[OAUTH-WG] Question on RFC 7009 OAuth 2.0 Token Revocation

Brian Campbell <bcampbell@pingidentity.com> Thu, 12 December 2013 23:43 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 12 Dec 2013 16:42:29 -0700
Message-ID: <CA+k3eCTfa6iVEc9NUkRHppWovpGCSR0HjknX2vNmTw105NztfA@mail.gmail.com>
To: oauth <oauth@ietf.org>

The second paragraph of section 2 of RFC 7009 [1] says that the revocation
endpoint must conform to the rules in section 3.1 of RFC 6749 (The OAuth
2.0 Authorization Framework) [2] but that section is about the
*Authorization Endpoint*, which doesn't make much sense to me. The resource
owner is involved with the authorization endpoint but not with the
revocation endpoint. The authorization endpoint MUST accept GET and MAY
accept POST while the revocation endpoint always accepts POST except for
the JSONP support which is just a MAY for GET. There's also talk elsewhere
in RFC 7009 about client authentication, which only happens at the token
endpoint, not the authorization endpoint (note that the link in 2.1 of
RFC 7009 [3] that should go to 2.3 of RFC 6749 actually links back to
itself).

Is the reference a mistake in RFC 7009? If not, could someone explain what
the intent was there or what it really means?

Thanks for any clarification!

[1] http://tools.ietf.org/html/rfc7009#section-2
[2] http://tools.ietf.org/html/rfc6749#section-3.1
[3] http://tools.ietf.org/html/rfc7009#section-2.1
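To make the behaviour the message contrasts concrete (POST only, client authentication as at the token endpoint, and the 200-for-invalid-token rule of RFC 7009 section 2.2), here is an added example of a minimal revocation endpoint written as a pure function. It is not code from the email, the OAuth WG, or any real authorization server: the client registry, token store, token values and client secrets are constructed sample data, the JSONP GET variant of section 2.3 is left out, and treating a token that belongs to a different client exactly like an unknown token (no revocation, still 200) is a design choice made here so the response does not reveal whether the token exists.

```python
"""Minimal RFC 7009 token revocation endpoint as a pure function.

Constructed example: the client registry and token store are in-memory
dictionaries and handle_revocation() takes an already-parsed request and
returns (status, headers, body), so it can be exercised without a server.
"""
import base64
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

# --- constructed sample data (not from the RFC or any real deployment) ---
CLIENTS: Dict[str, str] = {
    "s6BhdRkqt3": "7Fjfp0ZBr1KtDRbnfVdmIw",   # client_id -> client_secret
    "other-client": "secret-two",
}


@dataclass
class TokenRecord:
    client_id: str                # client the token was issued to
    kind: str                     # "access_token" or "refresh_token"
    revoked: bool = False
    parent: Optional[str] = None  # refresh token this access token came from


@dataclass
class TokenStore:
    tokens: Dict[str, TokenRecord] = field(default_factory=dict)

    def revoke(self, value: str) -> None:
        rec = self.tokens[value]
        rec.revoked = True
        # RFC 7009 2.1: revoking a refresh token SHOULD also invalidate
        # access tokens issued from the same grant.
        if rec.kind == "refresh_token":
            for other in self.tokens.values():
                if other.parent == value:
                    other.revoked = True


def sample_store() -> TokenStore:
    """Constructed tokens: one refresh token, its access token, a foreign token."""
    store = TokenStore()
    store.tokens["rt-1"] = TokenRecord("s6BhdRkqt3", "refresh_token")
    store.tokens["at-1"] = TokenRecord("s6BhdRkqt3", "access_token", parent="rt-1")
    store.tokens["at-foreign"] = TokenRecord("other-client", "access_token")
    return store


def basic_auth(client_id: str, secret: str) -> Dict[str, str]:
    """Build the HTTP Basic header a client would send (RFC 6749 2.3.1)."""
    raw = f"{client_id}:{secret}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def authenticate_client(headers: Dict[str, str]) -> Optional[str]:
    """HTTP Basic client authentication per RFC 6749 2.3.1; None on failure."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
        client_id, secret = (unquote(p) for p in decoded.split(":", 1))
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    expected = CLIENTS.get(client_id)
    if expected is None:
        return None
    if not hmac.compare_digest(secret.encode("utf-8"), expected.encode("utf-8")):
        return None
    return client_id


def handle_revocation(method: str, headers: Dict[str, str], form: Dict[str, str],
                      store: TokenStore) -> Tuple[int, Dict[str, str], str]:
    json_hdr = {"Content-Type": "application/json"}
    # RFC 7009 section 2: the client requests revocation with an HTTP POST
    # (the optional JSONP GET variant of section 2.3 is not implemented here).
    if method != "POST":
        return 405, {"Allow": "POST"}, ""
    # Client authentication happens here, as at the token endpoint.
    client_id = authenticate_client(headers)
    if client_id is None:
        # RFC 6749 5.2: invalid_client, 401 with a WWW-Authenticate challenge
        hdrs = {**json_hdr, "WWW-Authenticate": 'Basic realm="revocation"'}
        return 401, hdrs, json.dumps({"error": "invalid_client"})
    token = form.get("token")
    if token is None:
        return 400, json_hdr, json.dumps({"error": "invalid_request"})
    hint = form.get("token_type_hint")
    if hint is not None and hint not in ("access_token", "refresh_token"):
        # RFC 7009 2.2.1: the one revocation-specific error code
        return 400, json_hdr, json.dumps({"error": "unsupported_token_type"})
    # The hint is only an optimisation; the token is looked up regardless.
    rec = store.tokens.get(token)
    if rec is not None and rec.client_id == client_id:
        store.revoke(token)
    # RFC 7009 2.2: 200 whether the token was revoked or was invalid. Design
    # choice here: a token issued to another client is treated as invalid, so
    # the status code never reveals whether a token exists or who owns it.
    return 200, {}, ""
```

Driving the function from a test with the sample store shows the three outcomes the message distinguishes: a GET is refused outright, a request without valid client credentials gets `invalid_client`, and an authenticated POST gets 200 whether the token was the client's own, unknown, or somebody else's.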