[OAUTH-WG] Another question on RFC 7009
Brian Campbell <bcampbell@pingidentity.com> Fri, 31 January 2014 16:58 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E5321A1F7B for <oauth@ietfa.amsl.com>; Fri, 31 Jan 2014 08:58:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.912
X-Spam-Level:
X-Spam-Status: No, score=-2.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_SOFTFAIL=0.665] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 47AqdKh1bH_0 for <oauth@ietfa.amsl.com>; Fri, 31 Jan 2014 08:58:49 -0800 (PST)
Received: from na3sys009aog127.obsmtp.com (na3sys009aog127.obsmtp.com [74.125.149.107]) by ietfa.amsl.com (Postfix) with ESMTP id 699A11A1F65 for <oauth@ietf.org>; Fri, 31 Jan 2014 08:58:47 -0800 (PST)
Received: from mail-ig0-f179.google.com ([209.85.213.179]) (using TLSv1) by na3sys009aob127.postini.com ([74.125.148.12]) with SMTP ID DSNKUuvWQXd8cSt+pHnapVvbtrIjgWETjMr+@postini.com; Fri, 31 Jan 2014 08:58:44 PST
Received: by mail-ig0-f179.google.com with SMTP id c10so9870324igq.0 for <oauth@ietf.org>; Fri, 31 Jan 2014 08:58:32 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc :content-type; bh=xSDmWxFOX5EvkDyGUduv3L3OiOO+HseCvdOOGHqfcGU=; b=BvBjk9QHuygX+ZYCHkDxZkpew5It6+W/jP5p5IxvW5+L2HohW5dIPE2Pk9m0CsS8Wh SJRGFqmz9tYDOx3nKjqW1XeTa+YTDNmYXKM1XFKAXPpaoD2iRt7GRBXAMPLic8U7Omme be1jyJF30XuPWBiSeX8cuyjQubGVu4nQtF92kM4huDZrw/+m1HCSqlUIKEQsHph8lTI6 dsya99iSkzTAeYCCBlyy6JGaZLv+rbDG09EZRm+db2qCpPuMOimA4gv4/g1gW6nbX8Zc Lrl/5p3bFymLhlbm53ebHUMzMZre9+VBa+xcYFfNE2SsCnJBLq9QNj4+r8Z8xWvjECV0 dJ9A==
X-Gm-Message-State: ALoCoQkToT/d9Y3dWhoMmQ2nRj2krF5F8UyqQae8qR5cZdRQMPawU+dCJc8KNTLcVi3GWFldHFubHXTyatw6ONjp848xOhx3ZSuAA4lSOhQ4QQPTtKjvjviD9IZqtsCZ3jNyIag1au9VoCGSjpP4C/rwvybK1Eah7g==
X-Received: by 10.50.194.131 with SMTP id hw3mr20933845igc.4.1391187512171; Fri, 31 Jan 2014 08:58:32 -0800 (PST)
X-Received: by 10.50.194.131 with SMTP id hw3mr20933834igc.4.1391187512089; Fri, 31 Jan 2014 08:58:32 -0800 (PST)
MIME-Version: 1.0
Received: by 10.50.65.4 with HTTP; Fri, 31 Jan 2014 08:58:01 -0800 (PST)
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 31 Jan 2014 09:58:01 -0700
Message-ID: <CA+k3eCSNX43gFYUA8jGgFZ4Ri6nWQ=+R6Ru2j+v04r_2pZdQhA@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="14dae9340f7979886204f1471580"
Subject: [OAUTH-WG] Another question on RFC 7009
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jan 2014 16:58:51 -0000
Greetings WG, In section 2.1 of RFC 7009, it says: "The authorization server first validates the client credentials (in case of a confidential client) and then verifies whether the token was issued to the client making the revocation request. If this validation fails, the request is refused and the client is informed of the error by the authorization server as described below." The only error described below is "unsupported_token_type" which doesn't seem appropriate here. The errors in http://tools.ietf.org/html/rfc6749#section-5.2 are referenced too and, while "invalid_client" seems right for failed client authentication, what's the intended way that the "request is refused and the client is informed of the error" when the the token was not issued to the client making the revocation request? None of the defined error codes seem to fit. Furthermore, wouldn't it be better to go ahead and just revoke a token in the case it's presented by the wrong client? I seem to recall some discussion around this when 7009 was just a baby draft-ietf-oauth-revocation and, while I don't recall the outcome, I was surprised to look at the RFC again and see the text that is there. These questions came to me by way of a developer working on implementing the RFC. I didn't have good answers, beyond the prognostication herein, so I thought I'd take the questions to the WG list and the document authors. Thanks for any clarification, Brian
- [OAUTH-WG] Another question on RFC 7009 Brian Campbell
- Re: [OAUTH-WG] Another question on RFC 7009 Todd W Lainhart
- Re: [OAUTH-WG] Another question on RFC 7009 Thomas Broyer
- Re: [OAUTH-WG] Another question on RFC 7009 Brian Campbell
- Re: [OAUTH-WG] Another question on RFC 7009 George Fletcher
- Re: [OAUTH-WG] Another question on RFC 7009 Brian Campbell