Re: [OAUTH-WG] Refresh Tokens
Aiden Bell <aiden449@gmail.com> Fri, 12 August 2011 16:05 UTC
In-Reply-To: <88f4b10fcf44ac276be338f7eebd5634@lodderstedt-online.de>
Date: Fri, 12 Aug 2011 17:05:41 +0100
Message-ID: <CA+5SmTWBWYRXjstz+mSiLL4EKXKmWMHvjpn3j-zr75rgGANb1Q@mail.gmail.com>
From: Aiden Bell <aiden449@gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Refresh Tokens
List-Id: OAUTH WG <oauth.ietf.org>
In some sense, but it is an indirect consequence of the fact that the protocol is for granting access without requiring the revealing of user credentials, which in most (but not all) cases means hiding the user's identity on the system. In many cases, however, their identity is simply translated/embodied into the tokens exchanged, and the service using OAuth will expose identity. Therefore an implicit property is the negotiation of access to resources without revealing a user's identity ... but identity goes well beyond login credentials in most useful systems. Even then, you can use OAuth with login credentials (in native apps etc.) (4.3) to authenticate.

Because "identity" and "anonymity" may possibly be implemented using OAuth doesn't mean that it is an explicit design feature in OAuth itself. I think it is very dangerous to go down this route, as bringing explicit anonymity into the mix will confuse the purpose and scope of OAuth, when anonymity is a restriction on some system using OAuth. I don't see OAuth as being any more a system with anonymity properties than, say, my web browser. Depends on how you use it; entirely.

Aiden Bell

On 12 August 2011 16:10, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

> OAuth allows a client to access user resources without revealing the
> resource owner's identity to the client. Isn't this anonymity? I consider
> this an important property of the protocol.
>
> regards,
> Torsten.
>
> On Thu, 11 Aug 2011 21:00:54 -0400, Barry Leiba wrote:
>
>> This seems to need a chair to step in. Tony is taking a strong stand
>> and maintaining it:
>>
>> On Thu, Aug 11, 2011 at 1:40 PM, Anthony Nadalin
>> <tonynad@microsoft.com> wrote:
>>
>>> Nowhere in the specification is there explanation for refresh tokens. The
>>> reason that the Refresh token was introduced was for anonymity. The scenario
>>> is that a client asks the user for access. The user wants to grant the
>>> access but not tell the client the user's identity. By issuing the refresh
>>> token as an 'identifier' for the user (as well as other context data like
>>> the resource) it's possible now to let the client get access without
>>> revealing anything about the user. Recommend that the above explanation be
>>> included so developers understand why the refresh tokens are there.
>>
>> So far, though it's been only half a day, I've seen several posts
>> disagreeing with Tony, and none supporting any change to the text for
>> this. We're close to ending WGLC, so please post here if you agree
>> with Tony's suggested change. Otherwise, it looks like consensus is
>> against.
>>
>> Barry, as chair

--
------------------------------------------------------------------
Never send sensitive or private information via email unless it is encrypted. http://www.gnupg.org