IETF Logo Mail Archive

Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review

Anthony Nadalin <tonynad@microsoft.com> Thu, 24 January 2013 16:03 UTC

Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0EC821F8951 for <oauth@ietfa.amsl.com>; Thu, 24 Jan 2013 08:03:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.533
X-Spam-Level:
X-Spam-Status: No, score=0.533 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NYTi8r2mNBvu for <oauth@ietfa.amsl.com>; Thu, 24 Jan 2013 08:03:42 -0800 (PST)
Received: from na01-by2-obe.outbound.protection.outlook.com (na01-by2-obe.ptr.protection.outlook.com [207.46.100.27]) by ietfa.amsl.com (Postfix) with ESMTP id 362C421F8942 for <oauth@ietf.org>; Thu, 24 Jan 2013 08:03:41 -0800 (PST)
Received: from BL2FFO11FD004.protection.gbl (10.173.161.203) by BL2FFO11HUB028.protection.gbl (10.173.161.52) with Microsoft SMTP Server (TLS) id 15.0.596.13; Thu, 24 Jan 2013 16:03:39 +0000
Received: from TK5EX14HUBC103.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD004.mail.protection.outlook.com (10.173.160.104) with Microsoft SMTP Server (TLS) id 15.0.596.13 via Frontend Transport; Thu, 24 Jan 2013 16:03:39 +0000
Received: from co1outboundpool.messaging.microsoft.com (157.54.51.81) by mail.microsoft.com (157.54.86.9) with Microsoft SMTP Server (TLS) id 14.2.318.3; Thu, 24 Jan 2013 16:03:13 +0000
Received: from mail220-co1-R.bigfish.com (10.243.78.216) by CO1EHSOBE014.bigfish.com (10.243.66.77) with Microsoft SMTP Server id 14.1.225.23; Thu, 24 Jan 2013 15:59:53 +0000
Received: from mail220-co1 (localhost [127.0.0.1]) by mail220-co1-R.bigfish.com (Postfix) with ESMTP id 9C87780396 for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Thu, 24 Jan 2013 15:59:53 +0000 (UTC)
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.21; KIP:(null); UIP:(null); (null); H:BL2PRD0310HT001.namprd03.prod.outlook.com; R:internal; EFV:INT
X-SpamScore: -19
X-BigFish: PS-19(zzbb2dI98dI9371Id6eah542Izz1ee6h1de0h1202h1e76h1d1ah1d2ah1082kzz1033IL8275dhz31h2a8h668h839h944hd24hf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h9a9j1155h)
Received-SPF: softfail (mail220-co1: transitioning domain of microsoft.com does not designate 157.56.240.21 as permitted sender) client-ip=157.56.240.21; envelope-from=tonynad@microsoft.com; helo=BL2PRD0310HT001.namprd03.prod.outlook.com ; .outlook.com ;
X-Forefront-Antispam-Report-Untrusted: SFV:SKI; SFS:; DIR:OUT; SFP:; SCL:-1; SRVR:BY2PR03MB043; H:BY2PR03MB041.namprd03.prod.outlook.com; LANG:en;
Received: from mail220-co1 (localhost.localdomain [127.0.0.1]) by mail220-co1 (MessageSwitch) id 1359043126812105_4073; Thu, 24 Jan 2013 15:58:46 +0000 (UTC)
Received: from CO1EHSMHS015.bigfish.com (unknown [10.243.78.215]) by mail220-co1.bigfish.com (Postfix) with ESMTP id B9D6724056B; Thu, 24 Jan 2013 15:58:46 +0000 (UTC)
Received: from BL2PRD0310HT001.namprd03.prod.outlook.com (157.56.240.21) by CO1EHSMHS015.bigfish.com (10.243.66.25) with Microsoft SMTP Server (TLS) id 14.1.225.23; Thu, 24 Jan 2013 15:58:40 +0000
Received: from BY2PR03MB043.namprd03.prod.outlook.com (10.255.241.147) by BL2PRD0310HT001.namprd03.prod.outlook.com (10.255.97.36) with Microsoft SMTP Server (TLS) id 14.16.257.4; Thu, 24 Jan 2013 15:58:40 +0000
Received: from BY2PR03MB041.namprd03.prod.outlook.com (10.255.241.145) by BY2PR03MB043.namprd03.prod.outlook.com (10.255.241.147) with Microsoft SMTP Server (TLS) id 15.0.601.3; Thu, 24 Jan 2013 15:58:38 +0000
Received: from BY2PR03MB041.namprd03.prod.outlook.com ([169.254.9.209]) by BY2PR03MB041.namprd03.prod.outlook.com ([169.254.9.209]) with mapi id 15.00.0601.000; Thu, 24 Jan 2013 15:58:37 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Justin Richer <jricher@mitre.org>
Thread-Topic: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review
Thread-Index: Ac35p+wOnP9UzK9BQMG59YbBjTobdAAHPkAQAB4kyAAAA1FVAA==
Date: Thu, 24 Jan 2013 15:58:36 +0000
Message-ID: <269c48631ede4fc59c949b9f43f91c05@BY2PR03MB041.namprd03.prod.outlook.com>
References: <a7b55ec383284cee83ff199f0057acbb@BY2PR03MB041.namprd03.prod.outlook.com> <5101425A.6080905@mitre.org>
In-Reply-To: <5101425A.6080905@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [131.107.192.168]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BY2PR03MB043.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%MITRE.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14HUBC103.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14HUBC103.redmond.corp.microsoft.com
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(199002)(479174001)(13464002)(377454001)(24454001)(189002)(16676001)(5343655001)(53806001)(23726001)(47736001)(6806001)(4396001)(550184003)(50466001)(49866001)(47976001)(50986001)(51856001)(56776001)(79102001)(33646001)(63696002)(54356001)(54316002)(76482001)(46406002)(31966008)(46102001)(74502001)(56816002)(74662001)(44976002)(47446002)(77982001)(59766001)(47776003)(42262001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BL2FFO11HUB028; H:TK5EX14HUBC103.redmond.corp.microsoft.com; RD:; A:1; MX:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 073631BD3D
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jan 2013 16:03:44 -0000

Ugggg uggg

1. we keep punting on discovery, this has an impact on security of where I send my credentials and token, can't see punting yet again here
2. OK, make this explicit in specification
3. if you have an auth_code you should be able to use it, agree not all will have it but some will
4. MAY seems a better choice
5. Make it explicit in the spec one way or the other, too vague now
6. How does one find the policy, as this has an impact on #7
7. There is a big difference here in enforcement, the client should not have to enforce this rule, the client may not know due to policy that revoking 1 token revokes other tokens thus the client would have to know the servers policy. This should be a SHOULD not MUST

-----Original Message-----
From: Justin Richer [mailto:jricher@mitre.org] 
Sent: Thursday, January 24, 2013 6:17 AM
To: Anthony Nadalin
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review

Not to jump in and answer for Torsten, but I thought I'd  offer at least my understanding of the document:

On 01/23/2013 06:54 PM, Anthony Nadalin wrote:
> 1.       Since not stated I assume that the Revocation Endpoint can exist on a different server from the Authorization server (or is it assumed that they are 1), if so how is the Revocation Endpoint found?
It could be separate if your architecture can support that. It gets found the same way other OAuth endpoints get found -- configuration documents, some kind of discovery mechanism, or magic. Which is to say, that's not currently OAuth's problem.

> 2.       Any token type that is supported can be revoked, including refresh token ?
That's the idea. We've implemented this on our OIDC server so that you can also revoke ID Tokens for session management purposes.

> 3.       Why does one have to send the token, can't this just be an auth_code ?
You don't always use an auth code to get a token (think implicit, client credentials, assertion, or resource owner credentials flows), and auth codes are supposed to be thrown away after use anyway.

> 4.       Says CORS SHOULD be supported, I think a MAY be better here since a site may have issues supporting CORS
If they have issues, which is to say "A good reason not to", then they don't have to support it. That's the semantics behind "SHOULD", and so it is fine here.

> 5.       Does not say but is the revocation to be immediate upon the return of the request ?
This is implementation dependent. Large scale distributed implementations could have trouble making this "immediate", but small systems are more likely to be quick. From the client's perspective, if they get back a success response, they shouldn't count on that token being good anymore (see section 2 note about client behavior).

> 6.       Does the revocation of the access token also revoke the refresh token (if it was provided) ? Or is this a revocation policy decision ?
That's a policy decision.

> 7.       Section 2 says "the client MUST NOT use this token again", well that seems odd, not sure this should be here as the client could try to use it gain, there is no need to put support in client to prevent this.
Why would a client want to use a token that they just revoked? This is prescribing the desired correct behavior to a client so that client developers will do the right thing when they implement it. Isn't that the point of the spec?

  -- Justin

v2.23.0 | Report a Bug | By Email