Re: [OAUTH-WG] Refresh Tokens
Dick Hardt <dick.hardt@gmail.com> Thu, 11 August 2011 20:43 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB1BE21F8B7F for <oauth@ietfa.amsl.com>; Thu, 11 Aug 2011 13:43:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jptK2zRLoffK for <oauth@ietfa.amsl.com>; Thu, 11 Aug 2011 13:43:33 -0700 (PDT)
Received: from mail-yi0-f44.google.com (mail-yi0-f44.google.com [209.85.218.44]) by ietfa.amsl.com (Postfix) with ESMTP id D47B521F8B7D for <oauth@ietf.org>; Thu, 11 Aug 2011 13:43:32 -0700 (PDT)
Received: by yie12 with SMTP id 12so1869549yie.31 for <oauth@ietf.org>; Thu, 11 Aug 2011 13:44:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer; bh=rgYvhpPZiud1INN8GlJW0E6o8/P27q8ZFtPpfmvzbZU=; b=mormmLDbciOxXzY26wFoJG3dkcfxWW/b2hjiX7Hg4b3QxTIuFX5ZKT3cbSaRqdrW8M xIabpjjEhQi3AKouIuzz+7t0W5N/2FPqnZ/Hgdi6pmEQGV83Fql8JZaSuC34A/xSNF68 iMg0RnNdLTno76yRS/vSthCHrts61cWJVX7uk=
Received: by 10.42.177.6 with SMTP id bg6mr44096icb.471.1313095446853; Thu, 11 Aug 2011 13:44:06 -0700 (PDT)
Received: from [192.168.1.16] (c-24-5-69-173.hsd1.ca.comcast.net [24.5.69.173]) by mx.google.com with ESMTPS id q4sm1742479ibb.32.2011.08.11.13.44.04 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 11 Aug 2011 13:44:05 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: multipart/alternative; boundary="Apple-Mail-30--219206263"
From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <B26C1EF377CB694EAB6BDDC8E624B6E723B89EBE@SN2PRD0302MB137.namprd03.prod.outlook.com>
Date: Thu, 11 Aug 2011 13:44:02 -0700
Message-Id: <375D778D-E5D9-4261-9ABE-F69C66AA8D9C@gmail.com>
References: <B26C1EF377CB694EAB6BDDC8E624B6E723B89BDE@SN2PRD0302MB137.namprd03.prod.outlook.com> <CA697C47.17C73%eran@hueniverse.com> <B26C1EF377CB694EAB6BDDC8E624B6E723B89DBF@SN2PRD0302MB137.namprd03.prod.outlook.com> <8ED87B37-CF6B-46F6-8D3F-C4FC3147AB2B@gmail.com> <B26C1EF377CB694EAB6BDDC8E624B6E723B89EBE@SN2PRD0302MB137.namprd03.prod.outlook.com>
To: Anthony Nadalin <tonynad@microsoft.com>
X-Mailer: Apple Mail (2.1084)
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Refresh Tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Aug 2011 20:43:34 -0000
Reading over your anonymous story at at the bottom, I don't see what difference a refresh token has over an access token. You could do the same thing with just an access token. Am I missing something? On 2011-08-11, at 1:30 PM, Anthony Nadalin wrote: > Could be! But a definite from Yaron. > > From: Dick Hardt [mailto:dick.hardt@gmail.com] > Sent: Thursday, August 11, 2011 1:25 PM > To: Anthony Nadalin > Cc: Eran Hammer-Lahav; OAuth WG (oauth@ietf.org) > Subject: Re: [OAUTH-WG] Refresh Tokens > > If it was, no one told me. > > On 2011-08-11, at 12:41 PM, Anthony Nadalin wrote: > > > Anonymity was certainly part of the design for WRAP > > From: Eran Hammer-Lahav [mailto:eran@hueniverse.com] > Sent: Thursday, August 11, 2011 12:35 PM > To: Anthony Nadalin; Dick Hardt > Cc: OAuth WG (oauth@ietf.org) > Subject: Re: [OAUTH-WG] Refresh Tokens > > Section 1.5 already covers refresh tokens. There are many use cases for refresh tokens. They are basically a protocol feature used to make scalability and security more flexible. Anonymity was never part of their design, and by the nature of this protocol, is more in the domain of the resource server (based on what information it exposes via its API). In fact, your email if the first such suggestion of anonymity. > > EHL > > From: Anthony Nadalin <tonynad@microsoft.com> > Date: Thu, 11 Aug 2011 11:15:28 -0700 > To: Dick Hardt <dick.hardt@gmail.com> > Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org> > Subject: Re: [OAUTH-WG] Refresh Tokens > > Many reasons, but none are explained in the specification > > From: Dick Hardt [mailto:dick.hardt@gmail.com] > Sent: Thursday, August 11, 2011 10:51 AM > To: Anthony Nadalin > Cc: OAuth WG (oauth@ietf.org) > Subject: Re: [OAUTH-WG] Refresh Tokens > > My recollection of refresh tokens was for security and revocation. > > security: By having a short lived access token, a compromised access token would limit the time an attacker would have access > > revocation: if the access token is self contained, authorization can be revoked by not issuing new access tokens. A resource does not need to query the authorization server to see if the access token is valid.This simplifies access token validation and makes it easier to scale and support multiple authorization servers. There is a window of time when an access token is valid, but authorization is revoked. > > > > On 2011-08-11, at 10:40 AM, Anthony Nadalin wrote: > > > > > Nowhere in the specification is there explanation for refresh tokens, The reason that the Refresh token was introduced was for anonymity. The scenario is that a client asks the user for access. The user wants to grant the access but not tell the client the user's identity. By issuing the refresh token as an 'identifier' for the user (as well as other context data like the resource) it's possible now to let the client get access without revealing anything about the user. Recommend that the above explanation be included so developers understand why the refresh tokens are there. > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] Refresh Tokens Anthony Nadalin
- Re: [OAUTH-WG] Refresh Tokens Dick Hardt
- Re: [OAUTH-WG] Refresh Tokens William J. Mills
- Re: [OAUTH-WG] Refresh Tokens Anthony Nadalin
- Re: [OAUTH-WG] Refresh Tokens William J. Mills
- Re: [OAUTH-WG] Refresh Tokens Justin Richer
- Re: [OAUTH-WG] Refresh Tokens Eran Hammer-Lahav
- Re: [OAUTH-WG] Refresh Tokens Anthony Nadalin
- Re: [OAUTH-WG] Refresh Tokens Anthony Nadalin
- Re: [OAUTH-WG] Refresh Tokens Dick Hardt
- Re: [OAUTH-WG] Refresh Tokens Peter Saint-Andre
- Re: [OAUTH-WG] Refresh Tokens Anthony Nadalin
- Re: [OAUTH-WG] Refresh Tokens Dick Hardt
- Re: [OAUTH-WG] Refresh Tokens Eran Hammer-Lahav
- Re: [OAUTH-WG] Refresh Tokens Anthony Nadalin
- Re: [OAUTH-WG] Refresh Tokens William J. Mills
- Re: [OAUTH-WG] Refresh Tokens William J. Mills
- Re: [OAUTH-WG] Refresh Tokens Eran Hammer-Lahav
- Re: [OAUTH-WG] Refresh Tokens Anthony Nadalin
- Re: [OAUTH-WG] Refresh Tokens Eran Hammer-Lahav
- Re: [OAUTH-WG] Refresh Tokens Anthony Nadalin
- Re: [OAUTH-WG] Refresh Tokens William J. Mills
- Re: [OAUTH-WG] Refresh Tokens Eran Hammer-Lahav
- Re: [OAUTH-WG] Refresh Tokens Eran Hammer-Lahav
- Re: [OAUTH-WG] Refresh Tokens David Recordon
- Re: [OAUTH-WG] Refresh Tokens Aiden Bell
- Re: [OAUTH-WG] Refresh Tokens Barry Leiba
- Re: [OAUTH-WG] Refresh Tokens Torsten Lodderstedt
- Re: [OAUTH-WG] Refresh Tokens Aaron Parecki
- Re: [OAUTH-WG] Refresh Tokens Aiden Bell
- Re: [OAUTH-WG] Refresh Tokens Igor Faynberg