IETF Logo Mail Archive

Re: [OAUTH-WG] A question on token revocation.

Justin Richer <jricher@mitre.org> Wed, 06 February 2013 15:19 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B01DF21F892B for <oauth@ietfa.amsl.com>; Wed, 6 Feb 2013 07:19:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.572
X-Spam-Level:
X-Spam-Status: No, score=-6.572 tagged_above=-999 required=5 tests=[AWL=0.026, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a33bNESq1fvJ for <oauth@ietfa.amsl.com>; Wed, 6 Feb 2013 07:19:44 -0800 (PST)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 856A021F88E6 for <oauth@ietf.org>; Wed, 6 Feb 2013 07:19:44 -0800 (PST)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 1517C451000D; Wed, 6 Feb 2013 10:19:44 -0500 (EST)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id ECD2D1F2CA5; Wed, 6 Feb 2013 10:19:43 -0500 (EST)
Received: from [10.146.15.29] (129.83.31.58) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.2.318.4; Wed, 6 Feb 2013 10:19:43 -0500
Message-ID: <5112746B.70403@mitre.org>
Date: Wed, 06 Feb 2013 10:19:07 -0500
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130106 Thunderbird/17.0.2
MIME-Version: 1.0
To: Prabath Siriwardena <prabath@wso2.com>
References: <CAJV9qO8UgLV6SdegZSk4KT3Qyb-M2KmPFPV9xDht_WjibeUWrg@mail.gmail.com> <51126D65.2090707@mitre.org> <CAJV9qO-ZNVcbzNvb---CmXv+vo0jZHKQaDon8OqrPJCfAXKTRQ@mail.gmail.com>
In-Reply-To: <CAJV9qO-ZNVcbzNvb---CmXv+vo0jZHKQaDon8OqrPJCfAXKTRQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------050909000801090906040907"
X-Originating-IP: [129.83.31.58]
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A question on token revocation.
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Feb 2013 15:19:45 -0000

On 02/06/2013 10:13 AM, Prabath Siriwardena wrote:
>
>
> On Wed, Feb 6, 2013 at 8:19 PM, Justin Richer <jricher@mitre.org 
> <mailto:jricher@mitre.org>> wrote:
>
>     These are generally handled through a user interface where the RO
>     is authenticated directly to the AS, and there's not much need for
>     a "protocol" here, in practice.
>
>
> Why do you think leaving access token revocation by RO to a 
> proprietary API is a good practice ? IMO this an essential requirement 
> in API security.
I think it makes more sense in the same way that having a "proprietary" 
UI/API for managing the user consent makes sense: unless you're doing a 
fully dynamic end-to-end system like UMA, then there's not much value in 
trying to squeeze disparate systems into the same mold, since they won't 
be talking to each other anyway.

And since you refer to it as an "API", what will the RO be using to call 
this API? Is there a token management client that's separate from the 
OAuth client?

>
> IMHO token revocation done my RO is more practical than token 
> revocation done by the Client.
They're both valid but require different kinds of protocols and 
considerations. This token revocation draft is meant to solve one 
problem, and that doesn't mean it can or should solve other seemingly 
related problems.

If you would like to see the RO-initiated token revocation go through 
(not grant revocation, mind you -- that's related, but different), then 
I would suggest that you start specifying exactly how that works. I 
predict it will be problematic in practice, though, as the RO often 
doesn't actually have direct access to the token itself.

>     There are larger applications, like UMA, that have client and PR
>     provisioning that would allow for this to be managed somewhat
>     programmatically, but even in that case you're still generally
>     doing token revocation by a "client" in some fashion. In UMA,
>     though, several different pieces can play the role of a "client"
>     at different parts of the process.
>
>     Revoking a scope is a whole different mess. Generally, you'd want
>     to just revoke an existing token and make a new authorization
>     grant with lower access if you don't want that client getting that
>     scope anymore. If you just want to downscope for a single
>     transaction, you can already do that with either the refresh token
>     or token chaining approaches, depending on where in the process
>     you are. The latter of these are both client-focused, though, and
>     the RO doesn't have a direct hand in it at this point.
>
>
> Why do you think it a mess. If you revoke the entire token then Client 
> needs to go through the complete OAuth flow - and also needs to get 
> the user consent. If RO can  downgrade the scope, then we restrict API 
> access by the client at RS end and its transparent to the client.
>

Downgrading the scope of tokens in the wild is hardly transparent to the 
client (stuff that it expects to work will suddenly start to fail, 
meaning that most clients will throw out the token and try to get a new 
one), and in a distributed system you've got to propagate that change to 
the RS. If you bake the scopes into the token itself (which many do) 
then you actually *can't* downgrade a single token, anyway.

  -- Justin

> Thanks & regards,
> -Prabath
>
>
>
>      -- Justin
>
>
>     On 02/06/2013 04:35 AM, Prabath Siriwardena wrote:
>>     I am sorry if this was already discussed in this list..
>>
>>     Looking at [1] it only talks about revoking the access token from
>>     the client.
>>
>>     How about the resource owner..?
>>
>>     There can be cases where resource owner needs to revoke an
>>     authorized access token from a given client. Or revoke an scope..
>>
>>     How are we going to address these requirements..? Thoughts
>>     appreciated...
>>
>>     [1] http://tools.ietf.org/html/draft-ietf-oauth-revocation-04
>>
>>     -- 
>>     Thanks & Regards,
>>     Prabath
>>
>>     Mobile : +94 71 809 6732 <tel:%2B94%2071%20809%206732>
>>
>>     http://blog.facilelogin.com
>>     http://RampartFAQ.com
>>
>>
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
> -- 
> Thanks & Regards,
> Prabath
>
> Mobile : +94 71 809 6732
>
> http://blog.facilelogin.com
> http://RampartFAQ.com

v2.23.0 | Report a Bug | By Email