IETF Logo Mail Archive

Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review

Justin Richer <jricher@mitre.org> Thu, 24 January 2013 14:17 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 487A721F8A79 for <oauth@ietfa.amsl.com>; Thu, 24 Jan 2013 06:17:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.498
X-Spam-Level:
X-Spam-Status: No, score=-6.498 tagged_above=-999 required=5 tests=[AWL=0.101, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eEKniqCoiXiz for <oauth@ietfa.amsl.com>; Thu, 24 Jan 2013 06:17:19 -0800 (PST)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 9F01821F8A56 for <oauth@ietf.org>; Thu, 24 Jan 2013 06:17:19 -0800 (PST)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 0B06C1F22BE; Thu, 24 Jan 2013 09:17:19 -0500 (EST)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id EC9301F22FA; Thu, 24 Jan 2013 09:17:18 -0500 (EST)
Received: from [10.146.15.29] (129.83.31.58) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.2.318.4; Thu, 24 Jan 2013 09:17:18 -0500
Message-ID: <5101425A.6080905@mitre.org>
Date: Thu, 24 Jan 2013 09:16:58 -0500
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130106 Thunderbird/17.0.2
MIME-Version: 1.0
To: Anthony Nadalin <tonynad@microsoft.com>
References: <a7b55ec383284cee83ff199f0057acbb@BY2PR03MB041.namprd03.prod.outlook.com>
In-Reply-To: <a7b55ec383284cee83ff199f0057acbb@BY2PR03MB041.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.58]
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jan 2013 14:17:20 -0000

Not to jump in and answer for Torsten, but I thought I'd  offer at least 
my understanding of the document:

On 01/23/2013 06:54 PM, Anthony Nadalin wrote:
> 1.       Since not stated I assume that the Revocation Endpoint can exist on a different server from the Authorization server (or is it assumed that they are 1), if so how is the Revocation Endpoint found?
It could be separate if your architecture can support that. It gets 
found the same way other OAuth endpoints get found -- configuration 
documents, some kind of discovery mechanism, or magic. Which is to say, 
that's not currently OAuth's problem.

> 2.       Any token type that is supported can be revoked, including refresh token ?
That's the idea. We've implemented this on our OIDC server so that you 
can also revoke ID Tokens for session management purposes.

> 3.       Why does one have to send the token, can't this just be an auth_code ?
You don't always use an auth code to get a token (think implicit, client 
credentials, assertion, or resource owner credentials flows), and auth 
codes are supposed to be thrown away after use anyway.

> 4.       Says CORS SHOULD be supported, I think a MAY be better here since a site may have issues supporting CORS
If they have issues, which is to say "A good reason not to", then they 
don't have to support it. That's the semantics behind "SHOULD", and so 
it is fine here.

> 5.       Does not say but is the revocation to be immediate upon the return of the request ?
This is implementation dependent. Large scale distributed 
implementations could have trouble making this "immediate", but small 
systems are more likely to be quick. From the client's perspective, if 
they get back a success response, they shouldn't count on that token 
being good anymore (see section 2 note about client behavior).

> 6.       Does the revocation of the access token also revoke the refresh token (if it was provided) ? Or is this a revocation policy decision ?
That's a policy decision.

> 7.       Section 2 says "the client MUST NOT use this token again", well that seems odd, not sure this should be here as the client could try to use it gain, there is no need to put support in client to prevent this.
Why would a client want to use a token that they just revoked? This is 
prescribing the desired correct behavior to a client so that client 
developers will do the right thing when they implement it. Isn't that 
the point of the spec?

  -- Justin

v2.23.0 | Report a Bug | By Email