Re: [OAUTH-WG] Another question on RFC 7009

Brian Campbell <bcampbell@pingidentity.com> Fri, 07 February 2014 19:44 UTC

In-Reply-To: <CAEayHEPYp7YxYr77nLTqkR4Xh1eg9sjMkGczcHEBnqG6U5VboA@mail.gmail.com>
References: <CA+k3eCSNX43gFYUA8jGgFZ4Ri6nWQ=+R6Ru2j+v04r_2pZdQhA@mail.gmail.com> <OFDA940505.5D93BC11-ON85257C71.005DCB58-85257C71.005DF5C2@us.ibm.com> <CAEayHEPYp7YxYr77nLTqkR4Xh1eg9sjMkGczcHEBnqG6U5VboA@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 07 Feb 2014 12:43:59 -0700
Message-ID: <CA+k3eCR-7x1cb_h-mWqWVr66w+gUe7trNjX4JAHGNDcNbfubag@mail.gmail.com>
To: Thomas Broyer <t.broyer@gmail.com>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>, OAuth <oauth-bounces@ietf.org>
Subject: Re: [OAUTH-WG] Another question on RFC 7009

Thanks, Todd and Thomas, for the responses. After some internal debate, I
think we are going to treat it as an invalid token (which it is in that
context) and return a 200.


On Fri, Jan 31, 2014 at 11:19 AM, Thomas Broyer <t.broyer@gmail.com> wrote:

> FWIW, we return unauthorized_client.
> On 31 Jan 2014 18:06, "Todd W Lainhart" <lainhart@us.ibm.com> wrote:
>
>> ...what's the intended way that the "request is refused and the client
>> is informed of the error" when the token was not issued to the client
>> making the revocation request?
>>
>> We return an error_code of "invalid_request" and an appropriate error
>> message.
>>
>> Todd Lainhart
>> Rational software
>> IBM Corporation
>> 550 King Street, Littleton, MA 01460-1250
>> 1-978-899-4705, 2-276-4705 (T/L)
>> lainhart@us.ibm.com
>>
>> From:        Brian Campbell <bcampbell@pingidentity.com>
>> To:        oauth <oauth@ietf.org>,
>> Date:        01/31/2014 11:58 AM
>> Subject:        [OAUTH-WG] Another question on RFC 7009
>> Sent by:        "OAuth" <oauth-bounces@ietf.org>
>>
>> Greetings WG,
>>
>> In section 2.1 of RFC 7009, it says:
>>
>>    "The authorization server first validates the client credentials (in
>>    case of a confidential client) and then verifies whether the token
>>    was issued to the client making the revocation request.  If this
>>    validation fails, the request is refused and the client is informed
>>    of the error by the authorization server as described below."
>>
>> The only error described below is "unsupported_token_type" which doesn't
>> seem appropriate here. The errors in
>> http://tools.ietf.org/html/rfc6749#section-5.2 are referenced too and,
>> while "invalid_client" seems right for failed client authentication,
>> what's the intended way that the "request is refused and the client is
>> informed of the error" when the token was not issued to the client making
>> the revocation request? None of the defined error codes seem to fit.
>>
>> Furthermore, wouldn't it be better to go ahead and just revoke a token in
>> the case it's presented by the wrong client? I seem to recall some
>> discussion around this when 7009 was just a baby
>> draft-ietf-oauth-revocation and, while I don't recall the outcome, I was
>> surprised to look at the RFC again and see the text that is there.
>>
>> These questions came to me by way of a developer working on implementing
>> the RFC. I didn't have good answers, beyond the prognostication herein, so
>> I thought I'd take the questions to the WG list and the document authors.
>>
>> Thanks for any clarification,
>> Brian
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
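
As an added illustration of the revocation-endpoint behaviour discussed in this thread (constructed example code, not anything from the IETF OAuth WG, Ping Identity or IBM): a minimal RFC 7009 revocation handler that validates client credentials first, rejects an unknown token_type_hint with "unsupported_token_type", and, following the outcome Brian describes above, treats a token that was not issued to the requesting client as an invalid token and answers 200 without revoking it. The client ids, secrets and token values are made up, and the in-memory store stands in for whatever a real server uses. Thomas's "unauthorized_client" and Todd's "invalid_request" would be alternative returns at the ownership-check branch.

```python
"""Toy RFC 7009 revocation endpoint (constructed example, not from the thread)."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# token_type_hint values a server is required to understand (RFC 7009, section 2.1)
SUPPORTED_HINTS = ("access_token", "refresh_token")


@dataclass
class Token:
    value: str
    client_id: str      # the client this token was issued to
    token_type: str     # "access_token" or "refresh_token"
    revoked: bool = False


@dataclass
class RevocationServer:
    # client_id -> client_secret. Constructed demo data; a real server would
    # store a hash of the secret rather than the secret itself.
    clients: Dict[str, str]
    tokens: Dict[str, Token] = field(default_factory=dict)

    def authenticate_client(self, client_id: str, client_secret: str) -> bool:
        """Constant-time comparison of the presented secret for a confidential client."""
        expected = self.clients.get(client_id)
        return expected is not None and hmac.compare_digest(expected, client_secret)

    def revoke(self, client_id: str, client_secret: str, token: str,
               token_type_hint: Optional[str] = None) -> Tuple[int, dict]:
        """Handle one revocation request; returns (HTTP status, JSON body)."""
        # 1. Client credentials are checked before anything else; failure is
        #    reported with the RFC 6749 "invalid_client" error (401 is permitted
        #    by RFC 6749 section 5.2).
        if not self.authenticate_client(client_id, client_secret):
            return 401, {"error": "invalid_client"}

        # 2. An unknown hint is the one error RFC 7009 itself defines.
        if token_type_hint is not None and token_type_hint not in SUPPORTED_HINTS:
            return 400, {"error": "unsupported_token_type"}

        # 3. Look the token up. An unknown token counts as already invalid, and
        #    RFC 7009 has the server answer 200 in that case.
        entry = self.tokens.get(token)

        # 4. A token issued to a different client is treated exactly like an
        #    unknown one (the choice Brian describes): 200, nothing revoked.
        #    Because both cases produce the same response, a client cannot use
        #    the endpoint to learn whether another client's token value exists.
        if entry is None or entry.client_id != client_id:
            return 200, {}

        entry.revoked = True
        return 200, {}

    def is_valid(self, token: str) -> bool:
        entry = self.tokens.get(token)
        return entry is not None and not entry.revoked


def make_demo_server() -> RevocationServer:
    """Constructed fixture: two confidential clients, one token each."""
    srv = RevocationServer(clients={"app-a": "secret-a", "app-b": "secret-b"})
    srv.tokens["tok-a1"] = Token("tok-a1", "app-a", "access_token")
    srv.tokens["tok-b1"] = Token("tok-b1", "app-b", "refresh_token")
    return srv


if __name__ == "__main__":
    srv = make_demo_server()
    print(srv.revoke("app-a", "wrong-secret", "tok-a1"))   # (401, {'error': 'invalid_client'})
    print(srv.revoke("app-b", "secret-b", "tok-a1"))       # (200, {}) and tok-a1 stays valid
    print(srv.is_valid("tok-a1"))                          # True
    print(srv.revoke("app-a", "secret-a", "tok-a1"))       # (200, {}) and tok-a1 is now revoked
    print(srv.is_valid("tok-a1"))                          # False
```

The ordering matters: the ownership check only runs after client authentication has succeeded, so an unauthenticated caller never reaches the token lookup at all, and an authenticated caller gets an identical 200 for a foreign token and for a token that never existed.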