Re: [OAUTH-WG] Clarification in Section 2.0 of draft-ietf-oauth-revocation-00
Paul Madsen <paul.madsen@gmail.com> Mon, 11 June 2012 22:52 UTC
Return-Path: <paul.madsen@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC46A21F8449 for <oauth@ietfa.amsl.com>; Mon, 11 Jun 2012 15:52:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.202
X-Spam-Level:
X-Spam-Status: No, score=-2.202 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d37f6fnXR1Zb for <oauth@ietfa.amsl.com>; Mon, 11 Jun 2012 15:52:39 -0700 (PDT)
Received: from mail-qa0-f49.google.com (mail-qa0-f49.google.com [209.85.216.49]) by ietfa.amsl.com (Postfix) with ESMTP id 964B821F845F for <oauth@ietf.org>; Mon, 11 Jun 2012 15:52:36 -0700 (PDT)
Received: by qabj40 with SMTP id j40so2900646qab.15 for <oauth@ietf.org>; Mon, 11 Jun 2012 15:52:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=references:in-reply-to:mime-version:content-transfer-encoding :content-type:message-id:cc:x-mailer:from:subject:date:to; bh=Wr83G65e4axjjbcjJnLJkWlVxQE9TMvNSo3OLsNTdMs=; b=ULI45QPILsMRI9fv568BWjKJinWkrJHIf4Qvg1WdEiRZg/5bjGZEni618UUt/zAB6Y zsmATANlZt9dUHY4DWEBjS+zqN83FjHMqUC33VqLyWifc2LU42kmjHVwU+1eX8AfCJ7y YBp3aj73mKUrgzBKicYXZpL5IDMVybRivQbfIhd2BYB+DMLydgAUkWRukotn1wigjiuJ F2RYNjFY6mdJz+5qvKcULnMkG2oyUrHJHz5hp3earfI0p7SWnFI1f8iIvo2t5mKsR/An gOxjVABhZD/zvgf9/lyH/emIwbckFIEybKWA5Btrx67iQoqPNai60qwOU5uQ8hAAYVxc FMkQ==
Received: by 10.224.116.135 with SMTP id m7mr6901143qaq.9.1339455156062; Mon, 11 Jun 2012 15:52:36 -0700 (PDT)
Received: from [10.118.163.227] ([184.151.114.99]) by mx.google.com with ESMTPS id hj10sm11692579qab.4.2012.06.11.15.52.34 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 11 Jun 2012 15:52:35 -0700 (PDT)
References: <CAA=QE7P_Mmak9_OvqQ4V33e-UHP-n_8oPNiHiYsx=P4syeDz-Q@mail.gmail.com> <4FD65080.9040305@gmail.com> <4FD65ED8.6000507@aol.com>
In-Reply-To: <4FD65ED8.6000507@aol.com>
Mime-Version: 1.0 (1.0)
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary="Apple-Mail-365C97AF-7C95-4391-A77C-D7108DAE804D"
Message-Id: <EA05C2C5-4472-4EC8-92EC-92700BBD25E8@gmail.com>
X-Mailer: iPhone Mail (9A406)
From: Paul Madsen <paul.madsen@gmail.com>
Date: Mon, 11 Jun 2012 18:52:32 -0400
To: George Fletcher <gffletch@aol.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Clarification in Section 2.0 of draft-ietf-oauth-revocation-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jun 2012 22:52:40 -0000
Hi George, perhaps it depends on the reason for the refresh token being revoked. If because the user removed their consent then yes I agree that *all* tokens should be revoked Sent from my iPhone On 2012-06-11, at 5:10 PM, George Fletcher <gffletch@aol.com> wrote: > Paul, > > I think I came to a different conclusion... > > If I use the Resource Owner Password Credential flow and get back both an access_token and a refresh_token then I would assume that the issued access_token is tied in some way to the refresh_token. If the refresh_token is revoked, then my expectation is that the simultaneous issued access_token would also be revoked. > > I read the spec as having a typo that should read... > If the processed token is a refresh token and the authorization > server supports the revocation of access tokens, then the > authorization server SHOULD also invalidate all access tokens issued > *based on* that refresh token. > Or maybe better... "invalidate all access tokens associated/tied-to that refresh token". > > Now in the case that the client is retrieving a new refresh_token and access_token, then the new ones should be valid and the old ones potentially revoked. > > Thanks, > George > > On 6/11/12 4:09 PM, Paul Madsen wrote: >> >> Hi Doug, my interpretation is that 'for that refresh token' means those access tokens issued in exchange for that refresh token. >> >> Consequently, for the cases you cite below, the access tokens at the same time as a given refresh token need not be invalidated when that refresh token is 'processed' >> >> I assume the justification for the rule is that an access token issued in exchange for a given refresh token may have been compromised if the refresh token had been. But there is no such causal relationship between an access token & refresh token issued at same time >> >> paul >> >> On 6/11/12 3:31 PM, doug foiles wrote: >>> >>> Hi all, >>> >>> I was hoping to get some clarity on a statement in section 2.0 of draft-ietf-oauth-revocation-00. >>> >>> If the processed token is a refresh token and the authorization >>> server supports the revocation of access tokens, then the >>> authorization server SHOULD also invalidate all access tokens issued >>> for that refresh token. >>> >>> My question is on the statement "access tokens issued for that refresh token". What does it mean to have an Access Token "issued" for a Refresh Token? >>> >>> This specific case is clear to me. I am refreshing an Access Token where I keep the same Refresh Token that I used to generate the new Access Token. I see the new Access Token was issued for that Refresh Token. >>> However these two cases are a bit muddy to me. Let’s say I am using the "Resource Owner Password Credentials Grant" where the Access Token Response returns both an Access Token and Refresh Token. Would the Access Token have been issued for that Refresh Token? And let’s say I am refreshing an Access Token but choose to create a new Refresh Token and immediately revoke the original Refresh Token. Would the newly created Access Token have been issued for the original Refresh Token or the new one that was created. >>> If a client would revoke a Refresh Token … I would like the Access Tokens in all of the above cases to be automatically revoked as well. I just want to make sure I understand the model. Thanks. >>> Doug Foiles >>> Intuit >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Clarification in Section 2.0 of draft-… doug foiles
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… Paul Madsen
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… George Fletcher
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… Paul Madsen
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… doug foiles
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… Justin Richer
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… doug foiles
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… Torsten Lodderstedt
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… Paul Madsen
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… doug foiles