Re: [OAUTH-WG] A question on token revocation.
Prabath Siriwardena <prabath@wso2.com> Wed, 06 February 2013 15:31 UTC
Return-Path: <prabath@wso2.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFA5D21F87F9 for <oauth@ietfa.amsl.com>; Wed, 6 Feb 2013 07:31:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.403
X-Spam-Level:
X-Spam-Status: No, score=-2.403 tagged_above=-999 required=5 tests=[AWL=0.573, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c0CiiXUFP-PA for <oauth@ietfa.amsl.com>; Wed, 6 Feb 2013 07:31:32 -0800 (PST)
Received: from mail-ea0-f180.google.com (mail-ea0-f180.google.com [209.85.215.180]) by ietfa.amsl.com (Postfix) with ESMTP id 3EFE621F856F for <oauth@ietf.org>; Wed, 6 Feb 2013 07:31:31 -0800 (PST)
Received: by mail-ea0-f180.google.com with SMTP id c1so616469eaa.11 for <oauth@ietf.org>; Wed, 06 Feb 2013 07:31:31 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type:x-gm-message-state; bh=xi9MVZtNIreYjjCkKamsk2gxd7cvYQ+aMRSS74ZkY4M=; b=VGpUHlAlQabsPCoI2d1wgShLWNQ4AbAtonFMxJyXgezbE/soFQOHX/zO7zN600+e+c 0GGDpAAoACvFU1oRwMiCGThO1xTfwB7BQ5vxlgIz+J5D59iRBZ//pqE0A6mRfOYydjeU TGgf0DO1DgpxPYFGafDm8WoHL+5ze1E5aRs+PbuGF2MXsyLkU9BxPiu5/EI8cX6/QwwO jvVf7I/V18s4VRlMHcQNjwDDTzJ7gFJcTsfrTne6ha8swT/GAtpeSJbO+4TgIdyBH3wP duyds+W+xkxzULS7x5HioOp0HC8Lt+PwrC0D+NMCKlaVu+apUEXvN3Qk0KJM2dWuxgkf 6ZvA==
MIME-Version: 1.0
X-Received: by 10.14.202.197 with SMTP id d45mr52218386eeo.1.1360164691145; Wed, 06 Feb 2013 07:31:31 -0800 (PST)
Received: by 10.223.175.134 with HTTP; Wed, 6 Feb 2013 07:31:31 -0800 (PST)
In-Reply-To: <5112746B.70403@mitre.org>
References: <CAJV9qO8UgLV6SdegZSk4KT3Qyb-M2KmPFPV9xDht_WjibeUWrg@mail.gmail.com> <51126D65.2090707@mitre.org> <CAJV9qO-ZNVcbzNvb---CmXv+vo0jZHKQaDon8OqrPJCfAXKTRQ@mail.gmail.com> <5112746B.70403@mitre.org>
Date: Wed, 06 Feb 2013 21:01:31 +0530
Message-ID: <CAJV9qO-mz=K_fJHO8g8XH8DtUxFPvN8hRF7K=gn0etAAqeb0zg@mail.gmail.com>
From: Prabath Siriwardena <prabath@wso2.com>
To: Justin Richer <jricher@mitre.org>
Content-Type: multipart/alternative; boundary="047d7b343b064074a904d51005e6"
X-Gm-Message-State: ALoCoQlnDgbdriWEpRmKlLZneUzJtyggppNZrmXiX6IndZLGJSDuLVt6l7g0x4JL+NDv5n7f40oy
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A question on token revocation.
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Feb 2013 15:31:33 -0000
On Wed, Feb 6, 2013 at 8:49 PM, Justin Richer <jricher@mitre.org> wrote: > > On 02/06/2013 10:13 AM, Prabath Siriwardena wrote: > > > > On Wed, Feb 6, 2013 at 8:19 PM, Justin Richer <jricher@mitre.org> wrote: > >> These are generally handled through a user interface where the RO is >> authenticated directly to the AS, and there's not much need for a >> "protocol" here, in practice. >> > > Why do you think leaving access token revocation by RO to a proprietary > API is a good practice ? IMO this an essential requirement in API security. > > I think it makes more sense in the same way that having a "proprietary" > UI/API for managing the user consent makes sense: unless you're doing a > fully dynamic end-to-end system like UMA, then there's not much value in > trying to squeeze disparate systems into the same mold, since they won't be > talking to each other anyway. > This is required in distributed setup for each API platform from different vendors to perform in an interop manner. > > And since you refer to it as an "API", what will the RO be using to call > this API? Is there a token management client that's separate from the OAuth > client? > I didn't get your question right... If you meant the how to invoke revocation end point, the the resource owner needs to know the consumer key (represents the OAuth Client app) & scope to revoke the access token for a given client. > > IMHO token revocation done my RO is more practical than token revocation > done by the Client. > > They're both valid but require different kinds of protocols and > considerations. This token revocation draft is meant to solve one problem, > and that doesn't mean it can or should solve other seemingly related > problems. > > If you would like to see the RO-initiated token revocation go through (not > grant revocation, mind you -- that's related, but different), then I would > suggest that you start specifying exactly how that works. I predict it will > be problematic in practice, though, as the RO often doesn't actually have > direct access to the token itself. > Resource owner needs to know the consumer key (represents the OAuth Client app) & scope to revoke the access token for a given client. > > > >> There are larger applications, like UMA, that have client and PR >> provisioning that would allow for this to be managed somewhat >> programmatically, but even in that case you're still generally doing token >> revocation by a "client" in some fashion. In UMA, though, several different >> pieces can play the role of a "client" at different parts of the process. >> >> Revoking a scope is a whole different mess. Generally, you'd want to just >> revoke an existing token and make a new authorization grant with lower >> access if you don't want that client getting that scope anymore. If you >> just want to downscope for a single transaction, you can already do that >> with either the refresh token or token chaining approaches, depending on >> where in the process you are. The latter of these are both client-focused, >> though, and the RO doesn't have a direct hand in it at this point. >> > > Why do you think it a mess. If you revoke the entire token then Client > needs to go through the complete OAuth flow - and also needs to get the > user consent. If RO can downgrade the scope, then we restrict API access > by the client at RS end and its transparent to the client. > > > Downgrading the scope of tokens in the wild is hardly transparent to the > client (stuff that it expects to work will suddenly start to fail, meaning > that most clients will throw out the token and try to get a new one), and > in a distributed system you've got to propagate that change to the RS. If > you bake the scopes into the token itself (which many do) then you actually > *can't* downgrade a single token, anyway. > Yes.. that is the expected behavior. I mean the process is transparent. Client will notice at runtime. Thanks & regards, -Prabath > > -- Justin > > > Thanks & regards, > -Prabath > > >> >> >> -- Justin >> >> >> On 02/06/2013 04:35 AM, Prabath Siriwardena wrote: >> >> I am sorry if this was already discussed in this list.. >> >> Looking at [1] it only talks about revoking the access token from the >> client. >> >> How about the resource owner..? >> >> There can be cases where resource owner needs to revoke an authorized >> access token from a given client. Or revoke an scope.. >> >> How are we going to address these requirements..? Thoughts >> appreciated... >> >> [1] http://tools.ietf.org/html/draft-ietf-oauth-revocation-04 >> >> -- >> Thanks & Regards, >> Prabath >> >> Mobile : +94 71 809 6732 <%2B94%2071%20809%206732> >> >> http://blog.facilelogin.com >> http://RampartFAQ.com >> >> >> _______________________________________________ >> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth >> >> >> > > > -- > Thanks & Regards, > Prabath > > Mobile : +94 71 809 6732 > > http://blog.facilelogin.com > http://RampartFAQ.com > > > -- Thanks & Regards, Prabath Mobile : +94 71 809 6732 http://blog.facilelogin.com http://RampartFAQ.com
- [OAUTH-WG] A question on token revocation. Prabath Siriwardena
- Re: [OAUTH-WG] A question on token revocation. Todd W Lainhart
- Re: [OAUTH-WG] A question on token revocation. Justin Richer
- Re: [OAUTH-WG] A question on token revocation. Prabath Siriwardena
- Re: [OAUTH-WG] A question on token revocation. Prabath Siriwardena
- Re: [OAUTH-WG] A question on token revocation. William Mills
- Re: [OAUTH-WG] A question on token revocation. Justin Richer
- Re: [OAUTH-WG] A question on token revocation. Todd W Lainhart
- Re: [OAUTH-WG] A question on token revocation. Prabath Siriwardena
- Re: [OAUTH-WG] A question on token revocation. Todd W Lainhart
- Re: [OAUTH-WG] A question on token revocation. Prabath Siriwardena
- Re: [OAUTH-WG] A question on token revocation. Prabath Siriwardena
- Re: [OAUTH-WG] A question on token revocation. Torsten Lodderstedt
- Re: [OAUTH-WG] A question on token revocation. Prabath Siriwardena
- Re: [OAUTH-WG] A question on token revocation. zhou.sujing
- Re: [OAUTH-WG] A question on token revocation. Prabath Siriwardena
- Re: [OAUTH-WG] A question on token revocation. zhou.sujing
- Re: [OAUTH-WG] A question on token revocation. Justin Richer
- Re: [OAUTH-WG] A question on token revocation. zhou.sujing