Re: [OAUTH-WG] Remark on OAuth Device Flow Draft 12
William Denniss <wdenniss@google.com> Thu, 06 September 2018 20:30 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7045130EBC for <oauth@ietfa.amsl.com>; Thu, 6 Sep 2018 13:30:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.509
X-Spam-Level:
X-Spam-Status: No, score=-17.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9n7iQHWvRmrP for <oauth@ietfa.amsl.com>; Thu, 6 Sep 2018 13:30:57 -0700 (PDT)
Received: from mail-ua1-x92a.google.com (mail-ua1-x92a.google.com [IPv6:2607:f8b0:4864:20::92a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98D60130E9D for <oauth@ietf.org>; Thu, 6 Sep 2018 13:30:57 -0700 (PDT)
Received: by mail-ua1-x92a.google.com with SMTP id h1-v6so10162986uao.8 for <oauth@ietf.org>; Thu, 06 Sep 2018 13:30:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=/I7yzMC7qP9VIw2LOsSuvBwnZ/4sgGTdVRpCB99LvNI=; b=HxDW110CHG5zwLR9rgDSsooQGusqIAAmHD3SWVdLbuHz1amMTCcKQlYj+60YQb+XVr WfNRXBZn05zwoTaxyFYPR/t3mHbo9Qubr5KkkJEasDzZQ6oSWGRpuVvBpN5wfl1I0rJs KFM8RzmB0BiR+QCU7fVzUzN5F4JG7RDvfGwgpj5lIBMhfoMHLqvfHgd6gwanRLRubAYA vGQqlBrN2TnBPkvWwJwOfmcvtvWXSqlNAmdGr+uF7OP0htHww2/0q3xcAxIDH5ZsHd8U MJG+df7PD27lmWcu8hxH7MhvxNaOI38sy8Q/wZ4nkmmha/zuwK/y7Li25X650cXU0KYo 6zvQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=/I7yzMC7qP9VIw2LOsSuvBwnZ/4sgGTdVRpCB99LvNI=; b=D1qxFOrBjnRO3gAsinBT9/omSvHum0EFhV1U3JBHahgGGGd8+C/hFZdjNMapEFoGPC PZIduDahuxMdkCdzyzeFig80DGu9rfJhGdeDbN83+0Ne3JKYAA3jt4Brgmh8TOtWveQz xpFvZH5HxzC1xJvgCt+SO4PFbaDCHGlP05b39mOpZPZKJocyp8NIff+t36MZyp1xo1AO ZsSvp9pnjpKRo5PF/oblTzCwmYHmxs/3US7yEgWVPjaVH40Zhsb7yzKXU2Zw1ttwW2C7 QOIGX+2EGp797+7oxgDRMSF4FekHSWYacEtiWSA5zX2T6uBgUdJTav+lXtCLI1G7vCfB WG5g==
X-Gm-Message-State: APzg51Dlyhs0OCzFWDpQgX5evr5g5BUTXJ84o78K1jWNVfxQIwIpW0xY U13F4aSy6RaT/hohmu+1M3XO30/0EgzHMidpSHnpSp9ueQjoyw==
X-Google-Smtp-Source: ANB0VdYLt3NVdcdy0emmW5bY/jVHtd9s0Snmeeo7Q+SvFjf17HYDMOUNUZosVTNcZDE4COTz+SQRBQde3ArK/AY0Jk8=
X-Received: by 2002:a1f:8b8b:: with SMTP id n133-v6mr1555007vkd.60.1536265856006; Thu, 06 Sep 2018 13:30:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ab0:718c:0:0:0:0:0 with HTTP; Thu, 6 Sep 2018 13:30:35 -0700 (PDT)
In-Reply-To: <AM0PR0302MB33452B06C6CBF1B04D613DF1CE010@AM0PR0302MB3345.eurprd03.prod.outlook.com>
References: <AM0PR0302MB33452B06C6CBF1B04D613DF1CE010@AM0PR0302MB3345.eurprd03.prod.outlook.com>
From: William Denniss <wdenniss@google.com>
Date: Thu, 06 Sep 2018 13:30:35 -0700
Message-ID: <CAAP42hC9f-7D4=WzVKnXu6KBsu-+piWLhPZYTip5Py2T5tdZ-A@mail.gmail.com>
To: Eestermans Dries <dries.eestermans@is4u.be>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a14563057539c44e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/X917yLt0DvYOywvd9uPXxpTowJM>
Subject: Re: [OAUTH-WG] Remark on OAuth Device Flow Draft 12
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Sep 2018 20:31:00 -0000
Hi Dries, Good question. The intent of the expired_token error message is to communicate to the device client that it should stop polling as the session has expired. The reason we defined the separate error message for just this case was so that clients could present an accurate message (i.e. that the polling should conclude due to the session expiring, but the user could try again). There is no requirement in the specification that this error be returned on all expired tokens, for example implementors could make the decision only to return expired_token for 5 minutes which would enable the above UI behavior, or to never return that code if they wanted. There is also no requirement to persist expired tokens, this logic is completely up to the server. I do think it's good behavior to persist the expired token for several minutes after expiry and to return the "expired_token" error code during that time, in order to help the client better serve the user, but after that time there isn't any value in returning that error code, and no need to persist the tokens just for that reason. Best, William On Wed, Sep 5, 2018 at 11:45 PM, Eestermans Dries <dries.eestermans@is4u.be> wrote: > Dear all, > > > > I’ve been implementing the device flow on my own client, and configuring > the server side as well. > > > > I have only one remark/question regarding https://tools.ietf.org/html/ > draft-ietf-oauth-device-flow-12#section-3.5 > <https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-oauth-device-flow-12%23section-3.5&data=02%7C01%7Cdries.eestermans%40is4u.be%7C74679240d3964c3cb52008d613becd1f%7C49c3d703357947bfa8887c913fbdced9%7C0%7C0%7C636718107551704981&sdata=qyCoR%2BuFUd7%2FWVUXAxpCkP3W%2Fl1Jw2eq%2FkINYaC5B5g%3D&reserved=0> > : > > There’s several error codes defined, the one I’m questioning specifically > is: *expired_token*. When you return expired_token, don’t you > (implicitly) expose data about once-existing tokens? Wouldn’t a better > error definition be something like; invalid_token? That way the client > knows the code it’s using is invalid, without exposing any history of > actual expired tokens, and can conclude the session as intended. > > > > Furthermore, if expired tokens are a thing, should the server persist > expired tokens? If so, how long would they have to remain there? Wouldn’t > it be easier at this point to simply discard the tokens once it expires? > > > > Kind regards, > > > > Dries Eestermans > > >
- Re: [OAUTH-WG] Remark on OAuth Device Flow Draft … William Denniss