[OAUTH-WG] Device Code expiration and syntax

Justin Richer <jricher@mit.edu> Sat, 11 March 2017 19:10 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Jv61gI2UacF9Ny0h-E191DF2jUA>

We’re implementing support for the device code draft and had a question on what the “expiration” of the code refers to. Obviously, once the code has expired it can no longer be used. But when should the expiration count from? Say I have a code that’s good for 60 seconds, do I start the timer as soon as I issue the code to the client? Do I reset the timer when the user approves the client, to another 60 seconds? Or does that 60 seconds count for the entire transaction?

My read on it is the latter-- one timeout for the entire lifetime of the code regardless of its current state, with no resets. But I didn’t find good guidance in the document itself.

Secondly, I had a question about the “response_type” parameter to the device endpoint. This parameter is required and it has a single, required value, with no registry or other possibility of extension. What’s the point? If it’s for “parallelism”, I’ll note that this is *not* the authorization endpoint (as the user is not present) and such constraints need not apply here.

 — Justin
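
An added example, not part of the original message or of any implementation it refers to: a minimal in-memory device-code store that follows the reading given in the message, with one deadline fixed when the code is issued and no reset when the user approves. The class and method names, the injectable clock and the `approved` status string are assumptions made for illustration; the error strings are the codes defined in RFC 6749 and the later-published RFC 8628.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    user_code: str
    expires_at: float      # set once at issuance, never rewritten
    approved: bool = False


class DeviceCodeStore:
    """Constructed in-memory store: one deadline per device-code transaction."""

    def __init__(self, lifetime=60, clock=time.monotonic):
        self.lifetime, self.clock = lifetime, clock
        self.grants = {}               # device_code -> Grant

    def issue(self):
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()
        # The timer starts here, when the code is handed to the client.
        self.grants[device_code] = Grant(user_code, self.clock() + self.lifetime)
        return {"device_code": device_code, "user_code": user_code,
                "expires_in": self.lifetime}

    def approve(self, user_code):
        """User approves at the verification page; the deadline is not reset."""
        for grant in self.grants.values():
            if secrets.compare_digest(grant.user_code, user_code):
                if self.clock() >= grant.expires_at:
                    return False       # approval arrived too late
                grant.approved = True
                return True
        return False

    def poll(self, device_code):
        """Client poll; error strings are the RFC 6749 / RFC 8628 codes."""
        grant = self.grants.get(device_code)
        if grant is None:
            return "invalid_grant"
        if self.clock() >= grant.expires_at:
            del self.grants[device_code]
            return "expired_token"
        if not grant.approved:
            return "authorization_pending"
        del self.grants[device_code]   # single use: redeemed codes are dropped
        return "approved"              # a real server would mint the token here
```

With a 60-second lifetime, a code approved at second 50 and polled at second 61 is rejected as expired, which is the behaviour the "no resets" reading implies.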