Re: [OAUTH-WG] Detecting revoked token in OAuth 2.0 client libraries

"Bart Wiegmans" <> Mon, 09 January 2012 14:23 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BE0E521F875E for <>; Mon, 9 Jan 2012 06:23:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.204
X-Spam-Status: No, score=-0.204 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, MIME_8BIT_HEADER=0.3]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id onVKzkTnlf1O for <>; Mon, 9 Jan 2012 06:23:11 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 282F421F874F for <>; Mon, 9 Jan 2012 06:23:03 -0800 (PST)
Received: from (localhost []) by (Postfix) with ESMTP id CC31C9443A for <>; Mon, 9 Jan 2012 15:23:01 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h= mime-version:content-type:content-transfer-encoding:subject:date :message-id:in-reply-to:references:from:to; s=selector1; bh=V1Gt yNCECjE78YVDqeE+x0xkras=; b=LCaxcwLT8VDN8o89Z3603kX/HTxt2h4KNZBL hgZuRvOSnX4jyIcAdXfqMJQmk2WoAdC1vNiPLVdi3666yZfauQuHy1t7EZE2njK0 xgnGL+8MQr1pILOikXAg6cfUuAX6lxSNehkMVqnY67hyZpbPTAGBsEzJTyW091xD LNu0WD8=
Received: from ( []) by (Postfix) with ESMTP id 57BA694436; Mon, 9 Jan 2012 15:23:01 +0100 (CET)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 09 Jan 2012 15:22:55 +0100
Message-ID: <AEDA1B65E9329448939CEFA895C129E203F72449@studentserver.studentennet.local>
In-Reply-To: <>
Thread-Topic: [OAUTH-WG] Detecting revoked token in OAuth 2.0 client libraries
Thread-Index: AczO2Qcm574cmqAXTGCVUoDrpJiR5QAAAuew
References: <>
From: Bart Wiegmans <>
To: Andreas Åkre Solberg <>,
Subject: Re: [OAUTH-WG] Detecting revoked token in OAuth 2.0 client libraries
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 09 Jan 2012 14:23:15 -0000


As far as I know, the implementation of API endpoints is outside of the specification of OAuth. 
But the specification of Bearer Tokens state that the endpoint must return the HTTP 403 (Access Denied) status code, along with a WWW-Authenticate: Bearer response header. That should be enough to determine token invalidity. 

With kind regards,
Bart Wiegmans

-----Oorspronkelijk bericht-----
Van: [] Namens Andreas Åkre Solberg
Verzonden: maandag 9 januari 2012 9:41
Onderwerp: [OAUTH-WG] Detecting revoked token in OAuth 2.0 client libraries


I'm trying to do an OAuth 2.0 library, and got a question:

I cannot find a standardized way for an OAuth protected endpoint to report to the client that the Token is not valid (expired or revoked). As a library developer, I'd like to take away as much of possible of the OAuth logic from the application. I need a way to distinguish applicaiton specific protocol errors, from OAuth related errors on protected endpoints.

If the library could detect this, it could also in example do refresh the token automatically, and even start a new flow if neccessary.

I'm sorry if the answer is obvious. 

Another question on token validity; the optional expires_in parameter. If I would like to indicate permanent validity, how can I express that? I assume that if I leave the parameter out it is not possible to distinguish between 'undefined / not specified' and 'infitite'. Putting the semanthics into a specific scope could off course work, but lack the feature of beeing standardized between providers.