IETF Logo Mail Archive

Re: [OAUTH-WG] Another question on RFC 7009

Todd W Lainhart <lainhart@us.ibm.com> Fri, 31 January 2014 17:06 UTC

Return-Path: <lainhart@us.ibm.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A5051A1F4A for <oauth@ietfa.amsl.com>; Fri, 31 Jan 2014 09:06:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.435
X-Spam-Level:
X-Spam-Status: No, score=-7.435 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c5_jGQ5iDiO7 for <oauth@ietfa.amsl.com>; Fri, 31 Jan 2014 09:06:29 -0800 (PST)
Received: from e7.ny.us.ibm.com (e7.ny.us.ibm.com [32.97.182.137]) by ietfa.amsl.com (Postfix) with ESMTP id E3F381A0459 for <oauth@ietf.org>; Fri, 31 Jan 2014 09:06:28 -0800 (PST)
Received: from /spool/local by e7.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for <oauth@ietf.org> from <lainhart@us.ibm.com>; Fri, 31 Jan 2014 12:06:25 -0500
Received: from d01dlp01.pok.ibm.com (9.56.250.166) by e7.ny.us.ibm.com (192.168.1.107) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Fri, 31 Jan 2014 12:06:23 -0500
Received: from b01cxnp22033.gho.pok.ibm.com (b01cxnp22033.gho.pok.ibm.com [9.57.198.23]) by d01dlp01.pok.ibm.com (Postfix) with ESMTP id 5EDF938C8027; Fri, 31 Jan 2014 12:06:23 -0500 (EST)
Received: from d01av04.pok.ibm.com (d01av04.pok.ibm.com [9.56.224.64]) by b01cxnp22033.gho.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id s0VH6N1a6881654; Fri, 31 Jan 2014 17:06:23 GMT
Received: from d01av04.pok.ibm.com (localhost [127.0.0.1]) by d01av04.pok.ibm.com (8.14.4/8.14.4/NCO v10.0 AVout) with ESMTP id s0VH6M0C019380; Fri, 31 Jan 2014 12:06:22 -0500
Received: from d01ml255.pok.ibm.com (d01ml255.pok.ibm.com [9.63.10.54]) by d01av04.pok.ibm.com (8.14.4/8.14.4/NCO v10.0 AVin) with ESMTP id s0VH6LVJ019124; Fri, 31 Jan 2014 12:06:21 -0500
In-Reply-To: <CA+k3eCSNX43gFYUA8jGgFZ4Ri6nWQ=+R6Ru2j+v04r_2pZdQhA@mail.gmail.com>
References: <CA+k3eCSNX43gFYUA8jGgFZ4Ri6nWQ=+R6Ru2j+v04r_2pZdQhA@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
MIME-Version: 1.0
X-KeepSent: DA940505:5D93BC11-85257C71:005DCB58; type=4; name=$KeepSent
X-Mailer: Lotus Notes Release 8.5.3FP5 August 01, 2013
Message-ID: <OFDA940505.5D93BC11-ON85257C71.005DCB58-85257C71.005DF5C2@us.ibm.com>
From: Todd W Lainhart <lainhart@us.ibm.com>
Date: Fri, 31 Jan 2014 12:06:17 -0500
X-MIMETrack: Serialize by Router on D01ML255/01/M/IBM(Release 9.0.1IF1|November 26, 2013) at 01/31/2014 12:06:21, Serialize complete at 01/31/2014 12:06:21
Content-Type: multipart/alternative; boundary="=_alternative 005DF5C285257C71_="
X-TM-AS-MML: disable
X-Content-Scanned: Fidelis XPS MAILER
x-cbid: 14013117-5806-0000-0000-0000240764AE
Cc: oauth <oauth@ietf.org>, OAuth <oauth-bounces@ietf.org>
Subject: Re: [OAUTH-WG] Another question on RFC 7009
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jan 2014 17:06:31 -0000

> ...what's the intended way that the "request is refused and the client 
is informed of the error" when the the token was not issued to the client 
making the revocation request?

We return an error_code of "invalid_request" and an appropriate error 
message.





Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
lainhart@us.ibm.com




From:   Brian Campbell <bcampbell@pingidentity.com>
To:     oauth <oauth@ietf.org>, 
Date:   01/31/2014 11:58 AM
Subject:        [OAUTH-WG] Another question on RFC 7009
Sent by:        "OAuth" <oauth-bounces@ietf.org>



Greetings WG,

In section 2.1 of RFC 7009, it says:

   "The authorization server first validates the client credentials (in
   case of a confidential client) and then verifies whether the token
   was issued to the client making the revocation request.  If this
   validation fails, the request is refused and the client is informed
   of the error by the authorization server as described below."

The only error described below is "unsupported_token_type" which doesn't 
seem appropriate here. The errors in 
http://tools.ietf.org/html/rfc6749#section-5.2 are referenced too and, 
while "invalid_client" seems right for failed client authentication, 
what's the intended way that the "request is refused and the client is 
informed of the error" when the the token was not issued to the client 
making the revocation request? None of the defined error codes seem to 
fit.

Furthermore, wouldn't it be better to go ahead and just revoke a token in 
the case it's presented by the wrong client? I seem to recall some 
discussion around this when 7009 was just a baby 
draft-ietf-oauth-revocation and, while I don't recall the outcome, I was 
surprised to look at the RFC again and see the text that is there.

These questions came to me by way of a developer working on implementing 
the RFC. I didn't have good answers, beyond the prognostication herein, so 
I thought I'd take the questions to the WG list and the document authors.

Thanks for any clarification,
Brian

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email