Re: [OAUTH-WG] Section 10.3 client advice inapplicable?
Eran Hammer <eran@hueniverse.com> Thu, 08 March 2012 02:12 UTC
From: Eran Hammer <eran@hueniverse.com>
To: Andrew Arnott <andrewarnott@gmail.com>, "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Date: Wed, 07 Mar 2012 17:20:26 -0700

Removed 'and lifetime'.

EH

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Andrew Arnott
Sent: Sunday, February 19, 2012 7:09 AM
To: OAuth WG (oauth@ietf.org)
Subject: [OAUTH-WG] Section 10.3 client advice inapplicable?

From draft 23, section 10.3:

The client SHOULD request access tokens with the minimal scope and lifetime necessary. The authorization server SHOULD take the client identity into account when choosing how to honor the requested scope and lifetime, and MAY issue an access token with a less rights than requested.

I can't find the part in the spec where the client can request access tokens in such a way as to influence the lifetime. Why is the client then being advised in the above section to minimize the lifetime of the access tokens it asks for?

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre