Re: [OAUTH-WG] Refresh Tokens

"William J. Mills" <wmills@yahoo-inc.com> Thu, 11 August 2011 18:21 UTC

References: <B26C1EF377CB694EAB6BDDC8E624B6E723B89B68@SN2PRD0302MB137.namprd03.prod.outlook.com> <D6EA09FB-21A1-40E8-93FF-5BB5E974D06B@gmail.com> <B26C1EF377CB694EAB6BDDC8E624B6E723B89BDE@SN2PRD0302MB137.namprd03.prod.outlook.com>
Message-ID: <1313086907.91165.YahooMailNeo@web31803.mail.mud.yahoo.com>
Date: Thu, 11 Aug 2011 11:21:47 -0700
From: "William J. Mills" <wmills@yahoo-inc.com>
To: Anthony Nadalin <tonynad@microsoft.com>, Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <B26C1EF377CB694EAB6BDDC8E624B6E723B89BDE@SN2PRD0302MB137.namprd03.prod.outlook.com>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Refresh Tokens

Does it want to be in the main definition or the security considerations section?



________________________________
From: Anthony Nadalin <tonynad@microsoft.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Sent: Thursday, August 11, 2011 11:15 AM
Subject: Re: [OAUTH-WG] Refresh Tokens

Many reasons, but none are explained in the specification

From: Dick Hardt [mailto:dick.hardt@gmail.com]
Sent: Thursday, August 11, 2011 10:51 AM
To: Anthony Nadalin
Cc: OAuth WG (oauth@ietf.org)
Subject: Re: [OAUTH-WG] Refresh Tokens

My recollection of refresh tokens was for security and revocation.

security: By having a short-lived access token, a compromised access token would limit the time an attacker would have access.

revocation: if the access token is self-contained, authorization can be revoked by not issuing new access tokens. A resource does not need to query the authorization server to see if the access token is valid. This simplifies access token validation and makes it easier to scale and support multiple authorization servers. There is a window of time when an access token is valid but authorization is revoked.

On 2011-08-11, at 10:40 AM, Anthony Nadalin wrote:


Nowhere in the specification is there an explanation for refresh tokens. The reason that the refresh token was introduced was for anonymity. The scenario is that a client asks the user for access. The user wants to grant the access but not tell the client the user's identity. By issuing the refresh token as an 'identifier' for the user (as well as other context data like the resource) it's possible now to let the client get access without revealing anything about the user. Recommend that the above explanation be included so developers understand why the refresh tokens are there.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth