[OAUTH-WG] Refresh tokens
"Bart Wiegmans" <bart@all4students.nl> Mon, 28 November 2011 15:12 UTC
Date: Mon, 28 Nov 2011 16:12:46 +0100
From: Bart Wiegmans <bart@all4students.nl>
To: oauth WG <oauth@ietf.org>
Subject: [OAUTH-WG] Refresh tokens
Hello everybody,

This is my first post on this mailing list, so I will introduce myself. My name is Bart Wiegmans, I work in Groningen, the Netherlands. I am involved with OAuth2 because I am implementing an authorization server for my employer, all4students / studenten.net.

I have a few remarks about refresh tokens.

1. The way I understand it, they are a way to limit the impact of access token exposure. Which I find desirable.
2. However, they can also be seen as credentials for an access token request. In which case, refresh token exposure is a more serious risk than access token exposure.
3. Are there, or will there ever be, multiple refresh token types as there are access token types?
4. Can a public client use refresh tokens at all, or is this meaningless? If not, are public clients that are installed on a user's computer or smartphone required to re-authorise every time an access token expires? (This would be undesirable). Should they request long-lived access tokens?

About MAC tokens, I wonder about the practicality of public (javascript) clients using them as a token type.

With kind regards,
Bart Wiegmans | Developer
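A small authorization-server model, added here as an illustration and not code from the original message or from all4students, that puts points 1, 2 and 4 side by side: access tokens expire quickly, a confidential client's refresh token is unusable without the client secret, and a public client's refresh token is bound to its client_id and rotated on each use so that a replayed copy is detected. The refresh-token rotation and family revocation are the editor's assumed mitigations, not something the message proposes; client names and secrets below are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass, field

ACCESS_TTL = 600  # seconds; a short lifetime bounds what a leaked access token is worth (point 1)

@dataclass
class AuthServer:
    clients: dict  # client_id -> client secret, or None for a public client (installed or JavaScript app)
    now: float = 0.0  # injectable clock so token expiry can be exercised deterministically
    access: dict = field(default_factory=dict)    # access token -> (client_id, expiry)
    refresh: dict = field(default_factory=dict)   # live refresh token -> (client_id, family)
    consumed: dict = field(default_factory=dict)  # rotated-out refresh token -> family

    def _issue(self, client_id, family):
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = (client_id, self.now + ACCESS_TTL)
        self.refresh[rt] = (client_id, family)
        return {"access_token": at, "refresh_token": rt, "expires_in": ACCESS_TTL}

    def grant(self, client_id):
        # Initial issuance once the resource owner has authorised the client (code exchange omitted).
        return self._issue(client_id, secrets.token_hex(8))

    def validate_access(self, token):
        entry = self.access.get(token)
        return entry is not None and entry[1] > self.now

    def refresh_grant(self, refresh_token, client_id, client_secret=None):
        if client_id not in self.clients:
            return None
        secret = self.clients[client_id]
        # Confidential client (point 2): a leaked refresh token is useless without the client secret.
        if secret is not None and (client_secret is None or not hmac.compare_digest(secret, client_secret)):
            return None
        live = self.refresh.get(refresh_token)
        if live is None:
            # A rotated-out token presented again means two parties hold it: revoke its whole family.
            if refresh_token in self.consumed:
                self._revoke_family(self.consumed[refresh_token])
            return None
        owner, family = live
        if owner != client_id:  # bound to the issuing client; the only binding a public client has (point 4)
            return None
        del self.refresh[refresh_token]  # single use: rotate the refresh token on every exchange
        self.consumed[refresh_token] = family
        return self._issue(client_id, family)

    def _revoke_family(self, family):
        self.refresh = {t: v for t, v in self.refresh.items() if v[1] != family}
```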