Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review
Justin Richer <jricher@mitre.org> Thu, 24 January 2013 14:17 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 487A721F8A79 for <oauth@ietfa.amsl.com>; Thu, 24 Jan 2013 06:17:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.498
X-Spam-Level:
X-Spam-Status: No, score=-6.498 tagged_above=-999 required=5 tests=[AWL=0.101, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eEKniqCoiXiz for <oauth@ietfa.amsl.com>; Thu, 24 Jan 2013 06:17:19 -0800 (PST)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 9F01821F8A56 for <oauth@ietf.org>; Thu, 24 Jan 2013 06:17:19 -0800 (PST)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 0B06C1F22BE; Thu, 24 Jan 2013 09:17:19 -0500 (EST)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id EC9301F22FA; Thu, 24 Jan 2013 09:17:18 -0500 (EST)
Received: from [10.146.15.29] (129.83.31.58) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.2.318.4; Thu, 24 Jan 2013 09:17:18 -0500
Message-ID: <5101425A.6080905@mitre.org>
Date: Thu, 24 Jan 2013 09:16:58 -0500
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130106 Thunderbird/17.0.2
MIME-Version: 1.0
To: Anthony Nadalin <tonynad@microsoft.com>
References: <a7b55ec383284cee83ff199f0057acbb@BY2PR03MB041.namprd03.prod.outlook.com>
In-Reply-To: <a7b55ec383284cee83ff199f0057acbb@BY2PR03MB041.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.58]
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jan 2013 14:17:20 -0000
Not to jump in and answer for Torsten, but I thought I'd offer at least my understanding of the document: On 01/23/2013 06:54 PM, Anthony Nadalin wrote: > 1. Since not stated I assume that the Revocation Endpoint can exist on a different server from the Authorization server (or is it assumed that they are 1), if so how is the Revocation Endpoint found? It could be separate if your architecture can support that. It gets found the same way other OAuth endpoints get found -- configuration documents, some kind of discovery mechanism, or magic. Which is to say, that's not currently OAuth's problem. > 2. Any token type that is supported can be revoked, including refresh token ? That's the idea. We've implemented this on our OIDC server so that you can also revoke ID Tokens for session management purposes. > 3. Why does one have to send the token, can't this just be an auth_code ? You don't always use an auth code to get a token (think implicit, client credentials, assertion, or resource owner credentials flows), and auth codes are supposed to be thrown away after use anyway. > 4. Says CORS SHOULD be supported, I think a MAY be better here since a site may have issues supporting CORS If they have issues, which is to say "A good reason not to", then they don't have to support it. That's the semantics behind "SHOULD", and so it is fine here. > 5. Does not say but is the revocation to be immediate upon the return of the request ? This is implementation dependent. Large scale distributed implementations could have trouble making this "immediate", but small systems are more likely to be quick. From the client's perspective, if they get back a success response, they shouldn't count on that token being good anymore (see section 2 note about client behavior). > 6. Does the revocation of the access token also revoke the refresh token (if it was provided) ? Or is this a revocation policy decision ? That's a policy decision. > 7. Section 2 says "the client MUST NOT use this token again", well that seems odd, not sure this should be here as the client could try to use it gain, there is no need to put support in client to prevent this. Why would a client want to use a token that they just revoked? This is prescribing the desired correct behavior to a client so that client developers will do the right thing when they implement it. Isn't that the point of the spec? -- Justin
- Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Rev… Torsten Lodderstedt
- Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Rev… Anthony Nadalin
- Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Rev… Justin Richer
- Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Rev… Anthony Nadalin
- Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Rev… Justin Richer
- Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Rev… Anthony Nadalin
- Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Rev… Justin Richer
- Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Rev… Anthony Nadalin
- Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Rev… Justin Richer
- Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Rev… William Mills
- Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Rev… Anthony Nadalin