IETF Logo Mail Archive

Re: [OAUTH-WG] Draft -12 feedback deadline

Torsten Lodderstedt <torsten@lodderstedt.net> Sat, 26 February 2011 12:38 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A42D23A683C; Sat, 26 Feb 2011 04:38:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.215
X-Spam-Level:
X-Spam-Status: No, score=-2.215 tagged_above=-999 required=5 tests=[AWL=0.034, BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1XQ5pregnxHP; Sat, 26 Feb 2011 04:38:19 -0800 (PST)
Received: from smtprelay01.ispgateway.de (smtprelay01.ispgateway.de [80.67.31.28]) by core3.amsl.com (Postfix) with ESMTP id 6F5CB3A6800; Sat, 26 Feb 2011 04:38:19 -0800 (PST)
Received: from [79.253.40.1] (helo=[192.168.71.49]) by smtprelay01.ispgateway.de with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1PtJQX-00016N-Fw; Sat, 26 Feb 2011 13:39:13 +0100
Message-ID: <4D68F471.3090204@lodderstedt.net>
Date: Sat, 26 Feb 2011 13:39:13 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: Marius Scurtescu <mscurtescu@google.com>
References: <90C41DD21FB7C64BB94121FBBC2E723445A8D6254D@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTinMjQW26mLkoN7oMdLWLGAHp0_O9LbVi13RpMJB@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723445A91D3EE9@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTimjWkO8o+z+P=AKpyYkSjTh6oS7uM9N0JwR_vR6@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723445A91D3F44@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTi=tvwsR=_EhPRkYEwC+ERwRCNN2aAWDqRDvwx8B@mail.gmail.com> <FFDFD7371D517847AD71FBB08F9A315638493F514F@SP2-EX07VS06.ds.corp.yahoo.com> <AANLkTimxhoK1vt8HwSF9dvu4Z5xjqrLLb2SULj9pp=9b@mail.gmail.com> <AANLkTi=DtgpWNyEKBg=0GhOWuqSvzF5q0SJQgfZNRm8M@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723445A91D3F9A@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTindJ3oGpggvZ7jRJ4TRhTRomyZG+DwLOfbHD2kq@mail.gmail.com> <OFEFAF96E1.1837BBD4-ON8025783B.0040108E-8025783B.0040FF69@ie.ibm.com> <AANLkTi=PnOmyaMnNrGgPnOO_wtF8b_=v99wiR5ospHLH@mail.gmail.com>
In-Reply-To: <AANLkTi=PnOmyaMnNrGgPnOO_wtF8b_=v99wiR5ospHLH@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Df-Sender: torsten@lodderstedt-online.de
Cc: OAuth WG <oauth@ietf.org>, oauth-bounces@ietf.org
Subject: Re: [OAUTH-WG] Draft -12 feedback deadline
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Feb 2011 12:38:21 -0000

Am 18.02.2011 18:40, schrieb Marius Scurtescu:
> On Fri, Feb 18, 2011 at 3:49 AM, Mark Mcgloin<mark.mcgloin@ie.ibm.com>  wrote:
>> Marius
>>
>> Isn't the risk of the refresh token leaking the same as the risk of the
>> access token leaking, i.e. why not provide both?
> Sure, but refresh tokens never die.

One can replace the refresh token with every refresh request, so the 
impact of a refresh token leakage could be reduced to that of a leaked 
access token.

I'm in favour to add the refresh token parameter to the implicit grant 
flow as it would make it more useable for native apps. On the other 
hand, requirements of the authorization code flow could be strengthened 
to require client authentication.

regards,
Torsten.

>
>> IMO, the refresh token
>> just provides a server side mechanism for revoking access, where resource
>> servers are distributed, through having short lived access tokens
>>
>> Of course, the refresh access token flow currently requires a secret so
>> would need to be changed or alternative flow introduced. Will wait for
>> details of how auth code flow can be used
> The flow is not changing. For native apps the client secret can either
> be declared optional, or a "well known secret" can be issued for
> native apps.
>
> The authorization server can also insist that each native app has a
> unique secret and it must guard it, that may or may not make sense.
>
> Marius
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email