Re: [OAUTH-WG] issuing new refresh tokens
Andrew Arnott <andrewarnott@gmail.com> Tue, 13 July 2010 20:11 UTC
Return-Path: <andrewarnott@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1242A3A69D5 for <oauth@core3.amsl.com>; Tue, 13 Jul 2010 13:11:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dwj6HbgD5rSX for <oauth@core3.amsl.com>; Tue, 13 Jul 2010 13:11:14 -0700 (PDT)
Received: from mail-gw0-f44.google.com (mail-gw0-f44.google.com [74.125.83.44]) by core3.amsl.com (Postfix) with ESMTP id 93B763A6888 for <oauth@ietf.org>; Tue, 13 Jul 2010 13:11:09 -0700 (PDT)
Received: by gwj19 with SMTP id 19so1337425gwj.31 for <oauth@ietf.org>; Tue, 13 Jul 2010 13:11:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:mime-version:received:in-reply-to :references:from:date:message-id:subject:to:cc:content-type; bh=i/AZ2xzoTtFqeEIjRtces+ygXGiD/hHDKmQZMo9hjfc=; b=MQlAlRHU/LacFTEc3Ld/4+gTq4LeojMLFL9rRWrwN1nvAIgqlDtVrTSO2x8tam80An +zpil3BP7x8YyoSM4mmYVYOYnI5g7rKtM86BlxqyjfcX0cASjqxyGVXPhNER7qHszEk2 mUC4RuGI8U7rQ+u02kL5CnE6P/PGMTF+hTg2E=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; b=TwSoBWozuv9wefAJDLztfiHBlJn/rtxcq3WdQIKUD+PD6sPvqKHIiCz37bPTZ5PJKd tuzZwkTMyfJQqGJlJb0Ya0MA3yCwudgzj4ryj8we0tVwds9PRC7j4Pg/8YjJzj+Ipznj smq2U4+A0SXmxaJr2RqtO9sMGxeUMLj5IGAyI=
Received: by 10.150.233.21 with SMTP id f21mr7294837ybh.388.1279051876976; Tue, 13 Jul 2010 13:11:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.150.92.8 with HTTP; Tue, 13 Jul 2010 13:10:56 -0700 (PDT)
In-Reply-To: <AANLkTin9GHCvTA0jQziYW3klZe78Yx1b9Op-eaxJDzEK@mail.gmail.com>
References: <AANLkTin9GHCvTA0jQziYW3klZe78Yx1b9Op-eaxJDzEK@mail.gmail.com>
From: Andrew Arnott <andrewarnott@gmail.com>
Date: Tue, 13 Jul 2010 13:10:56 -0700
Message-ID: <AANLkTimP82bx8oO4MiTdpEUxlmJZwZB_FtpNRQGHN3fS@mail.gmail.com>
To: Brian Eaton <beaton@google.com>
Content-Type: multipart/alternative; boundary="000e0cd694c2c6e255048b4a7853"
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] issuing new refresh tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jul 2010 20:11:16 -0000
On Mon, Jul 12, 2010 at 10:36 PM, Brian Eaton <beaton@google.com> wrote: > Draft 10 has the following sentence in section 4.1.4: > http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.4 > > "The authorization server MAY issue a new refresh token." > > That carries a surprising amount of baggage. I suggest removing the > sentence, or changing it to MUST NOT, pending a discussion of the use > cases for issuing new refresh tokens. > > Does anyone remember why that sentence got added to the spec? > > There are two reasons I can see for issuing new refresh tokens: > 1) secrets are like underwear, change them frequently > 2) someone has a cryptographically implemented refresh token that > needs to be re-signed or re-issued > > I'm pretty sure anyone issuing cryptographic refresh tokens is crazy, > these pretty much have to be backed by server-side state or there is > no way to run your system. Brian, can you tell me what you mean by cryptographically implemented refresh token, and why using one would be crazy? You say using them would require server-side state. I'd say just the opposite. If you *are* signing your refresh tokens (a cryptographic operation) you don't need to store them on the auth server, but if you aren't using cryptography, then you must store the tokens on the auth server in order to validate them when they come back to you. So in short, I'm thinking the opposite of what you state. So please enlighten me. What am I missing?
- [OAUTH-WG] issuing new refresh tokens Brian Eaton
- Re: [OAUTH-WG] issuing new refresh tokens Eran Hammer-Lahav
- Re: [OAUTH-WG] issuing new refresh tokens Andrew Arnott
- Re: [OAUTH-WG] issuing new refresh tokens Brian Eaton
- Re: [OAUTH-WG] issuing new refresh tokens Andrew Arnott
- Re: [OAUTH-WG] issuing new refresh tokens Brian Eaton
- Re: [OAUTH-WG] issuing new refresh tokens Andrew Arnott
- Re: [OAUTH-WG] issuing new refresh tokens Brian Eaton
- Re: [OAUTH-WG] issuing new refresh tokens Kris Selden
- Re: [OAUTH-WG] issuing new refresh tokens Brian Eaton
- Re: [OAUTH-WG] issuing new refresh tokens Torsten Lodderstedt
- Re: [OAUTH-WG] issuing new refresh tokens Andrew Arnott
- Re: [OAUTH-WG] issuing new refresh tokens Brian Eaton
- Re: [OAUTH-WG] issuing new refresh tokens Brian Eaton
- Re: [OAUTH-WG] issuing new refresh tokens Torsten Lodderstedt
- Re: [OAUTH-WG] issuing new refresh tokens Brian Eaton
- Re: [OAUTH-WG] issuing new refresh tokens Torsten Lodderstedt
- Re: [OAUTH-WG] issuing new refresh tokens Eran Hammer-Lahav
- Re: [OAUTH-WG] issuing new refresh tokens Torsten Lodderstedt
- Re: [OAUTH-WG] issuing new refresh tokens Stefanie Dronia
- Re: [OAUTH-WG] issuing new refresh tokens Ebling, Sebastian