IETF Logo Mail Archive

Re: [OAUTH-WG] A question on token revocation.

Prabath Siriwardena <prabath@wso2.com> Wed, 06 February 2013 15:34 UTC

Return-Path: <prabath@wso2.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4541A21F8893 for <oauth@ietfa.amsl.com>; Wed, 6 Feb 2013 07:34:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.467
X-Spam-Level:
X-Spam-Status: No, score=-2.467 tagged_above=-999 required=5 tests=[AWL=0.509, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F5vuzsJMgswm for <oauth@ietfa.amsl.com>; Wed, 6 Feb 2013 07:34:32 -0800 (PST)
Received: from mail-ea0-f181.google.com (mail-ea0-f181.google.com [209.85.215.181]) by ietfa.amsl.com (Postfix) with ESMTP id 8A3C221F897A for <oauth@ietf.org>; Wed, 6 Feb 2013 07:34:31 -0800 (PST)
Received: by mail-ea0-f181.google.com with SMTP id i13so671045eaa.26 for <oauth@ietf.org>; Wed, 06 Feb 2013 07:34:30 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type:x-gm-message-state; bh=7IJA+kHYChNu8Rdxky5NCl7itvmL2VOsZhJgEtoPqhg=; b=Ke7bNyUjZxzIOQqyyOzA0IMhFX2ARS+OVgAA3mq6bPE8gRuJyVeHo3R6tEOvVzpHvs ugFHKdyRHD8GODeGz7Zg2j4bUSIfvH6lFUONczhhinx6o1qLc5c/q4tUPhFcE4FGfvl4 4JVXoGeIlz55O76qDOzz5ZRsA4h9eGLLhc5M0JpCsTK0cYyDPuZM3ghOx+Alf7U+xcu6 Bn4aBXeQ95RMFo6T7N75v3OjUnq3XzF3OPXu2ONm5UbPQg4qjPtAmW3Vq8rUxF8/1R6g vEYqGFLdEvuU4PaSBio6di61p6Gsz6yVcp7odq+5OX0bOd2cu8i/fnnGchav3SBgpko8 lDkw==
MIME-Version: 1.0
X-Received: by 10.14.211.137 with SMTP id w9mr97097235eeo.39.1360164870339; Wed, 06 Feb 2013 07:34:30 -0800 (PST)
Received: by 10.223.175.134 with HTTP; Wed, 6 Feb 2013 07:34:30 -0800 (PST)
In-Reply-To: <OFE5AD1D75.31752E83-ON85257B0A.00552A3B-85257B0A.0055358A@us.ibm.com>
References: <CAJV9qO8UgLV6SdegZSk4KT3Qyb-M2KmPFPV9xDht_WjibeUWrg@mail.gmail.com> <51126D65.2090707@mitre.org> <CAJV9qO-ZNVcbzNvb---CmXv+vo0jZHKQaDon8OqrPJCfAXKTRQ@mail.gmail.com> <5112746B.70403@mitre.org> <OFE5AD1D75.31752E83-ON85257B0A.00552A3B-85257B0A.0055358A@us.ibm.com>
Date: Wed, 06 Feb 2013 21:04:30 +0530
Message-ID: <CAJV9qO84D6ZxBHS_KG9t2LsC9V-nEdugS50QqhrT=9qU=kOH-A@mail.gmail.com>
From: Prabath Siriwardena <prabath@wso2.com>
To: Todd W Lainhart <lainhart@us.ibm.com>
Content-Type: multipart/alternative; boundary="047d7b624ab8eebcf604d5100f36"
X-Gm-Message-State: ALoCoQkAhqVAchA/nNm6EbHUFE3mMxBfqAjdyTL4CPFWU4gUcfamA/QfFB54VXcIoS/wBbBelZaw
Cc: oauth-bounces@ietf.org, "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A question on token revocation.
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Feb 2013 15:34:33 -0000

Sure that can done.. Do you see any issues having discuss that under the
same spec.. The purpose of both are the same. Only the actor differs.

Thanks & regards,
-Prabath

On Wed, Feb 6, 2013 at 9:00 PM, Todd W Lainhart <lainhart@us.ibm.com> wrote:

> > If you would like to see the RO-initiated token revocation go through
> (not grant revocation, mind you -- that's related, but different), then I
> would suggest that you start specifying exactly how that works.
>
> +1
>
>  *
>
>
> Todd Lainhart
> Rational software
> IBM Corporation
> 550 King Street, Littleton, MA 01460-1250**
> 1-978-899-4705
> 2-276-4705 (T/L)
> lainhart@us.ibm.com*
>
>
>
>
> From:        Justin Richer <jricher@mitre.org>
> To:        Prabath Siriwardena <prabath@wso2.com>,
> Cc:        "oauth@ietf.org WG" <oauth@ietf.org>
> Date:        02/06/2013 10:21 AM
> Subject:        Re: [OAUTH-WG] A question on token revocation.
> Sent by:        oauth-bounces@ietf.org
> ------------------------------
>
>
>
>
> On 02/06/2013 10:13 AM, Prabath Siriwardena wrote:
>
>
> On Wed, Feb 6, 2013 at 8:19 PM, Justin Richer <*jricher@mitre.org*<jricher@mitre.org>>
> wrote:
> These are generally handled through a user interface where the RO is
> authenticated directly to the AS, and there's not much need for a
> "protocol" here, in practice.
>
> Why do you think leaving access token revocation by RO to a proprietary
> API is a good practice ? IMO this an essential requirement in API security.
> I think it makes more sense in the same way that having a "proprietary"
> UI/API for managing the user consent makes sense: unless you're doing a
> fully dynamic end-to-end system like UMA, then there's not much value in
> trying to squeeze disparate systems into the same mold, since they won't be
> talking to each other anyway.
>
> And since you refer to it as an "API", what will the RO be using to call
> this API? Is there a token management client that's separate from the OAuth
> client?
>
>
> IMHO token revocation done my RO is more practical than token revocation
> done by the Client.
> They're both valid but require different kinds of protocols and
> considerations. This token revocation draft is meant to solve one problem,
> and that doesn't mean it can or should solve other seemingly related
> problems.
>
> If you would like to see the RO-initiated token revocation go through (not
> grant revocation, mind you -- that's related, but different), then I would
> suggest that you start specifying exactly how that works. I predict it will
> be problematic in practice, though, as the RO often doesn't actually have
> direct access to the token itself.
>
>
> There are larger applications, like UMA, that have client and PR
> provisioning that would allow for this to be managed somewhat
> programmatically, but even in that case you're still generally doing token
> revocation by a "client" in some fashion. In UMA, though, several different
> pieces can play the role of a "client" at different parts of the process.
>
> Revoking a scope is a whole different mess. Generally, you'd want to just
> revoke an existing token and make a new authorization grant with lower
> access if you don't want that client getting that scope anymore. If you
> just want to downscope for a single transaction, you can already do that
> with either the refresh token or token chaining approaches, depending on
> where in the process you are. The latter of these are both client-focused,
> though, and the RO doesn't have a direct hand in it at this point.
>
> Why do you think it a mess. If you revoke the entire token then Client
> needs to go through the complete OAuth flow - and also needs to get the
> user consent. If RO can  downgrade the scope, then we restrict API access
> by the client at RS end and its transparent to the client.
>
>
> Downgrading the scope of tokens in the wild is hardly transparent to the
> client (stuff that it expects to work will suddenly start to fail, meaning
> that most clients will throw out the token and try to get a new one), and
> in a distributed system you've got to propagate that change to the RS. If
> you bake the scopes into the token itself (which many do) then you actually
> *can't* downgrade a single token, anyway.
>
> -- Justin
>
> Thanks & regards,
> -Prabath
>
>
>
> -- Justin
>
>
> On 02/06/2013 04:35 AM, Prabath Siriwardena wrote:
> I am sorry if this was already discussed in this list..
>
> Looking at [1] it only talks about revoking the access token from the
> client.
>
> How about the resource owner..?
>
> There can be cases where resource owner needs to revoke an authorized
> access token from a given client. Or revoke an scope..
>
> How are we going to address these requirements..? Thoughts appreciated...
>
> [1] *http://tools.ietf.org/html/draft-ietf-oauth-revocation-04*<http://tools.ietf.org/html/draft-ietf-oauth-revocation-04>
>
> --
> Thanks & Regards,
> Prabath
>
> Mobile : *+94 71 809 6732* <%2B94%2071%20809%206732>
> *
> **http://blog.facilelogin.com* <http://blog.facilelogin.com/>*
> **http://RampartFAQ.com* <http://rampartfaq.com/>
>
>
> _______________________________________________
> OAuth mailing list
> *OAuth@ietf.org* <OAuth@ietf.org>
> *https://www.ietf.org/mailman/listinfo/oauth*<https://www.ietf.org/mailman/listinfo/oauth>
>
>
>
>
>
> --
> Thanks & Regards,
> Prabath
>
> Mobile : +94 71 809 6732
> *
> **http://blog.facilelogin.com* <http://blog.facilelogin.com/>*
> **http://RampartFAQ.com* <http://rampartfaq.com/>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>


-- 
Thanks & Regards,
Prabath

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://RampartFAQ.com

v2.23.0 | Report a Bug | By Email