Re: [OAUTH-WG] Token expiration
Marcel Molina <marcel@twitter.com> Mon, 21 September 2009 22:54 UTC
In-Reply-To: <1bc4603e0909211522h2f659866v48ff9dcee9294b7a@mail.gmail.com>
References: <90C41DD21FB7C64BB94121FBBC2E72343784D584A3@P3PW5EX1MB01.EX1.SECURESERVER.NET> <6c0fd2bc0909211441o3eacc564t2917cf5b94f99800@mail.gmail.com> <1bc4603e0909211522h2f659866v48ff9dcee9294b7a@mail.gmail.com>
Date: Mon, 21 Sep 2009 15:54:44 -0700
Message-ID: <b0618f720909211554k32c54af6ne439cd4f2694ad43@mail.gmail.com>
From: Marcel Molina <marcel@twitter.com>
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] Token expiration
As an example of what other APIs do, Amazon's S3 supports signed URLs of protected objects. The signed URL is given a time to live after which it's invalidated. It's specified in terms of number of seconds from the time the URL was generated. That's dependent on the clock of the origin server I assume. Unless there is considerable drift between clocks and a very short time to live on the token, this shouldn't be a problem 99%+ of the time I'd assume...

On Mon, Sep 21, 2009 at 3:22 PM, Chris Messina <chris.messina@gmail.com> wrote:
> Seems like it'd be worth documenting existing approaches to this... what do other similar APIs do?
>
> I know I harp on this approach to technology development, but that was how OAuth was developed (for better or worse): by looking at existing practices, extracting convention, and codifying [ideally] best practices.
>
> If this is common and working elsewhere, can't we just imitate it?
>
> Chris
>
> On Mon, Sep 21, 2009 at 2:41 PM, Hubert Le Van Gong <hubertlvg@gmail.com> wrote:
>>
>> It is obviously useful to have. In fact it's so useful I'll bet most token formats used do include one. Having it outside the token becomes redundant then, but maybe it's not that bad.
>>
>> BTW why not use dateTime (http://www.w3.org/TR/xmlschema-2/#dateTime)?
>>
>> Cheers,
>> Hubert
>>
>> On Mon, Sep 21, 2009 at 11:25 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
>> > Should the core spec support the ability to indicate the duration of token credentials? This would be an addition to the web delegation draft [1] in section 6 (Token Credentials) in the form of a new response parameter, something like:
>> >
>> > oauth_token_duration
>> > The token duration specified in seconds from the time of the HTTP response timestamp.
>> >
>> > This has been consistently at the top of missing core functionality.
>> >
>> > EHL
>> >
>> > [1] http://tools.ietf.org/html/draft-ietf-oauth-web-delegation-01
>
> --
> Chris Messina
> Open Web Advocate
>
> Personal: http://factoryjoe.com
> Follow me on Twitter: http://twitter.com/chrismessina
>
> Citizen Agency: http://citizenagency.com
> Diso Project: http://diso-project.org
> OpenID Foundation: http://openid.net
>
> This email is: [ ] shareable [X] ask first [ ] private

--
Marcel Molina
Twitter Platform Team
http://twitter.com/noradio
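Eran's proposed oauth_token_duration parameter (seconds relative to the HTTP response timestamp) and Marcel's clock-drift point, worked through as an added example that is not part of the thread or any OAuth draft: a client converts the relative duration into an absolute expiry on its own clock and records the client/server offset it observed. Only the parameter name comes from the proposal above; the response body and Date header are constructed, and parse_token_response, needs_refresh and sample_credentials are hypothetical helpers.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qs


def parse_token_response(body: str, date_header: str, received_at: datetime) -> dict:
    """Turn a token-credentials response carrying the proposed
    oauth_token_duration (seconds, relative to the server's HTTP Date
    header) into an absolute expiry on the client's own clock.

    received_at is the client's timezone-aware clock reading when the
    response arrived. The duration is added to the local receive time
    rather than to the server's wall clock, so the result stays right
    even if the two clocks disagree; the observed offset is returned so
    the caller can log or alarm on large drift. Hypothetical helper.
    """
    try:
        params = parse_qs(body, strict_parsing=True)
        token = params["oauth_token"][0]
        secret = params["oauth_token_secret"][0]
        duration = int(params["oauth_token_duration"][0])
    except (KeyError, ValueError) as exc:
        raise ValueError(f"malformed token response: {exc}") from exc
    if duration <= 0:
        raise ValueError("oauth_token_duration must be a positive number of seconds")
    server_now = parsedate_to_datetime(date_header)
    offset_s = (received_at - server_now).total_seconds()
    return {
        "token": token,
        "secret": secret,
        "expires_at": received_at + timedelta(seconds=duration),
        "clock_offset_s": offset_s,
    }


def needs_refresh(creds: dict, now: datetime, safety_margin_s: int = 30) -> bool:
    """True once the token is within safety_margin_s of expiring, so the
    client renews before the server would reject it."""
    return now >= creds["expires_at"] - timedelta(seconds=safety_margin_s)


# Constructed sample (not from the thread): a form-encoded response and the
# Date header that came with it, received by a client whose clock runs 30 s
# ahead of the server's.
SAMPLE_BODY = "oauth_token=abc123&oauth_token_secret=s3cr3t&oauth_token_duration=3600"
SAMPLE_DATE = "Mon, 21 Sep 2009 22:54:44 GMT"


def sample_credentials() -> dict:
    local_clock = datetime(2009, 9, 21, 22, 55, 14, tzinfo=timezone.utc)
    return parse_token_response(SAMPLE_BODY, SAMPLE_DATE, local_clock)
```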