Re: [OAUTH-WG] survey: token revocation design options
Justin Richer <jricher@mitre.org> Tue, 17 August 2010 13:53 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5A4473A687B for <oauth@core3.amsl.com>; Tue, 17 Aug 2010 06:53:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.478
X-Spam-Level:
X-Spam-Status: No, score=-6.478 tagged_above=-999 required=5 tests=[AWL=0.121, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CXcRDzH7-Z7P for <oauth@core3.amsl.com>; Tue, 17 Aug 2010 06:53:12 -0700 (PDT)
Received: from smtp-bedford.mitre.org (smtp-bedford.mitre.org [129.83.20.191]) by core3.amsl.com (Postfix) with ESMTP id 2781E3A6855 for <oauth@ietf.org>; Tue, 17 Aug 2010 06:53:12 -0700 (PDT)
Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id o7HDrlFK009014 for <oauth@ietf.org>; Tue, 17 Aug 2010 09:53:47 -0400
Received: from imchub2.MITRE.ORG (imchub2.mitre.org [129.83.29.74]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id o7HDrkjG009007; Tue, 17 Aug 2010 09:53:46 -0400
Received: from [129.83.50.65] (129.83.50.65) by imchub2.MITRE.ORG (129.83.29.74) with Microsoft SMTP Server id 8.2.254.0; Tue, 17 Aug 2010 09:53:46 -0400
From: Justin Richer <jricher@mitre.org>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
In-Reply-To: <4C69A909.2060006@lodderstedt.net>
References: <4C69A909.2060006@lodderstedt.net>
Content-Type: text/plain; charset="UTF-8"
Date: Tue, 17 Aug 2010 09:53:46 -0400
Message-ID: <1282053226.12385.43.camel@localhost.localdomain>
MIME-Version: 1.0
X-Mailer: Evolution 2.28.3
Content-Transfer-Encoding: 8bit
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] survey: token revocation design options
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Aug 2010 13:53:13 -0000
+2 ;)
I don't like the use of the DELETE method, it feels too much like
overloading the semantics of the HTTP definitions. And as you outline
below, there are a few obstacles on it to make it really workable
anyway.
Another option not laid out below is a parameter on the token endpoint
to suggest revocation and/or modification. However, with the new
language around grant_types and the like, this makes less sense than it
used to.
-- Justin
On Mon, 2010-08-16 at 17:09 -0400, Torsten Lodderstedt wrote:
> Hi all,
>
> I intend to submit a I-D for token revocation. Based on previous
> discussions on the mailing list and here at Deutsche Telekom, I see a
> couple of design options. I would like to share those options with the
> WG and try to reach consensus on a single option before investing the
> time to write the I-D.
>
> 1) HTTP Delete on tokens endpoint
>
> DELETE seems a natural way for revoking (deleting) tokens. Although the
> HTTP spec is a bit vaque in this concern, current practice prohibits a
> body for DELETE requests. So the token must be addressed by the
> request's URI. Lets assume the token is passed as URI query parameter as
> follows:
>
> DELETE /tokens?refresh_token=8xLOxBtZp8&&&# HTTP/1.1
> Authorization: BASIC czZCaGRSa3F0Mzo4ZVNFSXBucW1N
>
> But is it advisable to pass tokens as URI query parameters? The current
> character set definition for access tokens (§5.1.1) is not URL-safe
> since it includes URI reserved characters (e.g. '/'). Additionally,
> there is no definition of a refresh tokens character set. So compliant
> authorization servers could issue tokens, which cannot be safely passed
> as URI query parameters.
>
> Note: As an additional challenge, self-contained tokens can be very
> large. So passing them as URI parameter may exceed URL length limits.
>
> I see the following alternatives to cope with the encoding problem:
>
> a) Force usage of a URL-safe character set for access and request tokens.
> - rather restrictive, will most likely collide with existing token formats
> - does not solve URL length problem
>
> b) Force base64-URL-safe encoding for all tokens on transit.
> - does not solve URL length problem
> - significant API change
>
> c) Authorization servers supporting revocation may additionally issue a
> URL-safe token id in the access token response. This id is used to
> reference the token in DELETE requests.
>
> HTTP/1.1 200 OK
> Content-Type: application/json
> Cache-Control: no-store
> {
> "access_token":"SlAV32hkKG/hhh/&%",
> "access_token_id":"234567890",
> "expires_in":3600,
> "refresh_token":"8xLOxBtZp8&&&#&",
> "refresh_token_id":"asdfghjklhgf"
> }
>
>
> DELETE /tokens?refresh_token_id=asdfghjklhgf HTTP/1.1
> Authorization: BASIC czZCaGRSa3F0Mzo4ZVNFSXBucW1N
>
> Note: Since tokens become addressable resources on the authz server, one
> could also query or modify token data using a GET/PUT requests
>
> GET /tokens?refresh_token_id=asdfghjklhgf HTTP/1.1
> Authorization: BASIC czZCaGRSa3F0Mzo4ZVNFSXBucW1N
>
> HTTP/1.1 200 OK
> Content-Type: application/json
> Cache-Control: no-store
>
> {
> "scope":"abc",
> "issued_on":"08/11/2010",
> "last_usage":"08/13/2010"
> }
>
>
> 2) HTTP Post on dedicated revocation endpoint
>
> An additional endpoint is used to revoke tokens. The token to be revoked
> is sent as request body parameter.
>
> POST /revocation HTTP/1.1
> Host: server.example.com
> Content-Type: application/x-www-form-urlencoded
> Authorization: BASIC czZCaGRSa3F0Mzo4ZVNFSXBucW1N
>
> refresh_token=n4E9O119d
>
> This option requires some support for the client to discover the
> revocation endpoint.
>
> Please indicate your prefered option (1a, 1b, 1c, and 2) or suggest
> additional design options.
>
> regards,
> Torsten.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] survey: token revocation design options Torsten Lodderstedt
- Re: [OAUTH-WG] survey: token revocation design op… Igor Faynberg
- Re: [OAUTH-WG] survey: token revocation design op… Lukas Rosenstock
- Re: [OAUTH-WG] survey: token revocation design op… Justin Richer
- Re: [OAUTH-WG] survey: token revocation design op… Torsten Lodderstedt
- Re: [OAUTH-WG] survey: token revocation design op… Torsten Lodderstedt
- Re: [OAUTH-WG] survey: token revocation design op… Igor Faynberg
- Re: [OAUTH-WG] survey: token revocation design op… Stefanie Dronia
- Re: [OAUTH-WG] survey: token revocation design op… Marius Scurtescu
- Re: [OAUTH-WG] survey: token revocation design op… Torsten Lodderstedt
- Re: [OAUTH-WG] survey: token revocation design op… Torsten Lodderstedt