Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
 with ESMTP id F0EC821F8951 for <oauth@ietfa.amsl.com>;
 Thu, 24 Jan 2013 08:03:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.533
X-Spam-Level: 
X-Spam-Status: No,
 score=0.533 tagged_above=-999 required=5 tests=[BAYES_00=-2.599,
 UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com
 [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NYTi8r2mNBvu for
 <oauth@ietfa.amsl.com>; Thu, 24 Jan 2013 08:03:42 -0800 (PST)
Received: from na01-by2-obe.outbound.protection.outlook.com
 (na01-by2-obe.ptr.protection.outlook.com [207.46.100.27]) by ietfa.amsl.com
 (Postfix) with ESMTP id 362C421F8942 for <oauth@ietf.org>;
 Thu, 24 Jan 2013 08:03:41 -0800 (PST)
Received: from BL2FFO11FD004.protection.gbl (10.173.161.203) by
 BL2FFO11HUB028.protection.gbl (10.173.161.52) with Microsoft SMTP Server
 (TLS) id 15.0.596.13; Thu, 24 Jan 2013 16:03:39 +0000
Received: from TK5EX14HUBC103.redmond.corp.microsoft.com (131.107.125.37) by
 BL2FFO11FD004.mail.protection.outlook.com (10.173.160.104) with Microsoft
 SMTP Server (TLS) id 15.0.596.13 via Frontend Transport;
 Thu, 24 Jan 2013 16:03:39 +0000
Received: from co1outboundpool.messaging.microsoft.com (157.54.51.81) by
 mail.microsoft.com (157.54.86.9) with Microsoft SMTP Server (TLS) id
 14.2.318.3; Thu, 24 Jan 2013 16:03:13 +0000
Received: from mail220-co1-R.bigfish.com (10.243.78.216) by
 CO1EHSOBE014.bigfish.com (10.243.66.77) with Microsoft SMTP Server id
 14.1.225.23; Thu, 24 Jan 2013 15:59:53 +0000
Received: from mail220-co1 (localhost [127.0.0.1])	by
 mail220-co1-R.bigfish.com (Postfix) with ESMTP id 9C87780396	for
 <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>;
 Thu, 24 Jan 2013 15:59:53 +0000 (UTC)
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.21; KIP:(null);
 UIP:(null); (null); H:BL2PRD0310HT001.namprd03.prod.outlook.com; R:internal;
 EFV:INT
X-SpamScore: -19
X-BigFish: PS-19(zzbb2dI98dI9371Id6eah542Izz1ee6h1de0h1202h1e76h1d1ah1d2ah1082kzz1033IL8275dhz31h2a8h668h839h944hd24hf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h9a9j1155h)
Received-SPF: softfail (mail220-co1: transitioning domain of microsoft.com
 does not designate 157.56.240.21 as permitted sender) client-ip=157.56.240.21;
 envelope-from=tonynad@microsoft.com;
 helo=BL2PRD0310HT001.namprd03.prod.outlook.com ; .outlook.com ; 
X-Forefront-Antispam-Report-Untrusted: SFV:SKI; SFS:; DIR:OUT; SFP:; SCL:-1;
 SRVR:BY2PR03MB043; H:BY2PR03MB041.namprd03.prod.outlook.com; LANG:en; 
Received: from mail220-co1 (localhost.localdomain [127.0.0.1]) by mail220-co1
 (MessageSwitch) id 1359043126812105_4073;
 Thu, 24 Jan 2013 15:58:46 +0000 (UTC)
Received: from CO1EHSMHS015.bigfish.com (unknown [10.243.78.215])	by
 mail220-co1.bigfish.com (Postfix) with ESMTP id B9D6724056B;
 Thu, 24 Jan 2013 15:58:46 +0000 (UTC)
Received: from BL2PRD0310HT001.namprd03.prod.outlook.com (157.56.240.21) by
 CO1EHSMHS015.bigfish.com (10.243.66.25) with Microsoft SMTP Server (TLS) id
 14.1.225.23; Thu, 24 Jan 2013 15:58:40 +0000
Received: from BY2PR03MB043.namprd03.prod.outlook.com (10.255.241.147) by
 BL2PRD0310HT001.namprd03.prod.outlook.com (10.255.97.36) with Microsoft SMTP
 Server (TLS) id 14.16.257.4; Thu, 24 Jan 2013 15:58:40 +0000
Received: from BY2PR03MB041.namprd03.prod.outlook.com (10.255.241.145) by
 BY2PR03MB043.namprd03.prod.outlook.com (10.255.241.147) with Microsoft SMTP
 Server (TLS) id 15.0.601.3; Thu, 24 Jan 2013 15:58:38 +0000
Received: from BY2PR03MB041.namprd03.prod.outlook.com ([169.254.9.209]) by
 BY2PR03MB041.namprd03.prod.outlook.com ([169.254.9.209]) with mapi id
 15.00.0601.000; Thu, 24 Jan 2013 15:58:37 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Justin Richer <jricher@mitre.org>
Thread-Topic: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review
Thread-Index: Ac35p+wOnP9UzK9BQMG59YbBjTobdAAHPkAQAB4kyAAAA1FVAA==
Date: Thu, 24 Jan 2013 15:58:36 +0000
Message-ID: <269c48631ede4fc59c949b9f43f91c05@BY2PR03MB041.namprd03.prod.outlook.com>
References: <a7b55ec383284cee83ff199f0057acbb@BY2PR03MB041.namprd03.prod.outlook.com>
 <5101425A.6080905@mitre.org>
In-Reply-To: <5101425A.6080905@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [131.107.192.168]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BY2PR03MB043.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%MITRE.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14HUBC103.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14HUBC103.redmond.corp.microsoft.com
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI;
 EFV:NLI; SFV:NSPM;
 SFS:(199002)(479174001)(13464002)(377454001)(24454001)(189002)(16676001)(5343655001)(53806001)(23726001)(47736001)(6806001)(4396001)(550184003)(50466001)(49866001)(47976001)(50986001)(51856001)(56776001)(79102001)(33646001)(63696002)(54356001)(54316002)(76482001)(46406002)(31966008)(46102001)(74502001)(56816002)(74662001)(44976002)(47446002)(77982001)(59766001)(47776003)(42262001)(24736002);
 DIR:OUT; SFP:; SCL:1; SRVR:BL2FFO11HUB028;
 H:TK5EX14HUBC103.redmond.corp.microsoft.com; RD:; A:1; MX:1; LANG:en; 
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 073631BD3D
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>,
 <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>,
 <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jan 2013 16:03:44 -0000

Ugggg uggg

1. we keep punting on discovery, this has an impact on security of where I =
send my credentials and token, can't see punting yet again here
2. OK, make this explicit in specification
3. if you have an auth_code you should be able to use it, agree not all wil=
l have it but some will
4. MAY seems a better choice
5. Make it explicit in the spec one way or the other, too vague now
6. How does one find the policy, as this has an impact on #7
7. There is a big difference here in enforcement, the client should not hav=
e to enforce this rule, the client may not know due to policy that revoking=
 1 token revokes other tokens thus the client would have to know the server=
s policy. This should be a SHOULD not MUST

-----Original Message-----
From: Justin Richer [mailto:jricher@mitre.org]=20
Sent: Thursday, January 24, 2013 6:17 AM
To: Anthony Nadalin
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review

Not to jump in and answer for Torsten, but I thought I'd  offer at least my=
 understanding of the document:

On 01/23/2013 06:54 PM, Anthony Nadalin wrote:
> 1.       Since not stated I assume that the Revocation Endpoint can exist=
 on a different server from the Authorization server (or is it assumed that=
 they are 1), if so how is the Revocation Endpoint found?
It could be separate if your architecture can support that. It gets found t=
he same way other OAuth endpoints get found -- configuration documents, som=
e kind of discovery mechanism, or magic. Which is to say, that's not curren=
tly OAuth's problem.

> 2.       Any token type that is supported can be revoked, including refre=
sh token ?
That's the idea. We've implemented this on our OIDC server so that you can =
also revoke ID Tokens for session management purposes.

> 3.       Why does one have to send the token, can't this just be an auth_=
code ?
You don't always use an auth code to get a token (think implicit, client cr=
edentials, assertion, or resource owner credentials flows), and auth codes =
are supposed to be thrown away after use anyway.

> 4.       Says CORS SHOULD be supported, I think a MAY be better here sinc=
e a site may have issues supporting CORS
If they have issues, which is to say "A good reason not to", then they don'=
t have to support it. That's the semantics behind "SHOULD", and so it is fi=
ne here.

> 5.       Does not say but is the revocation to be immediate upon the retu=
rn of the request ?
This is implementation dependent. Large scale distributed implementations c=
ould have trouble making this "immediate", but small systems are more likel=
y to be quick. From the client's perspective, if they get back a success re=
sponse, they shouldn't count on that token being good anymore (see section =
2 note about client behavior).

> 6.       Does the revocation of the access token also revoke the refresh =
token (if it was provided) ? Or is this a revocation policy decision ?
That's a policy decision.

> 7.       Section 2 says "the client MUST NOT use this token again", well =
that seems odd, not sure this should be here as the client could try to use=
 it gain, there is no need to put support in client to prevent this.
Why would a client want to use a token that they just revoked? This is pres=
cribing the desired correct behavior to a client so that client developers =
will do the right thing when they implement it. Isn't that the point of the=
 spec?

  -- Justin