Re: [OAUTH-WG] [Technical Errata Reported] RFC7009 (6663)

Warren Parad <wparad@rhosys.ch> Thu, 02 September 2021 06:42 UTC

In-Reply-To: <CAFvbn=Zsh87pxNr_uXiOBOQ__ZJrqGPrkyOJbY5h1WLGzkemqA@mail.gmail.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Thu, 02 Sep 2021 08:41:46 +0200
Message-ID: <CAJot-L0svK5tQ=ExTOYDybX-8zLC4omjKc6ggFcO8wUExA-5og@mail.gmail.com>
To: Ash Narayanan <ashvinnarayanan@gmail.com>
Cc: Thomas Broyer <t.broyer@gmail.com>, sdronia@gmx.de, IETF oauth WG <oauth@ietf.org>, mscurtescu@google.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_fPf3_Ekpo-FhABaTXY3vTDkp2c>

What's the point in passing arbitrary other information that is already
known by the AS and does not provide the level of security necessary to
prevent abuse of the revocation endpoint?

On Thu, Sep 2, 2021, 01:12 Ash Narayanan <ashvinnarayanan@gmail.com> wrote:

> Hi Thomas,
>
> The approach you've suggested sounds good. Passing just the client_id
> along with the token and type (regardless of client type) would be
> consistent with how refresh_token requests are structured. As long as the
> new RFC obsoletes this one.
>
> Ash
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
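The exchange under discussion is the RFC 7009 revocation request: a form-encoded POST carrying `token`, an optional `token_type_hint`, and (per the proposal in the quoted reply) the `client_id`, with confidential clients also authenticating per RFC 6749 section 2.3. The following is an added example, not code from the thread or from the RFC, modelling an authorization server's revocation endpoint so the two positions above can be seen in code: a public client can only name itself via `client_id`, which is not a secret, so the server's real protection is the check that the token was issued to the requesting client. The client identifiers, token values, `build_demo_server()` fixture and the choice of `invalid_request` for the ownership failure are constructed assumptions; RFC 7009 leaves that error code to the implementer.

```python
"""Model of an RFC 7009 token revocation endpoint (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs
import hmac

TOKEN_TYPES = ("access_token", "refresh_token")


@dataclass
class Client:
    client_id: str
    client_secret: Optional[str] = None  # None marks a public client (RFC 6749 §2.1)


@dataclass
class Token:
    value: str
    token_type: str   # "access_token" or "refresh_token"
    client_id: str    # client the token was issued to
    grant_id: str     # authorization grant the token derives from
    revoked: bool = False


@dataclass
class AuthorizationServer:
    clients: dict[str, Client]
    supported_types: set[str] = field(default_factory=lambda: set(TOKEN_TYPES))
    tokens: dict[tuple[str, str], Token] = field(default_factory=dict)

    def issue(self, token: Token) -> None:
        self.tokens[(token.token_type, token.value)] = token

    def _lookup(self, value: str, hint: Optional[str]) -> Optional[Token]:
        # The hint only orders the search; RFC 7009 §2.1 requires the server to
        # extend the search to all supported token types if the hint misses.
        order = [hint] + [t for t in TOKEN_TYPES if t != hint] if hint in TOKEN_TYPES else list(TOKEN_TYPES)
        for token_type in order:
            token = self.tokens.get((token_type, value))
            if token is not None:
                return token
        return None

    def revoke(self, form_body: str) -> tuple[int, dict]:
        """Handle POST /revoke; returns (http_status, json_body), {} for the empty 200."""
        params = {k: v[0] for k, v in parse_qs(form_body, keep_blank_values=True).items()}

        token_value = params.get("token")
        if not token_value:
            return 400, {"error": "invalid_request"}

        # Identify the caller. A confidential client must authenticate (RFC 6749
        # §2.3; client_secret in the body is modelled here). A public client can
        # only present client_id, which anyone who has seen the app knows.
        client = self.clients.get(params.get("client_id", ""))
        if client is None:
            return 401, {"error": "invalid_client"}
        if client.client_secret is not None:
            presented = params.get("client_secret", "")
            if not hmac.compare_digest(presented.encode(), client.client_secret.encode()):
                return 401, {"error": "invalid_client"}

        token = self._lookup(token_value, params.get("token_type_hint"))
        if token is None:
            # Unknown or already-invalid tokens are not an error (RFC 7009 §2.2).
            return 200, {}
        if token.token_type not in self.supported_types:
            return 400, {"error": "unsupported_token_type"}

        # The binding that actually protects the endpoint: the token must have
        # been issued to the client making the request (RFC 7009 §2.1).
        if token.client_id != client.client_id:
            return 400, {"error": "invalid_request"}  # assumption: code left open by the RFC

        token.revoked = True
        if token.token_type == "refresh_token":
            # RFC 7009 §2.1: revoking a refresh token SHOULD also invalidate the
            # access tokens based on the same authorization grant.
            for other in self.tokens.values():
                if other.grant_id == token.grant_id:
                    other.revoked = True
        return 200, {}


def build_demo_server() -> AuthorizationServer:
    """Constructed fixture: one confidential client, one public client, three tokens."""
    srv = AuthorizationServer(clients={
        "web-app": Client("web-app", "s3cret"),
        "spa": Client("spa"),
    })
    srv.issue(Token("rt-1", "refresh_token", "web-app", "grant-1"))
    srv.issue(Token("at-1", "access_token", "web-app", "grant-1"))
    srv.issue(Token("at-2", "access_token", "spa", "grant-2"))
    return srv


if __name__ == "__main__":
    srv = build_demo_server()
    # Public client revoking its own token: client_id alone identifies it.
    print(srv.revoke("token=at-2&token_type_hint=access_token&client_id=spa"))
    # Public client naming itself cannot revoke another client's token.
    print(srv.revoke("token=at-1&client_id=spa"))
    # Confidential client with a wrong hint: the search still finds the token.
    print(srv.revoke("token=rt-1&token_type_hint=access_token&client_id=web-app&client_secret=s3cret"))
```

The ownership check is what stops a third party who has learned a token from revoking it under an arbitrary `client_id`; the `client_id` parameter itself adds nothing a public client could not be impersonated with, which is the objection raised in the message above.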