Re: [OAUTH-WG] Multiple access tokens
Torsten Lodderstedt <torsten@lodderstedt.net> Sat, 10 March 2012 11:52 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D744121F861C for <oauth@ietfa.amsl.com>; Sat, 10 Mar 2012 03:52:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.248
X-Spam-Level:
X-Spam-Status: No, score=-2.248 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F6prHTSrSJa5 for <oauth@ietfa.amsl.com>; Sat, 10 Mar 2012 03:52:37 -0800 (PST)
Received: from smtprelay05.ispgateway.de (smtprelay05.ispgateway.de [80.67.31.99]) by ietfa.amsl.com (Postfix) with ESMTP id 9994B21F85A8 for <oauth@ietf.org>; Sat, 10 Mar 2012 03:52:35 -0800 (PST)
Received: from [91.2.79.237] (helo=[192.168.71.36]) by smtprelay05.ispgateway.de with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1S6Kqf-0002vp-4W; Sat, 10 Mar 2012 12:52:33 +0100
Message-ID: <4F5B407D.3060902@lodderstedt.net>
Date: Sat, 10 Mar 2012 12:52:29 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: Ross Boucher <rboucher@gmail.com>
References: <FF6EB619-5D3E-4B94-A322-D64BD596E015@gmail.com> <1331190726.92627.YahooMailNeo@web31805.mail.mud.yahoo.com> <4CDF0B28-5927-4584-8CAB-98ECCCD42843@gmail.com>
In-Reply-To: <4CDF0B28-5927-4584-8CAB-98ECCCD42843@gmail.com>
Content-Type: multipart/alternative; boundary="------------030006010201060307080601"
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Multiple access tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Mar 2012 11:52:38 -0000
Am 09.03.2012 00:15, schrieb Ross Boucher: > If the refresh token is revoked, the client application would seem to have no way to gain access to the third party resource again except through another explicit user generated authentication. Is that correct? On some level this may be desirable, since a compromised auth code also implies that whatever out of band authentication method is being used by the client has also been compromised. But then that would be true for all refresh tokens ever issued, rather than just ones stemming from the "poisoned" auth code. Why? my assumption would be that the attacker gained access to that particular authorization code (e.g. by wire tapping). This does not mean other refresh tokens for the same or other users have been comprimized as well. regards, Torsten. > > (Also, worth noting that I wasn't talking about user revocation, which definitely should revoke the refresh token). > > On Mar 7, 2012, at 11:12 PM, William Mills wrote: > >> You might want to put issuance time and other info in an access token. The spec is silent on your first question. >> >> On revocation: One of the reasons for short lived access tokens is to only revoke the refresh token, which has to be presented at a central server type rather than trying to extend revocation to all protected resources. So if you're in that model you would not bother revoking the access token. >> >> The use case I can see for invalidating access tokens and still honoring refresh tokens is the case where you might have had the access token symmetric secret compromised but not the refresh token secret. That's not really user revocation though. I don't se an actual user revocation of access that would not potentially kill both tokens and always kill the refresh token. >> >> >> >> >> >> >> ----- Original Message ----- >> From: Ross Boucher<rboucher@gmail.com> >> To: OAuth WG<oauth@ietf.org> >> Cc: >> Sent: Wednesday, March 7, 2012 6:14 PM >> Subject: [OAUTH-WG] Multiple access tokens >> >> The spec doesn't seem to have any recommendations on this point, but should an OAuth v2 API always return the same access token if the same client makes multiple requests? Is there any benefit to not generating a new access token for each request? Similarly, if you do generate new access tokens (as I am doing now), should you also generate new refresh tokens? >> >> An unrelated question about revoking access tokens when the same authorization code is used more than once: should refresh tokens also be revoked? And, if so, should any tokens issued with that refresh token then also be revoked? It seems simpler (if slightly less correct) to just revoke all access tokens for that specific client/resource pair in that case, rather than tracking the ancestry of all tokens. >> >> Thanks, >> Ross >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Multiple access tokens Ross Boucher
- Re: [OAUTH-WG] Multiple access tokens Torsten Lodderstedt
- Re: [OAUTH-WG] Multiple access tokens Torsten Lodderstedt
- Re: [OAUTH-WG] Multiple access tokens William Mills
- Re: [OAUTH-WG] Multiple access tokens Ross Boucher