Re: [OAUTH-WG] RFC 7662 on OAuth 2.0 Token Introspection

Vivek Biswas <vivek_biswas@yahoo.com> Wed, 21 October 2015 20:27 UTC

Date: Wed, 21 Oct 2015 20:27:46 +0000
From: Vivek Biswas <vivek_biswas@yahoo.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>
Message-ID: <1629428037.1277959.1445459266645.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <BC3FBA11-9796-470D-A7FF-722E5A1D53D0@gmail.com>
References: <BC3FBA11-9796-470D-A7FF-722E5A1D53D0@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/UIUPSMrmO7Y19mjteiNbeThYPXo>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] RFC 7662 on OAuth 2.0 Token Introspection

Yes indeed, a nice job!
I have one question on the RFC.
Not sure where I can submit a request for comments. Hence, adding to this email thread.

In the use-case mentioned below:

   The following is a non-normative example response for a token that
   has been revoked or is otherwise invalid:

     HTTP/1.1 200 OK
     Content-Type: application/json

     {
      "active": false
     }



Where the token is revoked or invalid, why not send an HTTP response code of 400?
There are 2 benefits for the same.
A. Just looking at the header, we know that token validation didn't go through. No need to look in the payload. This is especially helpful in gateway design implementation.
B. You are further hiding from the user why the request failed and not letting him know if the token was processed by the server.
Cheers
Vivek
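The gateway situation raised in the post above, as an added example that is not from the thread or from RFC 7662: a resource server consuming introspection responses has to parse the body and fail closed, because a 200 with "active": false is the server's verdict on the token, whereas a non-200 status (RFC 7662 Section 2.3 uses 401 and RFC 6749-style 400 errors for problems with the introspection request itself) says nothing about the token; the caller still gets a uniform 401 either way. The sample responses, scope and exp values, and the Decision/gateway_response helpers are constructed for this illustration.

```python
import json
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample introspection responses (HTTP status, body) as a gateway
# would receive them from the authorization server's introspection endpoint.
SAMPLE_ACTIVE = (200, '{"active": true, "scope": "read write", "exp": 4102444800, "sub": "alice"}')
SAMPLE_INACTIVE = (200, '{"active": false}')            # the RFC 7662 example response
SAMPLE_STRING_FLAG = (200, '{"active": "false"}')       # wrong type: must not count as active
SAMPLE_REQUEST_ERROR = (400, '{"error": "invalid_request"}')  # the introspection call itself failed

@dataclass
class Decision:
    allow: bool
    reason: str                 # kept for the gateway's own logs; never sent to the caller
    subject: Optional[str] = None

def evaluate_introspection(status: int, body: str, required_scope: str,
                           now: Optional[int] = None) -> Decision:
    """Decide whether the gateway forwards a request, given the introspection response.
    Fails closed: only an HTTP 200 whose body carries "active": true can allow."""
    now = int(time.time()) if now is None else now
    if status != 200:
        # A non-200 status means the introspection request failed (RFC 7662 2.3: e.g. 401 for
        # bad resource-server credentials, 400-class RFC 6749 errors); it is not a token verdict.
        return Decision(False, f"introspection_error:{status}")
    try:
        claims = json.loads(body)
    except ValueError:
        return Decision(False, "introspection_bad_json")
    # Only the JSON boolean true is acceptable; a missing field or a "false" string is inactive.
    if not isinstance(claims, dict) or claims.get("active") is not True:
        return Decision(False, "token_inactive")
    exp = claims.get("exp")
    if isinstance(exp, int) and exp <= now:      # defence in depth on top of the server's verdict
        return Decision(False, "token_expired")
    if required_scope not in str(claims.get("scope", "")).split():
        return Decision(False, "insufficient_scope")
    return Decision(True, "ok", claims.get("sub"))

def gateway_response(decision: Decision) -> tuple:
    """What the caller sees: a uniform 401 for any token or introspection failure (the internal
    reason is not disclosed), 403 only for insufficient scope as RFC 6750 prescribes."""
    if decision.allow:
        return 200, {}
    if decision.reason == "insufficient_scope":
        return 403, {"WWW-Authenticate": 'Bearer realm="api", error="insufficient_scope"'}
    return 401, {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token"'}
```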
   
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Sent: Wednesday, October 21, 2015 4:47 AM
Subject: Re: [OAUTH-WG] RFC 7662 on OAuth 2.0 Token Introspection

Yes, nice job!

Sent from my iPhone

> On Oct 21, 2015, at 4:20 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
> 
> Thank you Justin for the hard work!
> 
>> On 10/20/2015 06:32 PM, Justin Richer wrote:
>> Thank you to everyone who helped make token introspection into a real standard!
>> 
>> — Justin
>> 
>>> On Oct 19, 2015, at 6:56 PM, rfc-editor@rfc-editor.org wrote:
>>> 
>>> A new Request for Comments is now available in online RFC libraries.
>>> 
>>> 
>>>      RFC 7662
>>> 
>>>      Title:       OAuth 2.0 Token Introspection
>>>      Author:      J. Richer, Ed.
>>>      Status:      Standards Track
>>>      Stream:      IETF
>>>      Date:        October 2015
>>>      Mailbox:     ietf@justin.richer.org
>>>      Pages:       17
>>>      Characters:  36591
>>>      Updates/Obsoletes/SeeAlso:  None
>>> 
>>>      I-D Tag:     draft-ietf-oauth-introspection-11.txt
>>> 
>>>      URL:         https://www.rfc-editor.org/info/rfc7662
>>> 
>>>      DOI:         http://dx.doi.org/10.17487/RFC7662
>>> 
>>> This specification defines a method for a protected resource to query
>>> an OAuth 2.0 authorization server to determine the active state of an
>>> OAuth 2.0 token and to determine meta-information about this token.
>>> OAuth 2.0 deployments can use this method to convey information about
>>> the authorization context of the token from the authorization server
>>> to the protected resource.
>>> 
>>> This document is a product of the Web Authorization Protocol Working Group of the IETF.
>>> 
>>> This is now a Proposed Standard.
>>> 
>>> STANDARDS TRACK: This document specifies an Internet Standards Track
>>> protocol for the Internet community, and requests discussion and suggestions
>>> for improvements.  Please refer to the current edition of the Official
>>> Internet Protocol Standards (https://www.rfc-editor.org/standards) for the 
>>> standardization state and status of this protocol.  Distribution of this 
>>> memo is unlimited.
>>> 
>>> This announcement is sent to the IETF-Announce and rfc-dist lists.
>>> To subscribe or unsubscribe, see
>>> https://www.ietf.org/mailman/listinfo/ietf-announce
>>> https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist
>>> 
>>> For searching the RFC series, see https://www.rfc-editor.org/search
>>> For downloading RFCs, see https://www.rfc-editor.org/rfc.html
>>> 
>>> Requests for special distribution should be addressed to either the
>>> author of the RFC in question, or to rfc-editor@rfc-editor.org.  Unless
>>> specifically noted otherwise on the RFC itself, all RFCs are for
>>> unlimited distribution.
>>> 
>>> 
>>> The RFC Editor Team
>>> Association Management Solutions, LLC
>>> 
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth

