[OAUTH-WG] Detecting revoked token in OAuth 2.0 client libraries

Andreas Åkre Solberg <andreas.solberg@uninett.no> Mon, 09 January 2012 08:43 UTC

I'm trying to do an OAuth 2.0 library, and got a question:

I cannot find a standardized way for an OAuth protected endpoint to report to the client that the token is not valid (expired or revoked). As a library developer, I'd like to take away as much as possible of the OAuth logic from the application. I need a way to distinguish application-specific protocol errors from OAuth-related errors on protected endpoints.

If the library could detect this, it could also, for example, refresh the token automatically, and even start a new flow if necessary.

I'm sorry if the answer is obvious.

Another question on token validity: the optional expires_in parameter. If I would like to indicate permanent validity, how can I express that? I assume that if I leave the parameter out it is not possible to distinguish between 'undefined / not specified' and 'infinite'. Putting the semantics into a specific scope could of course work, but lacks the feature of being standardized between providers.
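As an added illustration (not code from the original message or from any library the author was writing), this is how a client library can separate the two error classes the post asks about: the Bearer token usage spec (RFC 6750, finalized after this message was sent) has the resource server answer with a WWW-Authenticate: Bearer challenge carrying error="invalid_token" or error="insufficient_scope", and anything without such a challenge is the application's own error. The `send` and `refresh` callables, the header dictionary and the verdict names are assumptions of this example; it also encodes the expires_in caveat from the second question (absent means unknown, not infinite).

```python
import re

_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')  # auth-param list, RFC 6750 s.3

def parse_bearer_challenge(header):
    """Auth-params of a "WWW-Authenticate: Bearer ..." value, or None if not a Bearer challenge."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}

def classify_response(status, headers):
    """Library's next action: "ok", "refresh" (token rejected), "reauthorize"
    (new flow needed) or "app_error" (not an OAuth signal; the application owns it)."""
    if 200 <= status < 300:
        return "ok"
    params = parse_bearer_challenge(headers.get("WWW-Authenticate", ""))
    if params is None:
        return "app_error"  # a 401/403 without a Bearer challenge belongs to the application
    error = params.get("error")
    if status == 401 and error in (None, "invalid_token"):
        return "refresh"    # expired/revoked token, or no credentials accepted at all
    if status == 403 and error == "insufficient_scope":
        return "reauthorize"
    return "app_error"      # e.g. invalid_request: a client bug, not a token problem

def call_protected(send, refresh, access_token, request):
    """send(request, access_token) -> (status, headers, body); refresh() -> new token or None.
    Returns (verdict, body, access_token); "refresh" never escapes, it is acted on here."""
    status, headers, body = send(request, access_token)
    verdict = classify_response(status, headers)
    if verdict != "refresh":
        return verdict, body, access_token
    new_token = refresh()
    if new_token is None:            # no refresh token (or refresh refused): new flow
        return "reauthorize", body, access_token
    status, headers, body = send(request, new_token)
    verdict = classify_response(status, headers)
    # rejected again right after a refresh: refreshing cannot fix it, start a new flow
    return ("reauthorize" if verdict == "refresh" else verdict), body, new_token

def token_expires_at(expires_in, now):
    """Absolute expiry from the token response's optional expires_in (seconds).
    An absent parameter means the lifetime is unknown, not infinite: the client cannot
    treat such a token as permanent and must still handle the invalid_token challenge."""
    return None if expires_in is None else now + int(expires_in)
```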