Re: [OAUTH-WG] Token expiration
Hubert Le Van Gong <hubertlvg@gmail.com> Mon, 21 September 2009 23:00 UTC
Return-Path: <hubertlvg@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C25273A689A for <oauth@core3.amsl.com>; Mon, 21 Sep 2009 16:00:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.359
X-Spam-Level:
X-Spam-Status: No, score=-2.359 tagged_above=-999 required=5 tests=[AWL=0.240, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 94PhRyOtpW2O for <oauth@core3.amsl.com>; Mon, 21 Sep 2009 16:00:00 -0700 (PDT)
Received: from mail-bw0-f210.google.com (mail-bw0-f210.google.com [209.85.218.210]) by core3.amsl.com (Postfix) with ESMTP id 36CA63A67F7 for <oauth@ietf.org>; Mon, 21 Sep 2009 16:00:00 -0700 (PDT)
Received: by bwz6 with SMTP id 6so2278958bwz.37 for <oauth@ietf.org>; Mon, 21 Sep 2009 16:00:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=phQeQ8o7a2V9mMLVM2SiODNAIZi9p3IaMb2pwlqGCBU=; b=kkLvtms1Dh5QXmW8YnqBGPQe7v/ZELGK2++J4CfQqXf39GkeNv+AGZFvGvOWXMieHu rqOUbwdA+1BErkRxrOgk8jCco+E64M92eyJnyf6WkJ7gjNu9c5qXs+7dmm1CC5Xp6AA6 x+4O3ozYzumWkQUFyGHbOpMTxCAnfvplcdoMM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; b=rarXgmGeJFem+0yzmgPsEgnzWIJMB/ROguX+JKDCCuJb8Bs76sFIVIXEBAKpZMOgD1 GtrymZDRd62yGBAkpF4SBEso20mqgqWBePBIC5ZhFUjZMcox9qb0acu8nxYE92WAopVI hBPuM1SeHXEhA+cQByURw3bsMgrnKBrzbPMMc=
MIME-Version: 1.0
Received: by 10.204.157.24 with SMTP id z24mr132209bkw.208.1253574058086; Mon, 21 Sep 2009 16:00:58 -0700 (PDT)
In-Reply-To: <adb0b2880909211547sd75fddfjdb2e9d31d2e825d4@mail.gmail.com>
References: <90C41DD21FB7C64BB94121FBBC2E72343784D584A3@P3PW5EX1MB01.EX1.SECURESERVER.NET> <6c0fd2bc0909211441o3eacc564t2917cf5b94f99800@mail.gmail.com> <1bc4603e0909211522h2f659866v48ff9dcee9294b7a@mail.gmail.com> <6c0fd2bc0909211534s1f2b79c6m7577dee31accf9c7@mail.gmail.com> <adb0b2880909211547sd75fddfjdb2e9d31d2e825d4@mail.gmail.com>
Date: Tue, 22 Sep 2009 01:00:58 +0200
Message-ID: <6c0fd2bc0909211600n541ef6d8g402c8596062e14f8@mail.gmail.com>
From: Hubert Le Van Gong <hubertlvg@gmail.com>
To: oauth@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [OAUTH-WG] Token expiration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Sep 2009 23:00:01 -0000
In theory I'd agree with you but...
(1) there are ways of achieving reasonable clock sync nowadays
(2) usually the validity period is long enough that the clocks are
considered roughly in sync.
(3) the n seconds means I can keep the token for a very long period
of time and present it? Unless you meant seconds starting from
the sender's clock, in which case we're back to the same issue.
If the token is for a sensitive resource, one can still impose a one time use...
My 2 cents,
Hubert
On Tue, Sep 22, 2009 at 12:47 AM, Jonathan Sergent <sergent@google.com> wrote:
> IMO, it's problematic that this relies on clock synchronization
> between the sender and the receiver to work. This is a constant
> source of problems in need of debugging for us today. Why not specify
> times like this using intervals? "This token is valid for the next n
> seconds."
>
> On Mon, Sep 21, 2009 at 3:34 PM, Hubert Le Van Gong <hubertlvg@gmail.com> wrote:
>> An interesting example (to me at least since we use it) is the SAML token.
>> You have the ability to define three dates:
>> - IssueInstant: the time of issue of the token [required]
>> - NotBefore: time before which the token's invalid [optional]
>> - NotOnOrAfter: time after which the token becomes invalid [optional]
>>
>> All are dateTime (in UTC form).
>>
>> Thanks,
>> Hubert
>>
>>
>> On Tue, Sep 22, 2009 at 12:22 AM, Chris Messina <chris.messina@gmail.com> wrote:
>>> Seems like it'd be worth documenting existing approaches to this... what do
>>> other similar APIs do?
>>> I know I harp on this approach to technology development, but that was how
>>> OAuth was developed (for better or worse): by looking at existing practices,
>>> extracting convention, and codifying ]ideally] best practices.
>>> If this is common and working elsewhere, can't we just imitate it?
>>> Chris
>>>
>>> On Mon, Sep 21, 2009 at 2:41 PM, Hubert Le Van Gong <hubertlvg@gmail.com>
>>> wrote:
>>>>
>>>> It is obviously useful to have. In fact it's so useful I'll bet most
>>>> token format
>>>> used do include one. Having it outside the token becomes redundant then
>>>> but
>>>> maybe it's not that bad.
>>>>
>>>> BTW why not using dateTime (http://www.w3.org/TR/xmlschema-2/#dateTime)?
>>>>
>>>> Cheers,
>>>> Hubert
>>>>
>>>>
>>>> On Mon, Sep 21, 2009 at 11:25 PM, Eran Hammer-Lahav <eran@hueniverse.com>
>>>> wrote:
>>>> > Should the core spec support the ability to indicate the duration of
>>>> > token credentials? This would be an addition to the web delegation draft [1]
>>>> > in section 6 (Token Credentials) in the form of a new response parameter,
>>>> > something like:
>>>> >
>>>> > oauth_token_duration
>>>> > The token duration specified in second from the time of the HTTP
>>>> > response timestamp.
>>>> >
>>>> > This has been consistently at the top of missing core funcationality.
>>>> >
>>>> >
>>>> > EHL
>>>> >
>>>> > [1] http://tools.ietf.org/html/draft-ietf-oauth-web-delegation-01
>>>> >
>>>> > _______________________________________________
>>>> > OAuth mailing list
>>>> > OAuth@ietf.org
>>>> > https://www.ietf.org/mailman/listinfo/oauth
>>>> >
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>> --
>>> Chris Messina
>>> Open Web Advocate
>>>
>>> Personal: http://factoryjoe.com
>>> Follow me on Twitter: http://twitter.com/chrismessina
>>>
>>> Citizen Agency: http://citizenagency.com
>>> Diso Project: http://diso-project.org
>>> OpenID Foundation: http://openid.net
>>>
>>> This email is: [ ] shareable [X] ask first [ ] private
>>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
- [OAUTH-WG] Token expiration Eran Hammer-Lahav
- Re: [OAUTH-WG] Token expiration Hubert Le Van Gong
- Re: [OAUTH-WG] Token expiration Chris Messina
- Re: [OAUTH-WG] Token expiration Hubert Le Van Gong
- Re: [OAUTH-WG] Token expiration Jonathan Sergent
- Re: [OAUTH-WG] Token expiration Marcel Molina
- Re: [OAUTH-WG] Token expiration Hubert Le Van Gong
- Re: [OAUTH-WG] Token expiration Eran Hammer-Lahav
- Re: [OAUTH-WG] Token expiration Jonathan Sergent
- Re: [OAUTH-WG] Token expiration Chris Messina