Re: [OAUTH-WG] [Technical Errata Reported] RFC7662 (7607)
Warren Parad <wparad@rhosys.ch> Mon, 21 August 2023 10:47 UTC
Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 858BEC151530 for <oauth@ietfa.amsl.com>; Mon, 21 Aug 2023 03:47:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qvTZ-rS-VYK4 for <oauth@ietfa.amsl.com>; Mon, 21 Aug 2023 03:47:26 -0700 (PDT)
Received: from mail-ej1-x631.google.com (mail-ej1-x631.google.com [IPv6:2a00:1450:4864:20::631]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47E03C151551 for <oauth@ietf.org>; Mon, 21 Aug 2023 03:47:26 -0700 (PDT)
Received: by mail-ej1-x631.google.com with SMTP id a640c23a62f3a-9a18880d312so40409366b.1 for <oauth@ietf.org>; Mon, 21 Aug 2023 03:47:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; t=1692614844; x=1693219644; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=EQuu6+u+dovDk06szHrBhN8Z9uvQLPqjbetF4clPans=; b=iiqgZ2ptH5KMxRTQacaK9DIR7BzH+SI1k7OOoQOMyxc66kijWCvRLflCC61PaPiohl qr0qhhvDCTnneNTseuxJUIYLeiET7ezCI5iALsXr4iiePKO/ICV913pYvdYCj3wscAHJ OWGxT9DBlZWGRSjCyk75wAxcc8uwAnopfidzFn7e2Su72cfnzyEsRVDuHmUYntp24RA+ WTKC8+0vx6H/NR4dGAYDq4X5F5iFqWm12RHe/kHWyhE9SYS+jAXTmKVOJDhQWhbfStr2 r+VWnvY4M3EAQseJLIFZtREA3CcMumaA8tuU0kYOFk11+BWQGr25BP9loe8Tc8LItFNI NVhA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1692614844; x=1693219644; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=EQuu6+u+dovDk06szHrBhN8Z9uvQLPqjbetF4clPans=; b=aa8/US8/59pjPH8WqsecTiG28wS1y73ry6pVYP+ZLJxDFFC1l/v4mZ/ZTJwnCuVf1X etL3oqvAx2uR9BEpWq1sMLVqezYyvFMn7u2fzRjc1ckZyhQV65o8ZeyaHCLIg4XIcD2u UAF9qa48msDWED/V9E7RlZMYPXSdgcY6ODHZB7wyUKIMO5utVO9NBDO8dAeMvJRIuOa1 vsGNzpZIY/waO3JvMsPiNPCPVRxw9HIrNqi9qIlmYYN0gGOD5bNRtTYjGOrl7WmuzFvk oZZ8OH36ot+lTEJEqN3IsOX7off5HaZ++0mHwcOqM11+wBaGXkUkHDhZvT2lGrKt4UQU tQRQ==
X-Gm-Message-State: AOJu0Yzb0kTkKMWhV9VWNxbs08QETpARtLjOHFMeCvrh9cwZzVyrA8Bj 5+8clfcPodxn6gLcBuqdGDp+pZwUA5JnCcCVuomV
X-Google-Smtp-Source: AGHT+IFV72Dm3MjA34fQt6mWAWn5+lKUf6cpwJMYAQt/u92xX92rBmR8oDkvOQiltyD8s8zf/PbA3I5UTlP4OMQg6wM=
X-Received: by 2002:a17:906:519b:b0:993:eed1:8f7 with SMTP id y27-20020a170906519b00b00993eed108f7mr4975835ejk.3.1692614844151; Mon, 21 Aug 2023 03:47:24 -0700 (PDT)
MIME-Version: 1.0
References: <20230817184251.612BB88BC9@rfcpa.amsl.com> <DM6PR01MB4444552934A1081B162AD281BD1BA@DM6PR01MB4444.prod.exchangelabs.com> <002f01d9d2ed$0ca45a40$25ed0ec0$@neusoft.edu.cn> <A680C4D3-B947-4471-A5EC-CCC3D7D0C684@mit.edu>
In-Reply-To: <A680C4D3-B947-4471-A5EC-CCC3D7D0C684@mit.edu>
From: Warren Parad <wparad@rhosys.ch>
Date: Mon, 21 Aug 2023 12:47:13 +0200
Message-ID: <CAJot-L0LeQhPqiKqRAw50KxW14ze2_0hCTFMvCTpxcBdffmD4g@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Fulong Sun <sunfulong@neusoft.edu.cn>, "paul.wouters@aiven.io" <paul.wouters@aiven.io>, "oauth@ietf.org" <oauth@ietf.org>, "ietf@justin.richer.org" <ietf@justin.richer.org>, RFC Errata System <rfc-editor@rfc-editor.org>
Content-Type: multipart/alternative; boundary="000000000000870c2006036c9a5a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KTjsrZmN3T7pNUtDaK7RhwYsqAs>
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC7662 (7607)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Aug 2023 10:47:30 -0000
Arguably the client can't revoke the token. It can request to revoke the token and then the decision of whether it is revoked is only on the AS. A client considering a token revoked has no merit on the value of the *active *flag. For full context, this is the section: https://datatracker.ietf.org/doc/html/rfc7662#section-2.2 And the relevant text: The server responds with a JSON object [RFC7159 <https://datatracker.ietf.org/doc/html/rfc7159>] in "application/ json" format with the following top-level members. active REQUIRED. Boolean indicator of whether or not the presented token is currently active. The specifics of a token's "active" state will vary depending on the implementation of the authorization server and the information it keeps about its tokens, but a "true" value return for the "active" property will generally indicate that *a given token has been issued by this authorization server, has not been revoked by the resource owner, and is within its given time window of validity* (e.g., after its issuance time and before its expiration time). See Section 4 <https://datatracker.ietf.org/doc/html/rfc7662#section-4> for information on implementation of such checks. On Mon, Aug 21, 2023 at 12:31 PM Justin Richer <jricher@mit.edu> wrote: > I don’t think it’s necessary to enumerate all of the possible parties that > could have had a hand in revoking the token — it have also been revoked by > the AS through some backend process or through administrative action. If a > token is revoked, it’s revoked — and the RS doesn’t generally care why or > who did it, just that the token is no good. It doesn’t hurt to list the > client here, but it’s not necessary. As such, I still say the errata should > be rejected. > > — Justin > > On Aug 19, 2023, at 6:32 PM, Fulong Sun <sunfulong@neusoft.edu.cn> wrote: > > Hi Justin, > > Yes, the resource owner can revoke, but the client also can revoke the > token, why do not write both of them? > > 孙福龙 > Fulong Sun > > 东软教育科技集团・IDC > IDC of Neusoft Education Technology Group > > Office: +86 (411) 82379410 -9 / 6602 > Mobile: +86 13478953390 > E-mail: sunfulong@neusoft.edu.cn > Address: Room 305, Building A5, No. 8, Software Park Road, Dalian, > Liaoning, China > > *From:* Justin Richer <jricher@mit.edu> > *Sent:* 2023年8月18日 20:54 > *To:* RFC Errata System <rfc-editor@rfc-editor.org>; > ietf@justin.richer.org; rdd@cert.org; paul.wouters@aiven.io; > hannes.tschofenig@arm.com; rifaat.s.ietf@gmail.com > *Cc:* sunfulong@neusoft.edu.cn; oauth@ietf.org > *Subject:* Re: [OAUTH-WG] [Technical Errata Reported] RFC7662 (7607) > > The resource owner can revoke the token out of band, this errata should be > rejected. > > - Justin > ------------------------------ > *From:* OAuth <oauth-bounces@ietf.org> on behalf of RFC Errata System < > rfc-editor@rfc-editor.org> > *Sent:* Thursday, August 17, 2023 2:42 PM > *To:* ietf@justin.richer.org <ietf@justin.richer.org>; rdd@cert.org < > rdd@cert.org>; paul.wouters@aiven.io<paul.wouters@aiven.io>; > hannes.tschofenig@arm.com <hannes.tschofenig@arm.com>; > rifaat.s.ietf@gmail.com<rifaat.s.ietf@gmail.com> > *Cc:* sunfulong@neusoft.edu.cn <sunfulong@neusoft.edu.cn>; oauth@ietf.org > <oauth@ietf.org>; rfc-editor@rfc-editor.org<rfc-editor@rfc-editor.org> > *Subject:* [OAUTH-WG] [Technical Errata Reported] RFC7662 (7607) > > The following errata report has been submitted for RFC7662, > "OAuth 2.0 Token Introspection". > > -------------------------------------- > You may review the report below and at: > https://www.rfc-editor.org/errata/eid7607 > > -------------------------------------- > Type: Technical > Reported by: Fulong Sun <sunfulong@neusoft.edu.cn> > > Section: 2.2 > > Original Text > ------------- > a given token has been issued by this authorization server, has not been > revoked by the resource owner, and is within its given time window of > validity > > Corrected Text > -------------- > a given token has been issued by this authorization server, has not been > revoked by the resource owner or client, and is within its given time > window of validity > > Notes > ----- > RFC 7009 defined a given token can be revoke by client, so should write > client here. > > Instructions: > ------------- > This erratum is currently posted as "Reported". If necessary, please > use "Reply All" to discuss whether it should be verified or > rejected. When a decision is reached, the verifying party > can log in to change the status and edit the report, if necessary. > > -------------------------------------- > RFC7662 (draft-ietf-oauth-introspection-11) > -------------------------------------- > Title : OAuth 2.0 Token Introspection > Publication Date : October 2015 > Author(s) : J. Richer, Ed. > Category : PROPOSED STANDARD > Source : Web Authorization Protocol > Area : Security > Stream : IETF > Verifying Party : IESG > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] [Technical Errata Reported] RFC7662 (7… RFC Errata System
- Re: [OAUTH-WG] [Technical Errata Reported] RFC766… Justin Richer
- Re: [OAUTH-WG] [Technical Errata Reported] RFC766… Justin Richer
- Re: [OAUTH-WG] [Technical Errata Reported] RFC766… Warren Parad