Re: [OAUTH-WG] Another question on RFC 7009
Todd W Lainhart <lainhart@us.ibm.com> Fri, 31 January 2014 17:06 UTC
> ...what's the intended way that the "request is refused and the client is informed of the error" when the token was not issued to the client making the revocation request?

We return an error_code of "invalid_request" and an appropriate error message.

Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
lainhart@us.ibm.com

From: Brian Campbell <bcampbell@pingidentity.com>
To: oauth <oauth@ietf.org>
Date: 01/31/2014 11:58 AM
Subject: [OAUTH-WG] Another question on RFC 7009
Sent by: "OAuth" <oauth-bounces@ietf.org>

Greetings WG,

In section 2.1 of RFC 7009, it says:

"The authorization server first validates the client credentials (in case of a confidential client) and then verifies whether the token was issued to the client making the revocation request. If this validation fails, the request is refused and the client is informed of the error by the authorization server as described below."

The only error described below is "unsupported_token_type", which doesn't seem appropriate here. The errors in http://tools.ietf.org/html/rfc6749#section-5.2 are referenced too and, while "invalid_client" seems right for failed client authentication, what's the intended way that the "request is refused and the client is informed of the error" when the token was not issued to the client making the revocation request? None of the defined error codes seem to fit.

Furthermore, wouldn't it be better to go ahead and just revoke a token in the case it's presented by the wrong client? I seem to recall some discussion around this when 7009 was just a baby draft-ietf-oauth-revocation and, while I don't recall the outcome, I was surprised to look at the RFC again and see the text that is there.

These questions came to me by way of a developer working on implementing the RFC. I didn't have good answers, beyond the prognostication herein, so I thought I'd take the questions to the WG list and the document authors.
Thanks for any clarification,
Brian
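The following is an added example, not code from the thread or from any of the participants: a minimal RFC 7009 revocation-endpoint decision routine showing the order of checks the quoted section 2.1 describes (client authentication, then token ownership) and the error code this reply uses for the ownership failure ("invalid_request"). Client ids, secrets and token values are constructed sample data; the 200 response for unknown tokens follows RFC 7009 section 2.2.

```python
"""RFC 7009 revocation endpoint: decision logic only (added example)."""
from dataclasses import dataclass, field

@dataclass
class Token:
    value: str
    client_id: str          # client the token was issued to
    token_type: str         # "access_token" or "refresh_token"
    revoked: bool = False

# Constructed sample registry: secret None means a public client.
CLIENTS = {"client-a": "secret-a", "client-b": "secret-b", "client-pub": None}
TOKENS = {
    "tok-1": Token("tok-1", "client-a", "refresh_token"),
    "tok-2": Token("tok-2", "client-pub", "access_token"),
}
SUPPORTED_HINTS = {"access_token", "refresh_token"}

def revoke(params, client_id, client_secret=None):
    """Return (http_status, json_body) for one revocation request.

    params: the POST form fields ("token", optional "token_type_hint").
    client_id / client_secret: credentials presented by the caller."""
    # Step 1 (RFC 7009 2.1): validate client credentials for confidential
    # clients. Failure maps to RFC 6749 5.2 "invalid_client".
    if client_id not in CLIENTS:
        return 401, {"error": "invalid_client"}
    expected = CLIENTS[client_id]
    if expected is not None and client_secret != expected:
        return 401, {"error": "invalid_client"}
    token_value = params.get("token")
    if not token_value:
        return 400, {"error": "invalid_request"}
    hint = params.get("token_type_hint")
    if hint is not None and hint not in SUPPORTED_HINTS:
        # The only error RFC 7009 itself defines for this endpoint.
        return 400, {"error": "unsupported_token_type"}
    token = TOKENS.get(token_value)
    # Unknown or already-invalid token: RFC 7009 2.2 says answer 200 so the
    # endpoint cannot be used to probe which token strings exist.
    if token is None or token.revoked:
        return 200, {}
    # Step 2 (RFC 7009 2.1): the token must have been issued to this client.
    # Per this reply, the request is refused with "invalid_request" and the
    # token itself is left untouched.
    if token.client_id != client_id:
        return 400, {"error": "invalid_request"}
    token.revoked = True
    return 200, {}
```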