IETF Logo Mail Archive

Re: [OAUTH-WG] in-app logout?

Justin Richer <jricher@mitre.org> Tue, 15 June 2010 16:12 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9D68F3A69B2 for <oauth@core3.amsl.com>; Tue, 15 Jun 2010 09:12:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.476
X-Spam-Level:
X-Spam-Status: No, score=-4.476 tagged_above=-999 required=5 tests=[AWL=-0.291, BAYES_40=-0.185, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S00td7dRBjhZ for <oauth@core3.amsl.com>; Tue, 15 Jun 2010 09:12:47 -0700 (PDT)
Received: from smtp-bedford.mitre.org (smtp-bedford.mitre.org [129.83.20.191]) by core3.amsl.com (Postfix) with ESMTP id 59A493A6979 for <oauth@ietf.org>; Tue, 15 Jun 2010 09:12:47 -0700 (PDT)
Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id o5FGCpH2001088 for <oauth@ietf.org>; Tue, 15 Jun 2010 12:12:51 -0400
Received: from imchub2.MITRE.ORG (imchub2.mitre.org [129.83.29.74]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id o5FGCo2d001079; Tue, 15 Jun 2010 12:12:50 -0400
Received: from [129.83.50.65] (129.83.50.65) by imchub2.MITRE.ORG (129.83.29.74) with Microsoft SMTP Server id 8.2.254.0; Tue, 15 Jun 2010 12:12:50 -0400
From: Justin Richer <jricher@mitre.org>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E112640B7698@WSMSG3153V.srv.dir.telstra.com>
References: <4BEBDCFB.7090503@lodderstedt.net> <255B9BB34FB7D647A506DC292726F6E11263465727@WSMSG3153V.srv.dir.telstra.com> <AANLkTikxD3jraqvG2IFmaSme0f1Q7NGPuQ3llqX3Ds5W@mail.gmail.com> <AANLkTil8c6oLx-YpyQ57seoFpuZQ013hLpVWfdb8JWlM@mail.gmail.com> <AANLkTilx7NPXa_XGSHmXw4vtLIlCQFf3DfcagP84TTtJ@mail.gmail.com> <AANLkTilOpF2iTB0LKGjQCGp8hMyL38SwtjrwgWsUi5zf@mail.gmail.com> <4BFD67CA.5040600@lodderstedt.net> <90C41DD21FB7C64BB94121FBBC2E72343B3EBB66F0@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4C16753A.9050802@lodderstedt.net> <90C41DD21FB7C64BB94121FBBC2E72343B3EBB680C@P3PW5EX1MB01.EX1.SECURESERVER.NET> <255B9BB34FB7D647A506DC292726F6E112640B7698@WSMSG3153V.srv.dir.telstra.com>
Content-Type: text/plain; charset="UTF-8"
Date: Tue, 15 Jun 2010 12:12:50 -0400
Message-ID: <1276618370.10716.47.camel@localhost.localdomain>
MIME-Version: 1.0
X-Mailer: Evolution 2.28.3
Content-Transfer-Encoding: 7bit
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] in-app logout?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jun 2010 16:12:49 -0000

This is exactly my contention with using DELETE: it's specified[1] as
deleting the resource identified by the URI, and it's not meant as way
to determine intended action in a higher-level API. Like PUT, it's there
for using HTTP as a uri-addressable document store. I'm also not
convinced it's going to be as well-supported across client libraries as
GET and POST will be, but I can't confirm that in practice as I don't
remember ever using the DELETE method by hand. I'm also not in favor of
requiring all tokens be URL-addressable. I'd much rather see us use a
separate delete/revoke method. Perhaps in parallel with how the rescope
is written in -08 (which structure I'm mostly happy with, btw) we can
have an optional argument that says "please trash this token". Also, it
seems we should be able to revoke both refresh and access tokens by
presenting them to the token endpoint. 

I can see this kind of API call as something that some providers are
going to offer anyway, so it should be part of OAuth so that everyone
does it the same way. This may be another candidate for "just throw it
in an extension", but we seem to be collecting quite a few of those
lately. :)

 -- Justin

[1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

On Tue, 2010-06-15 at 00:24 -0400, Manger, James H wrote:
> > Since refresh token is only issued to clients capable of directly interacting with the authorization server, is there a reason why the endpoint cannot use DELETE instead of a POST with a parameter?
> >
> >  DELETE /token HTTP/1.1
> >  Host: server.example.com
> >  Content-Type: application/x-www-form-urlencoded
> >  
> >  grant_type=refresh_token&client_id=s6BhdRkqt3&client_secret=8eSEIpnqmM&refresh_token=n4E9O119d
> >
> > This looks like an elegant way of doing things. I'm not sure about using the token endpoint for this, but that's a separate issue.
> 
> 
> The DELETE method deletes the resource identified by the URI. I don't think it is usual to have any body with a DELETE. Any intermediaries seeing the DELETE will mark as stale any cached responses indexed by the URI -- they will not look in the body.
> 
> In short, a more web-style approach is to give each token its own URI and DELETE that.
> 
>   DELETE /token?refresh_token=n4E90119d HTTP/1.1
>   Authorization: BASIC czZCaGRSa3F0Mzo4ZVNFSXBucW1N
> 
> --
> James Manger
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.46.0 | Report a Bug | By Email | System Status