Re: [OAUTH-WG] Single transaction token

William Mills <wmills@yahoo-inc.com> Wed, 09 November 2011 04:48 UTC

Date: Tue, 08 Nov 2011 20:48:36 -0800
From: William Mills <wmills@yahoo-inc.com>
To: Declan Newman <declan.newman@semantico.com>
Cc: Will Simpson <will.simpson@semantico.com>, Geoffrey Bilder <gbilder@crossref.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Single transaction token

Nothing here is at all in variance with the OAuth 2 spec.  Everything you're talking about fits nicely into the "put your own application data into an opaque token" approach.



________________________________
From: Declan Newman <declan.newman@semantico.com>
To: William Mills <wmills@yahoo-inc.com>
Cc: oauth@ietf.org; Geoffrey Bilder <gbilder@crossref.org>; Will Simpson <will.simpson@semantico.com>
Sent: Tuesday, November 8, 2011 2:36 PM
Subject: Re: [OAUTH-WG] Single transaction token


Thanks very much for your thoughts.

With your comments in mind, our current thinking is that the initial request's scope will determine the access token's life.

If a 'write scope' is requested, a write-lock is placed on the corresponding record and the token is valid for one write operation (with a short expires_in), after which the write-lock is released and the token's expires timestamp is set to a time in the past, allowing the caller to use a refresh token to resume read-only operations using a newly created access token.

In this scenario, the "expires_in" value will be used to revoke the access token, rather than an explicit delete.

I'd be really interested in getting people's views on how this adheres to the current OAuth 2 specification.

Thanks again,

Dec



On 8 Nov 2011, at 15:35, William Mills wrote:

>The problem is that the token has no state about the transaction.  Is the transaction already determined when the token is issued?  If so then put the transaction data in the token and make it non-repeatable.
>
>
>If this is an auth token for an arbitrary single action you have to put some form of replay protection on the protected resource, or you can immediately revoke the token after use against a revocation API and make sure the RP is checking for revoked tokens against the same API/endpoint.  You do have a race here, so you have to sort out what you'll make synchronous calls against for this.
>
>
>Regards,
>
>
>-bill
>
>
>
>
>________________________________
>From: Declan Newman <declan.newman@semantico.com>
>To: oauth@ietf.org
>Cc: Will Simpson <will.simpson@semantico.com>; Geoffrey Bilder <gbilder@crossref.org>
>Sent: Tuesday, November 8, 2011 1:58 AM
>Subject: [OAUTH-WG] Single transaction token
>
>
>Hello,
>
>
>We're currently implementing an OAuth 2 provider for a client who needs to have the facility to authenticate/authorise a client to update in a single transaction.
>
>
>Is there a way to specify the validity of a token on a per-transaction basis, as opposed to a timeframe?
>
>
>Any help much appreciated.
>
>
>Regards,
>
>
>Dec
>
>
>----------------------------------------------------------------------------
>Declan Newman, Development Team Leader,
>Semantico, Floor 1, 21-23 Dyke Road, Brighton BN1 3FE
><mailto:Declan.Newman@semantico.com>
><tel:+44-1273-358247> 
>
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth
>
>
>

----------------------------------------------------------------------------
Declan Newman, Development Team Leader,
Semantico, Floor 1, 21-23 Dyke Road, Brighton BN1 3FE
<mailto:Declan.Newman@semantico.com>
<tel:+44-1273-358247>
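The first option Bill describes in the quoted thread (transaction already known at issue time: put the transaction data in the token and make it non-repeatable, with replay protection on the protected resource), as an added example that is not code from either poster or from Semantico's provider. It assumes a single HMAC key shared between the authorization server and the resource server, the scope string "read write", record identifiers of the form "doi:...", and that the resource server keeps the list of consumed token ids at least until the token's exp has passed; all of these are assumptions for the example.

```python
"""Single-use, transaction-bound OAuth 2 bearer token (added example).

Hypothetical design, not the list posters' code: the authorization server
(AS) embeds the transaction (record id + operation) in an HMAC-protected
opaque token with a short life, and the resource server (RS) enforces
single use by atomically recording the token id (jti) the first time the
token is accepted.  Shared key, scope names and record ids are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import threading
import time

KEY = b"demo-shared-key-between-AS-and-RS"  # assumption: AS and RS share this key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub, scope, record, op, ttl, now) -> str:
    """AS side: bind the token to exactly one transaction and give it a short life."""
    claims = {
        "jti": secrets.token_hex(16),  # unique id the RS uses for replay detection
        "sub": sub, "scope": scope, "record": record, "op": op,
        "exp": int(now) + ttl,
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"  # opaque to the client; only AS and RS can read/verify it


class ResourceServer:
    def __init__(self):
        self._used = set()            # jti values already consumed
        self._lock = threading.Lock()  # makes check-and-mark atomic
        self.records = {}

    def _verify(self, token, now):
        body, _, tag = token.partition(".")
        want = _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(want, tag):
            return None, "invalid_signature"
        claims = json.loads(_unb64(body))
        if now >= claims["exp"]:
            return None, "expired"
        return claims, None

    def write(self, token, record, value, now):
        """One write against `record`; returns an outcome string."""
        claims, err = self._verify(token, now)
        if err:
            return err
        if "write" not in claims["scope"].split():
            return "insufficient_scope"
        if claims["record"] != record or claims["op"] != "write":
            return "wrong_transaction"
        # Replay protection: two concurrent presentations of the same token
        # cannot both pass, because the check and the mark happen under one lock.
        with self._lock:
            if claims["jti"] in self._used:
                return "replayed"
            self._used.add(claims["jti"])
        self.records[record] = value
        return "ok"


def demo():
    """Exercise the happy path and each rejection; sample data is constructed."""
    now = time.time()
    rs = ResourceServer()
    tok = issue_token("alice", "read write", "doi:10.1000/xyz", "write", 30, now)
    tok2 = issue_token("alice", "read write", "doi:10.1000/xyz", "write", 30, now)
    # Forge: re-point tok2 at another record without re-signing it.
    body, tag = tok2.split(".")
    forged_claims = json.loads(_unb64(body))
    forged_claims["record"] = "doi:10.1000/other"
    forged = _b64(json.dumps(forged_claims, sort_keys=True).encode()) + "." + tag
    return [
        rs.write(tok, "doi:10.1000/xyz", {"title": "v2"}, now + 1),    # ok
        rs.write(tok, "doi:10.1000/xyz", {"title": "v3"}, now + 2),    # replayed
        rs.write(tok2, "doi:10.1000/other", {}, now + 2),              # wrong_transaction
        rs.write(tok2, "doi:10.1000/xyz", {}, now + 60),               # expired
        rs.write(forged, "doi:10.1000/other", {}, now + 2),            # invalid_signature
    ]


if __name__ == "__main__":
    print(demo())
```

The lock around the check-and-mark is the synchronous step Bill's race comment is about: with several resource-server nodes the `_used` set has to become a shared store with an atomic insert-if-absent, and entries only need to live until the token's exp, because `_verify` rejects anything older on its own. Because the token carries the record and operation, a token issued for one write cannot be spent on a different record even before it is consumed.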