Re: [OAUTH-WG] survey: token revocation design options
Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 17 August 2010 18:57 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 25A403A6859 for <oauth@core3.amsl.com>; Tue, 17 Aug 2010 11:57:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.079
X-Spam-Level:
X-Spam-Status: No, score=-2.079 tagged_above=-999 required=5 tests=[AWL=0.170, BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kPg44qCRHoIN for <oauth@core3.amsl.com>; Tue, 17 Aug 2010 11:57:46 -0700 (PDT)
Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.31.36]) by core3.amsl.com (Postfix) with ESMTP id E25463A67EB for <oauth@ietf.org>; Tue, 17 Aug 2010 11:57:45 -0700 (PDT)
Received: from [79.253.20.40] (helo=[192.168.71.22]) by smtprelay02.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1OlRMZ-0007Ha-AG; Tue, 17 Aug 2010 20:58:19 +0200
Message-ID: <4C6ADBD4.9010500@lodderstedt.net>
Date: Tue, 17 Aug 2010 20:58:28 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.8) Gecko/20100802 Thunderbird/3.1.2
MIME-Version: 1.0
To: igor.faynberg@alcatel-lucent.com
References: <4C69A909.2060006@lodderstedt.net> <4C69BA3A.8060005@alcatel-lucent.com>
In-Reply-To: <4C69BA3A.8060005@alcatel-lucent.com>
Content-Type: text/plain; charset="ISO-8859-15"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Df-Sender: torsten@lodderstedt-online.de
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] survey: token revocation design options
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Aug 2010 18:57:47 -0000
Igor,
1c does not further narrow down the character set for tokens. It instead
establishes an additional (URL-safe) id. That way no change is needed on
existing token formats and the existing protocol definition. This could
be combined with 1a or 1b but why? To cope with URL length restrictions?
regards,
Torsten.
Am 17.08.2010 00:22, schrieb Igor Faynberg:
> Torsten,
>
> This really captures everything!
>
> Option 1a is the best fit for me (and this is really only my personal
> opinion). (Incidentally, 1c, looks to me like it is not a separate
> option as it could be implemented along both 1a and 1b. I suspect I
> missed something; if not, I would change my vote to 1c or 1a+1c.)
>
> Looking forward to seening the new I-D,
>
> Igor
>
> Torsten Lodderstedt wrote:
>> Hi all,
>>
>> I intend to submit a I-D for token revocation. Based on previous
>> discussions on the mailing list and here at Deutsche Telekom, I see a
>> couple of design options. I would like to share those options with
>> the WG and try to reach consensus on a single option before investing
>> the time to write the I-D.
>>
>> 1) HTTP Delete on tokens endpoint
>>
>> DELETE seems a natural way for revoking (deleting) tokens. Although
>> the HTTP spec is a bit vaque in this concern, current practice
>> prohibits a body for DELETE requests. So the token must be addressed
>> by the request's URI. Lets assume the token is passed as URI query
>> parameter as follows:
>>
>> DELETE /tokens?refresh_token=8xLOxBtZp8&&&# HTTP/1.1
>> Authorization: BASIC czZCaGRSa3F0Mzo4ZVNFSXBucW1N
>>
>> But is it advisable to pass tokens as URI query parameters? The
>> current character set definition for access tokens (§5.1.1) is not
>> URL-safe since it includes URI reserved characters (e.g. '/').
>> Additionally, there is no definition of a refresh tokens character
>> set. So compliant authorization servers could issue tokens, which
>> cannot be safely passed as URI query parameters.
>>
>> Note: As an additional challenge, self-contained tokens can be very
>> large. So passing them as URI parameter may exceed URL length limits.
>>
>> I see the following alternatives to cope with the encoding problem:
>>
>> a) Force usage of a URL-safe character set for access and request
>> tokens.
>> - rather restrictive, will most likely collide with existing token
>> formats
>> - does not solve URL length problem
>>
>> b) Force base64-URL-safe encoding for all tokens on transit.
>> - does not solve URL length problem
>> - significant API change
>>
>> c) Authorization servers supporting revocation may additionally issue
>> a URL-safe token id in the access token response. This id is used to
>> reference the token in DELETE requests.
>>
>> HTTP/1.1 200 OK
>> Content-Type: application/json
>> Cache-Control: no-store
>> {
>> "access_token":"SlAV32hkKG/hhh/&%",
>> "access_token_id":"234567890",
>> "expires_in":3600,
>> "refresh_token":"8xLOxBtZp8&&&#&",
>> "refresh_token_id":"asdfghjklhgf"
>> }
>>
>>
>> DELETE /tokens?refresh_token_id=asdfghjklhgf HTTP/1.1
>> Authorization: BASIC czZCaGRSa3F0Mzo4ZVNFSXBucW1N
>>
>> Note: Since tokens become addressable resources on the authz server,
>> one could also query or modify token data using a GET/PUT requests
>>
>> GET /tokens?refresh_token_id=asdfghjklhgf HTTP/1.1
>> Authorization: BASIC czZCaGRSa3F0Mzo4ZVNFSXBucW1N
>>
>> HTTP/1.1 200 OK
>> Content-Type: application/json
>> Cache-Control: no-store
>>
>> {
>> "scope":"abc",
>> "issued_on":"08/11/2010",
>> "last_usage":"08/13/2010" }
>>
>>
>> 2) HTTP Post on dedicated revocation endpoint
>>
>> An additional endpoint is used to revoke tokens. The token to be
>> revoked is sent as request body parameter.
>>
>> POST /revocation HTTP/1.1
>> Host: server.example.com
>> Content-Type: application/x-www-form-urlencoded
>> Authorization: BASIC czZCaGRSa3F0Mzo4ZVNFSXBucW1N
>>
>> refresh_token=n4E9O119d
>>
>> This option requires some support for the client to discover the
>> revocation endpoint.
>>
>> Please indicate your prefered option (1a, 1b, 1c, and 2) or suggest
>> additional design options.
>>
>> regards,
>> Torsten.
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] survey: token revocation design options Torsten Lodderstedt
- Re: [OAUTH-WG] survey: token revocation design op… Igor Faynberg
- Re: [OAUTH-WG] survey: token revocation design op… Lukas Rosenstock
- Re: [OAUTH-WG] survey: token revocation design op… Justin Richer
- Re: [OAUTH-WG] survey: token revocation design op… Torsten Lodderstedt
- Re: [OAUTH-WG] survey: token revocation design op… Torsten Lodderstedt
- Re: [OAUTH-WG] survey: token revocation design op… Igor Faynberg
- Re: [OAUTH-WG] survey: token revocation design op… Stefanie Dronia
- Re: [OAUTH-WG] survey: token revocation design op… Marius Scurtescu
- Re: [OAUTH-WG] survey: token revocation design op… Torsten Lodderstedt
- Re: [OAUTH-WG] survey: token revocation design op… Torsten Lodderstedt