IETF Logo Mail Archive

Re: [OAUTH-WG] Access token timeout

Justin Richer <jricher@mitre.org> Tue, 21 August 2012 14:39 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3217221F8671 for <oauth@ietfa.amsl.com>; Tue, 21 Aug 2012 07:39:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.581
X-Spam-Level:
X-Spam-Status: No, score=-6.581 tagged_above=-999 required=5 tests=[AWL=0.017, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KKU+cDq1x9A9 for <oauth@ietfa.amsl.com>; Tue, 21 Aug 2012 07:39:45 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id CB9A521F8679 for <oauth@ietf.org>; Tue, 21 Aug 2012 07:39:44 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id EDD2F21B15BB; Tue, 21 Aug 2012 10:39:43 -0400 (EDT)
Received: from IMCCAS02.MITRE.ORG (imccas02.mitre.org [129.83.29.79]) by smtpksrv1.mitre.org (Postfix) with ESMTP id C164A21B15B4; Tue, 21 Aug 2012 10:39:43 -0400 (EDT)
Received: from [10.146.15.29] (129.83.31.58) by IMCCAS02.MITRE.ORG (129.83.29.79) with Microsoft SMTP Server (TLS) id 14.2.309.2; Tue, 21 Aug 2012 10:39:43 -0400
Message-ID: <50339D54.9080406@mitre.org>
Date: Tue, 21 Aug 2012 10:38:12 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: Guangqing Deng <dgq2011@gmail.com>
References: <CAP279Lxk5+=2B3cFLzS=teRYu2qWbg9Ny263pfDpBRueC7pF+A@mail.gmail.com> <1345397735.4226.YahooMailNeo@web31809.mail.mud.yahoo.com> <8E82B87D-B819-462A-8546-6E20CA3B48CA@ve7jtb.com> <CAL4OH3SJKDCdLwhD2vksEh5Sd+0xEyiJrX+EyYnPJQUAeU5eXA@mail.gmail.com>
In-Reply-To: <CAL4OH3SJKDCdLwhD2vksEh5Sd+0xEyiJrX+EyYnPJQUAeU5eXA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------020407040304040409040206"
X-Originating-IP: [129.83.31.58]
Cc: "oauth@ietf.org" <oauth@ietf.org>, Jérôme LELEU <leleuj@gmail.com>
Subject: Re: [OAUTH-WG] Access token timeout
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2012 14:39:48 -0000

First, note that the "expires_in" field is never communicated to the 
Resource Server. It really is only just a hint to the Client. The Client 
has no way of even communicating this hint to the Resource Server within 
the bounds of OAuth.

Second, the connection between Resource Server and Authorization Server 
is explicitly undefined in OAuth. There are four common approaches here:
   1) Bake the RS and AS into a single box. This is the most common 
deployment on the web outside of the really big players like Google, 
AOL, and the like. This is the setup that you'll get out of the box from 
most libraries as well. In this case, the AS drops the token into a 
database and the RS can simply look it up in the same database to see if 
it's still good. When the AS wants to revoke a token, delete it from the 
data store and the RS can no longer find/validate it.
   2) Use a structured token (like JWT or SAML) to bake the expiration 
and other parameters into the token itself. The RS can then validate the 
token using a signature of some kind and look at fields within the token 
like "exp".
   3) Use token introspection style approaches to let the RS make a 
backchannel callback to the AS to see if the token's still good. There 
are a couple drafts floating around the WG with how to do that, and I 
think (and hope) we'll see that standardized. I just haven't seen any 
traction on it yet.
   4) Use a full-featured permissions protocol like UMA. This lets you 
even dynamically provision the RS at the AS and get extended sets of 
permissions attached to a token.

The "expires_in" field comes in to play in exactly none of these cases.

Hope this helps,
  -- Justin

On 08/21/2012 03:14 AM, Guangqing Deng wrote:
>
> Since both the "Client" and "Resource Server" don't know the exact 
> creation time (namely the time the response was generated on 
> "Authorization Server", just as mentioned in part 5.1 of OAUTH 2.0) of 
> an access token, the exact expiration time of an access token can't be 
> directly obtained by "Client" and "Resource Server" in the presence of 
> "expires_in". Usually, it doesn't matter to the "client", for a hint 
> of when the token will probably expire is enough; however, the 
> "Resource Server" must know the exact expiration time of an access 
> token and another scheme to obtain that time is needed. So why not 
> directly send the exact expiration time of an access token?
>
>
>
> 2012/8/20 John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>>
>
>     A token can always expire in less than that time.
>
>     I have seen deployments that use sliding windows and single use
>     access tokens.   In those cases the "expires_in" is sent as a Max
>     time before the token will expire.
>
>     A client always needs to be prepared that a token will have been
>     revoked or expired and fall back to using the refresh token, or
>     reauthorize.
>
>     John B.
>
>     On 2012-08-19, at 1:35 PM, William Mills wrote:
>
>>     It's a hint to the client of when the token will probably expire.
>>      There was a lot of discussion on what the right way to go was
>>     and there were several "camps" on the right strategy choice would
>>     be, but in the end a very simple solution was chosen.  Most folks
>>     agreed that having more than one way to go was not worth the
>>     complexity, so this single one was picked.
>>
>>     ------------------------------------------------------------------------
>>     *From:* Jérôme LELEU <leleuj@gmail.com <mailto:leleuj@gmail.com>>
>>     *To:* oauth@ietf.org <mailto:oauth@ietf.org>
>>     *Sent:* Sunday, August 19, 2012 1:25 AM
>>     *Subject:* [OAUTH-WG] Access token timeout
>>
>>     Hi,
>>
>>     I might be misunderstanding the OAuth 2.0 spec (part 5.1,
>>     "expires_in" property), but I understand that the timeout of the
>>     access token is a hard one (amount of time between creation and
>>     expiration).
>>
>>     Am I right ?
>>
>>     Can we have a multiple use timeout ? A sliding window timeout ?
>>     Or a combination of all ?
>>
>>     Thanks.
>>     Best regards,
>>     Jérôme
>>
>>
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/oauth
>
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
> -- 
> Guangqing Deng
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email