Re: [OAUTH-WG] Another question on RFC 7009
Brian Campbell <bcampbell@pingidentity.com> Fri, 07 February 2014 20:00 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18A9C1ADF34 for <oauth@ietfa.amsl.com>; Fri, 7 Feb 2014 12:00:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.912
X-Spam-Level:
X-Spam-Status: No, score=-2.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_SOFTFAIL=0.665] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zZIPm4S8ym-4 for <oauth@ietfa.amsl.com>; Fri, 7 Feb 2014 12:00:42 -0800 (PST)
Received: from na3sys009aog129.obsmtp.com (na3sys009aog129.obsmtp.com [74.125.149.142]) by ietfa.amsl.com (Postfix) with ESMTP id 2B9A81ADEA6 for <oauth@ietf.org>; Fri, 7 Feb 2014 12:00:35 -0800 (PST)
Received: from mail-ig0-f171.google.com ([209.85.213.171]) (using TLSv1) by na3sys009aob129.postini.com ([74.125.148.12]) with SMTP ID DSNKUvU7Y/54ESTzhUKQLKl0Hj3ntc3myXmJ@postini.com; Fri, 07 Feb 2014 12:00:35 PST
Received: by mail-ig0-f171.google.com with SMTP id uy17so2560804igb.4 for <oauth@ietf.org>; Fri, 07 Feb 2014 12:00:34 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=swgAaSwYz16nzBwBQo2S7EVRIHJvMcHbxlicEIT+p2c=; b=JEtlwL97uvMpCbMv5H6Sr3grzTnPOAvGN8Jlahkd/YmuSV8mWlCxxSdynLNe4o877l WpDt39K74ORed+uwlU9yLayu5Z+V1fumWFbj6OEqwhK7iB/b8S/81t1mU4IRfIHu9UZ3 XUv4+BWqKe+0sb89s67ngirBmE+JZh08huh5PDVIWPdUT1uivdBP6Sb94ALRG6o0nhQT MHBHVr8mDQDTz4xg+PRDvVdSsfOJpK6G+VpJCN8hpXfL/McCiUjs9TjtdKzdCmjxtfXp WQnS0xFjw4VQRqiafPSOalHtf5GHDHK3J8h+Anyp51xPfoAiLWGoMSV1wKCp7qHGsUBE syNg==
X-Gm-Message-State: ALoCoQmCGU5FwX/tuLYR/4d+mGaoiisXyptpw0mwpTrJ2f58tK1Rfg5WSDjDQZ6AXqwPpSzL6Obr21lg5Qe32PB7/AuajizwJDFs1WWLNcx5KVSvb00BmOito+/XN3YElqTI04X4JWgcO7P4l2rqSZ41e5uCJCkB6A==
X-Received: by 10.43.74.198 with SMTP id yx6mr5210371icb.40.1391803234941; Fri, 07 Feb 2014 12:00:34 -0800 (PST)
X-Received: by 10.43.74.198 with SMTP id yx6mr5210345icb.40.1391803234596; Fri, 07 Feb 2014 12:00:34 -0800 (PST)
MIME-Version: 1.0
Received: by 10.50.65.4 with HTTP; Fri, 7 Feb 2014 12:00:04 -0800 (PST)
In-Reply-To: <52F53A4A.7090600@aol.com>
References: <CA+k3eCSNX43gFYUA8jGgFZ4Ri6nWQ=+R6Ru2j+v04r_2pZdQhA@mail.gmail.com> <OFDA940505.5D93BC11-ON85257C71.005DCB58-85257C71.005DF5C2@us.ibm.com> <CAEayHEPYp7YxYr77nLTqkR4Xh1eg9sjMkGczcHEBnqG6U5VboA@mail.gmail.com> <CA+k3eCR-7x1cb_h-mWqWVr66w+gUe7trNjX4JAHGNDcNbfubag@mail.gmail.com> <52F53A4A.7090600@aol.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 07 Feb 2014 13:00:04 -0700
Message-ID: <CA+k3eCQCMs_zTV8wp7W4od8ZgSO78OSYAy6ia9bkkaVW0y2FhA@mail.gmail.com>
To: George Fletcher <gffletch@aol.com>
Content-Type: multipart/related; boundary="001a11c3923e66ff1304f1d67115"
Cc: "<oauth@ietf.org>" <oauth@ietf.org>, OAuth <oauth-bounces@ietf.org>
Subject: Re: [OAUTH-WG] Another question on RFC 7009
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Feb 2014 20:00:45 -0000
I agree it could clarified. But it's also what should be a vary rare erroneous condition so there's not really an interoperability concern with the ambiguity that's there now. On Fri, Feb 7, 2014 at 12:55 PM, George Fletcher <gffletch@aol.com> wrote: > +1 for this solution > > Is this something that could be clarified in errata as it appears we have > three different providers with three different solutions:) > > Thanks, > George > > On 2/7/14 2:43 PM, Brian Campbell wrote: > > Thanks, Todd and Thomas, for the responses. After some internal debate, I > think we are going to treat it as an invalid token (which it is in that > context) and return a 200. > > > On Fri, Jan 31, 2014 at 11:19 AM, Thomas Broyer <t.broyer@gmail.com>wrote: > >> FWIW, we return unauthorized_client. >> Le 31 janv. 2014 18:06, "Todd W Lainhart" <lainhart@us.ibm.com> a écrit >> : >> >> > ...what's the intended way that the "request is refused and the >>> client is informed of the error" when the the token was not issued to the >>> client making the revocation request? >>> >>> We return an error_code of "invalid_request" and an appropriate error >>> message. >>> >>> >>> >>> >>> >>> >>> >>> * Todd Lainhart Rational software IBM Corporation 550 King Street, >>> Littleton, MA 01460-1250* >>> >>> >>> * 1-978-899-4705 <1-978-899-4705> 2-276-4705 (T/L) lainhart@us.ibm.com >>> <lainhart@us.ibm.com>* >>> >>> >>> >>> >>> From: Brian Campbell <bcampbell@pingidentity.com> >>> To: oauth <oauth@ietf.org>, >>> Date: 01/31/2014 11:58 AM >>> Subject: [OAUTH-WG] Another question on RFC 7009 >>> Sent by: "OAuth" <oauth-bounces@ietf.org> >>> ------------------------------ >>> >>> >>> >>> Greetings WG, >>> >>> In section 2.1 of RFC 7009, it says: >>> >>> "The authorization server first validates the client credentials (in >>> case of a confidential client) and then verifies whether the token >>> was issued to the client making the revocation request. If this >>> validation fails, the request is refused and the client is informed >>> of the error by the authorization server as described below." >>> >>> The only error described below is "unsupported_token_type" which doesn't >>> seem appropriate here. The errors in >>> *http://tools.ietf.org/html/rfc6749#section-5.2*<http://tools.ietf.org/html/rfc6749#section-5.2>are referenced too and, while "invalid_client" seems right for failed >>> client authentication, what's the intended way that the "request is refused >>> and the client is informed of the error" when the the token was not issued >>> to the client making the revocation request? None of the defined error >>> codes seem to fit. >>> >>> Furthermore, wouldn't it be better to go ahead and just revoke a token >>> in the case it's presented by the wrong client? I seem to recall some >>> discussion around this when 7009 was just a baby >>> draft-ietf-oauth-revocation and, while I don't recall the outcome, I was >>> surprised to look at the RFC again and see the text that is there. >>> >>> These questions came to me by way of a developer working on implementing >>> the RFC. I didn't have good answers, beyond the prognostication herein, so >>> I thought I'd take the questions to the WG list and the document authors. >>> >>> Thanks for any clarification, >>> Brian >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> > > > _______________________________________________ > OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth > > > -- > [image: George Fletcher] <http://connect.me/gffletch> >
- [OAUTH-WG] Another question on RFC 7009 Brian Campbell
- Re: [OAUTH-WG] Another question on RFC 7009 Todd W Lainhart
- Re: [OAUTH-WG] Another question on RFC 7009 Thomas Broyer
- Re: [OAUTH-WG] Another question on RFC 7009 Brian Campbell
- Re: [OAUTH-WG] Another question on RFC 7009 George Fletcher
- Re: [OAUTH-WG] Another question on RFC 7009 Brian Campbell