM, Maduranga Siriwardena wrote:
> Hi All,
>
> While going through [1] and [2] I noticed a small contradiction 
> between the standards.
>
> Section 3 (The WWW-Authenticate Response Header Field) of [1] provides 
> an example with a WWW-Authenticate header error description of 
> "The access token expired".
>
> This error description should have been obtained from the response to 
> the introspection request sent to the authorization server. But according 
> to section 2.2 (Introspection Response) of [2], it is not recommended 
> to include any additional information about an inactive token, 
> including why the token is inactive.
>
> So how do these scenarios match with each other?
>
> [1] https://tools.ietf.org/html/rfc6750
> [2] https://tools.ietf.org/html/rfc7662
>
> Thanks,
> -- 
> Maduranga Siriwardena
> Software Engineer
> WSO2 Inc.
>