Re: [OAUTH-WG] Refresh Tokens

Aaron Parecki <aaron@parecki.com> Fri, 12 August 2011 15:59 UTC

In-Reply-To: <88f4b10fcf44ac276be338f7eebd5634@lodderstedt-online.de>
References: <B26C1EF377CB694EAB6BDDC8E624B6E723B89DBF@SN2PRD0302MB137.namprd03.prod.outlook.com> <CA698D45.17CCD%eran@hueniverse.com> <B26C1EF377CB694EAB6BDDC8E624B6E723B89F11@SN2PRD0302MB137.namprd03.prod.outlook.com> <3CA3D010-E3C1-44A7-BC08-5FA3C83F305A@hueniverse.com> <B26C1EF377CB694EAB6BDDC8E624B6E723B8A115@SN2PRD0302MB137.namprd03.prod.outlook.com> <90DA4C9C-83E1-4D78-BD6E-340084B4E912@hueniverse.com> <B26C1EF377CB694EAB6BDDC8E624B6E723B8A1F6@SN2PRD0302MB137.namprd03.prod.outlook.com> <1313105180.20903.YahooMailNeo@web31803.mail.mud.yahoo.com> <D76A379A-A43F-4742-9488-D64FF2A931AE@hueniverse.com> <CA+5SmTWd0+s2=GbkPMDq1XQ+HBTcTCoX8mPwHmGhQGAcNahJNQ@mail.gmail.com> <CAC4RtVBSA1H_40nUVRnJD0_cwRQedJE13TTXNuCUx1QQud9wcQ@mail.gmail.com> <88f4b10fcf44ac276be338f7eebd5634@lodderstedt-online.de>
Date: Fri, 12 Aug 2011 09:00:17 -0700
Message-ID: <CAGBSGjoir+mRiQRb0h7VodDivuB_sbpgKNkvGbK--trew9rj-Q@mail.gmail.com>
From: Aaron Parecki <aaron@parecki.com>
To: oauth@ietf.org

Many APIs in practice have a method such as "/me" or "/profile" for
applications to retrieve the profile information of the resource owner given
their access token. IMO this is a completely appropriate use of OAuth, even
though the resource owner is no longer anonymous in this case. I agree that
it's implementation specific.

My understanding was that OAuth is designed to give limited, revocable,
and/or temporary access to a third party without revealing the resource
owner's credentials. This has nothing to do with anonymity.

Also, this is not unique to refresh tokens; the same applies to access
tokens.

Aaron Parecki


On Fri, Aug 12, 2011 at 8:10 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

> OAuth allows a client to access user resources without revealing the
> resource owner's identity to the client. Isn't this anonymity? I consider
> this an important property of the protocol.
>
> regards,
> Torsten.
>
>
>
> On Thu, 11 Aug 2011 21:00:54 -0400, Barry Leiba wrote:
>
>> This seems to need a chair to step in.  Tony is taking a strong stand
>> and maintaining it:
>>
>> On Thu, Aug 11, 2011 at 1:40 PM, Anthony Nadalin
>> <tonynad@microsoft.com> wrote:
>>
>>> Nowhere in the specification is there explanation for refresh tokens. The
>>> reason that the Refresh token was introduced was for anonymity. The scenario
>>> is that a client asks the user for access. The user wants to grant the
>>> access but not tell the client the user's identity. By issuing the refresh
>>> token as an 'identifier' for the user (as well as other context data like
>>> the resource) it's possible now to let the client get access without
>>> revealing anything about the user. Recommend that the above explanation be
>>> included so developers understand why the refresh tokens are there.
>>>
>>
>> So far, though it's been only half a day, I've seen several posts
>> disagreeing with Tony, and none supporting any change to the text for
>> this.  We're close to ending WGLC, so please post here if you agree
>> with Tony's suggested change.  Otherwise, it looks like consensus is
>> against.
>>
>> Barry, as chair
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
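The property the thread is arguing about (whether a refresh token, or any token, is what keeps the resource owner anonymous) comes down to where the user binding lives and what the resource server chooses to expose. The following is an added illustration written for this page, not code from the IETF thread or from any of its participants. It models an authorization server that mints opaque access and refresh tokens as random lookup keys, a refresh grant that rotates the handle and never returns user data, and a resource server whose "/photos" and "/me" endpoints, "profile" scope, and scope check are all constructed assumptions for the demo; the point it makes is that the client learns the user's identity only if an endpoint such as "/me" hands it over, regardless of token type.

```python
"""Toy OAuth 2.0 token store: access and refresh tokens are opaque handles
whose user binding lives only on the authorization server. Whether the client
learns who the user is depends on what the resource server exposes (e.g. a
/me endpoint), not on the token type. Constructed example; endpoint names,
scope names and rotation behaviour are assumptions, not from the thread."""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Grant:
    """Server-side context that an opaque token resolves to."""
    user_id: str
    client_id: str
    scope: frozenset
    expires_at: float


@dataclass
class AuthorizationServer:
    access_ttl: int = 3600
    _access: dict = field(default_factory=dict)
    _refresh: dict = field(default_factory=dict)

    def issue(self, user_id, client_id, scope):
        """Grant succeeded: mint an opaque access/refresh pair. The token
        strings carry no user data; they are random lookup keys."""
        ctx = Grant(user_id, client_id, frozenset(scope), time.time() + self.access_ttl)
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self._access[access] = ctx
        # Refresh tokens are long-lived here and inherit the grant context.
        self._refresh[refresh] = Grant(user_id, client_id, frozenset(scope), float("inf"))
        return {"access_token": access, "refresh_token": refresh,
                "token_type": "bearer", "expires_in": self.access_ttl}

    def refresh(self, refresh_token, client_id):
        """refresh_token grant: the client presents only the handle, never the
        user's credentials or identity. The refresh token is rotated so that a
        leaked copy becomes detectable (reuse of the old one fails)."""
        ctx = self._refresh.pop(refresh_token, None)
        if ctx is None or ctx.client_id != client_id:
            return {"error": "invalid_grant"}
        return self.issue(ctx.user_id, client_id, ctx.scope)

    def introspect(self, access_token):
        """Resource-server side: resolve an opaque access token to its context."""
        ctx = self._access.get(access_token)
        if ctx is None or ctx.expires_at < time.time():
            return None
        return ctx


def protected_resource(server, access_token, path):
    """Resource server. Which endpoints exist decides whether the client ever
    sees the user's identity; the token itself reveals nothing."""
    ctx = server.introspect(access_token)
    if ctx is None:
        return 401, {"error": "invalid_token"}
    if path == "/photos":
        # Resource accessed on the user's behalf; user_id is not returned.
        return 200, {"photos": ["a.jpg", "b.jpg"]}
    if path == "/me":
        # Identity is disclosed only when the grant's scope permits it.
        if "profile" not in ctx.scope:
            return 403, {"error": "insufficient_scope"}
        return 200, {"id": ctx.user_id}
    return 404, {"error": "not_found"}


def demo():
    """Run the scenario and return the observable outcomes."""
    srv = AuthorizationServer()
    anon = srv.issue("user-42", "client-a", ["photos"])             # no profile scope
    ident = srv.issue("user-42", "client-a", ["photos", "profile"])

    results = {
        "anon_photos": protected_resource(srv, anon["access_token"], "/photos")[0],
        "anon_me": protected_resource(srv, anon["access_token"], "/me")[0],
        "ident_me": protected_resource(srv, ident["access_token"], "/me"),
    }
    # Refresh exchange: the client receives a new pair, still nothing about the user.
    renewed = srv.refresh(anon["refresh_token"], "client-a")
    results["renewed_has_user"] = any(
        "user-42" in v for v in renewed.values() if isinstance(v, str))
    results["renewed_photos"] = protected_resource(srv, renewed["access_token"], "/photos")[0]
    # The old refresh token was rotated out, so presenting it again is rejected.
    results["old_refresh_reused"] = srv.refresh(anon["refresh_token"], "client-a")
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the same client, holding tokens for the same user, getting photos either way, being refused at "/me" without the profile scope, and never finding the user identifier inside any token string it was handed, before or after the refresh exchange.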