Re: [OAUTH-WG] Access Token Response without expires_in

Paul Madsen <paul.madsen@gmail.com> Tue, 17 January 2012 17:56 UTC

Message-ID: <4F15B62A.5070001@gmail.com>
Date: Tue, 17 Jan 2012 12:55:54 -0500
From: Paul Madsen <paul.madsen@gmail.com>
To: William Mills <wmills@yahoo-inc.com>
References: <90C41DD21FB7C64BB94121FBBC2E723453A754C549@P3PW5EX1MB01.EX1.SECURESERVER.NET> <E4309A9E-9BC7-4547-918A-224B6233B25C@mitre.org> <4F157659.7050701@gmail.com> <1326819620.50670.YahooMailNeo@web31804.mail.mud.yahoo.com>
In-Reply-To: <1326819620.50670.YahooMailNeo@web31804.mail.mud.yahoo.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Access Token Response without expires_in

scope sometimes feels like SAML authncontext - anything can go in there :-)

As I said to Torsten, perhaps an extension is overkill. Just looking for 
a best practice.

On 1/17/12 12:00 PM, William Mills wrote:
> Does this require an extension?  That seems something easy to overload 
> on scope.
>
> ------------------------------------------------------------------------
> *From:* Paul Madsen <paul.madsen@gmail.com>
> *To:* "Richer, Justin P." <jricher@mitre.org>
> *Cc:* OAuth WG <oauth@ietf.org>
> *Sent:* Tuesday, January 17, 2012 5:23 AM
> *Subject:* Re: [OAUTH-WG] Access Token Response without expires_in
>
> Separate from the question posed here, we are seeing customer demand 
> for one-time semantics, but agree with Justin that this would best 
> belong in a dedicated extension parameter and not the default.
>
> paul
>
> On 1/16/12 10:29 PM, Richer, Justin P. wrote:
>> I think #3.
>>
>> #1 will be a common instance, and #2 (or its variant, a limited number of uses) is a different expiration pattern than time that would want to have its own expiration parameter name. I haven't seen enough concrete use of this pattern to warrant its own extension though.
>>
>> Which is why I vote #3 - it's a configuration issue. Perhaps we should rather say that the AS "SHOULD document the token behavior in the absence of this parameter, which may include the token not expiring until explicitly revoked, expiring after a set number of uses, or other expiration behavior." That's a lot of words here though.
>>
>>   -- Justin
>>
>> On Jan 16, 2012, at 1:53 PM, Eran Hammer wrote:
>>
>>> A question came up about the access token expiration when expires_in is not included in the response. This should probably be made clearer in the spec. The three options are:
>>>
>>> 1. Does not expire (but can be revoked)
>>> 2. Single use token
>>> 3. Defaults to whatever the authorization server decides and until revoked
>>>
>>> #3 is the assumed answer given the WG history. I'll note that in the spec, but wanted to make sure this is the explicit WG consensus.
>>>
>>> EHL
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/oauth
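A client-side way to act on option #3 (expires_in absent means the lifetime is the AS's decision and the token stays usable until it is rejected or revoked), added here as an example rather than code from the thread; the sample token responses are constructed, and treating a bearer challenge carrying error="invalid_token" as the resource server's "this token is dead" signal is an assumption of the example.

```python
import json
import time

# Constructed sample token responses (not taken from the thread).
RESPONSE_WITH_EXPIRY = '{"access_token":"tok-A","token_type":"bearer","expires_in":3600}'
RESPONSE_NO_EXPIRY = '{"access_token":"tok-B","token_type":"bearer"}'

CLOCK_SKEW_SECONDS = 30  # refresh a little early rather than use a token at its last second


def parse_token_response(body, now=None):
    """Parse a token response and record the client's local expiry policy.

    Option #3 from the thread: without expires_in the client has no local deadline
    and must treat the token as valid until the resource server rejects it or the AS
    revokes it. With expires_in, compute an absolute deadline from the issue time.
    """
    now = time.time() if now is None else now
    data = json.loads(body)
    token = {"access_token": data["access_token"], "token_type": data["token_type"]}
    if "expires_in" in data:
        lifetime = int(data["expires_in"])
        if lifetime <= 0:
            raise ValueError("expires_in must be a positive number of seconds")
        token["expires_at"] = now + lifetime
    else:
        token["expires_at"] = None  # unknown lifetime: nothing to check locally
    return token


def needs_refresh(token, now=None):
    """True when the client should refresh before use; only a known deadline can trigger it."""
    now = time.time() if now is None else now
    if token["expires_at"] is None:
        return False  # rely on the resource server to reject a token that has expired
    return now + CLOCK_SKEW_SECONDS >= token["expires_at"]


def handle_resource_error(token, www_authenticate):
    """Decide what to do with a 401 from the resource server.

    For a token issued without expires_in, an invalid_token challenge is the only
    expiry signal the client ever gets (assumed bearer-challenge format).
    """
    if 'error="invalid_token"' in www_authenticate:
        token["expires_at"] = 0  # mark it dead so needs_refresh() now reports True
        return "refresh"
    return "fail"  # e.g. insufficient_scope: refreshing will not help
```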