[OAUTH-WG] exp claim ... was RE: expires_in

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Tue, 18 December 2018 13:48 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: David Waite <david@alkaline-solutions.com>
CC: oauth <oauth@ietf.org>
Thread-Topic: exp claim ... was RE: [OAUTH-WG] expires_in
Date: Tue, 18 Dec 2018 13:48:46 +0000
Message-ID: <VI1PR0801MB2112201BE59C911D250F3148FABD0@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/d-q9UYvQjRslJhPE-Y59VsJrKUo>
Subject: [OAUTH-WG] exp claim ... was RE: expires_in

Hi David,

You just caught an error. Thanks.

There is the expires_in parameter sent from the AS to the client and the exp claim in the access token created by the AS for consumption by the RS.

I meant to write about the exp claim but I instead looked up the expires_in. The value in the expires_in parameter is also in my opinion advisory. The exp parameter shouldn't be.

Interestingly, neither RFC 6819 nor draft-ietf-oauth-security-topics-10 talks about having a mandatory exp claim in the access token. In OpenID Connect exp is a mandatory claim.

Ciao
Hannes

-----Original Message-----
From: David Waite <david@alkaline-solutions.com>
Sent: Tuesday, 18 December 2018 12:59
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] expires_in

My understanding was that this parameter was advisory to the client - it neither mandated the client discard the token after the expires_in time, nor has a requirement that the token is no longer honored by protected resources at that point in time (vs earlier or later).

Is there meaning that others assign to this value? The only use I’ve found is to schedule proactive refreshes to hopefully reduce latency by reducing the need to refresh in-line with user requests.

-DW

> On Dec 18, 2018, at 3:55 AM, Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
>
> Hi all,
>
> In a recent email conversation on the IETF ACE mailing list Ludwig Seitz suggested that the expires_in claim in an access token should actually be mandatory.
> Intuitively it feels like access tokens shouldn't have an unrestricted lifetime. I am curious whether recommendations would be useful here.
>
> RFC 6819 talks about the expires_in claim and says:
>
> 3.1.2.  Limited Access Token Lifetime
>
>   The protocol parameter "expires_in" allows an authorization server
>   (based on its policies or on behalf of the end user) to limit the
>   lifetime of an access token and to pass this information to the
>   client.  This mechanism can be used to issue short-lived tokens to
>   OAuth clients that the authorization server deems less secure, or
>   where sending tokens over non-secure channels.
>
> draft-ietf-oauth-security-topics-10 only talks about refresh token expiry.
>
> In OpenID Connect the expires_in claim is also optional.
>
> Ciao
> Hannes
>
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

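The distinction the thread settles on, as an added example that is not part of any message above: the client treats the expires_in response parameter as a hint for scheduling a proactive refresh, while the resource server treats the exp claim inside the access token as a hard limit that is enforced after signature verification. The example assumes an HS256-signed JWT access token with a shared secret between AS and RS; the secret, claims and timestamps are constructed for the example, and the function names are the author's own.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for the example. A deployed AS/RS pair would use a
# provisioned key (or an asymmetric key pair), never a literal in source.
EXAMPLE_SECRET = b"example-shared-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(claims: dict, secret: bytes = EXAMPLE_SECRET) -> str:
    """AS side: produce a compact HS256 JWT carrying the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def rs_validate_token(token: str, now: int, leeway: int = 60,
                      secret: bytes = EXAMPLE_SECRET) -> tuple:
    """RS side: verify the signature, then enforce exp as a hard limit.

    Returns (ok, reason). exp is mandatory here: a token without it is
    rejected, as is one whose exp (plus a small clock-skew leeway) is past.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    signing_input = parts[0] + "." + parts[1]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except ValueError:
        return False, "malformed"
    # Pin the algorithm: the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    # Only now are the claims trustworthy; enforce exp.
    exp = claims.get("exp")
    if not isinstance(exp, int):
        return False, "exp missing"
    if now > exp + leeway:
        return False, "expired"
    return True, "ok"


def client_refresh_at(issued_at: int, expires_in, margin: int = 30):
    """Client side: expires_in is advisory, so it only schedules a refresh.

    Returns the time at which the client should proactively refresh, or None
    when no usable hint was given (the client then relies on error responses
    from the RS instead of guessing a lifetime).
    """
    if not isinstance(expires_in, int) or expires_in <= 0:
        return None
    return issued_at + max(expires_in - margin, 0)
```

The RS rejects a token that lacks exp outright, which is the "exp shouldn't be advisory" position in the thread; the client never refuses to use a token on its own timer, it only refreshes early to avoid in-line latency.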