IETF Logo Mail Archive

Re: [OAUTH-WG] Token Revocation error codes

Justin Richer <jricher@mit.edu> Mon, 21 May 2018 21:29 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 072E112D864 for <oauth@ietfa.amsl.com>; Mon, 21 May 2018 14:29:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7XGYJld19PxT for <oauth@ietfa.amsl.com>; Mon, 21 May 2018 14:29:30 -0700 (PDT)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC9F2128896 for <oauth@ietf.org>; Mon, 21 May 2018 14:29:29 -0700 (PDT)
X-AuditID: 1209190c-3efff70000007ed3-7e-5b033a37d217
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-1.mit.edu (Symantec Messaging Gateway) with SMTP id 47.6A.32467.73A330B5; Mon, 21 May 2018 17:29:28 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id w4LLTNOn004014; Mon, 21 May 2018 17:29:24 -0400
Received: from [192.168.1.12] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w4LLTKV9001785 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 21 May 2018 17:29:21 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <CD52F9C3-EAED-48A5-BA0D-90B1D3F70811@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_EA747E4A-B214-46C0-987B-4BBD67F6BE5A"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Date: Mon, 21 May 2018 17:29:19 -0400
In-Reply-To: <06748dd8-017d-81cc-1b2f-0aa9d61a4731@aol.com>
Cc: Sergey Ponomarev <stokito@gmail.com>, "<oauth@ietf.org>" <oauth@ietf.org>
To: George Fletcher <gffletch=40aol.com@dmarc.ietf.org>
References: <CADR0UcWmKLmy=NcvCAH+6C2c55vgux1=z+7xpMHMApYLV-VQrw@mail.gmail.com> <06748dd8-017d-81cc-1b2f-0aa9d61a4731@aol.com>
X-Mailer: Apple Mail (2.3445.6.18)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrHKsWRmVeSWpSXmKPExsUixG6nrmthxRxtMHOGvMXX/mqLk29fsVls +d3H7sDscWLZFVaPnbPusnssWfKTKYA5issmJTUnsyy1SN8ugStj/b0FbAXXO5kqjrRsZGxg bH/G2MXIySEhYCKxp/s/WxcjF4eQwGImia4XD1ghnI2MEpfajzFBONeZJKa9m8wK0sImoCox fU0LE4jNK2Al8WHBRzYQm1kgSWLHweNsEHETiR1X2thBbGEgu3HCMiCbg4MFqHfxMROQMKeA tcSeK6uYIVp9JfbM/wE2UkTAXKLlwDmoixoZJfovdDFDnKok8X/XEeYJjPyzkKybhWQdRFxb YtnC18wQtqbE/u7lLJjiGhKd3yayLmBkW8Uom5JbpZubmJlTnJqsW5ycmJeXWqRrqJebWaKX mlK6iREU8JySPDsYz7zxOsQowMGoxMP74AJTtBBrYllxZe4hRkkOJiVR3n+FQCG+pPyUyozE 4oz4otKc1OJDjBIczEoivJ8uAeV4UxIrq1KL8mFS0hwsSuK82YsYo4UE0hNLUrNTUwtSi2Cy MhwcShK8uZbM0UKCRanpqRVpmTklCGkmDk6Q4TxAw/tAaniLCxJzizPTIfKnGO05lj3p72Hm OPR+CpA8BybvHJjawyzEkpeflyolzrvLAqhNAKQtozQPbjIombmvs7N4xSgO9Kgwbz3IcB5g IoSb/QpoLRPQ2o5D/6OA1pYkIqSkGhg5H9s6Jl67fKU0Nkxgtr70RZUTuVq3fv6d0OW75/La uyppGSEHNIuywtPncTLrTN+5z8M1UGwpo5mv0Ymin++avghttShZK6nz1/SXQBP7kR+OOnbu JetKa37PL3CZFjLpjckelZsXJyy7F/2tRf3HnEr788+vrlzhGLRR0n+ryArm9Jtb2qcosRRn JBpqMRcVJwIAg9W2mUEDAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/gNJFxL5rQ2hAnxvHerDnjibGU44>
Subject: Re: [OAUTH-WG] Token Revocation error codes
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 May 2018 21:29:32 -0000

I’m with George here: revocation is almost a best-effort request from the client’s perspective. It sends a message to the server saying “hey I’m done with this token, you can throw it out too”. If the server does revoke the token, the client throws it out. If the server doesn’t revoke the token? Then the client still throws it out. Either way the results from the client’s perspective are the same: it’s already decided that it’s done with the token before it talks to the server. It’s an optional cleanup step in most  OAuth systems.

 — Justin

> On May 21, 2018, at 5:08 PM, George Fletcher <gffletch=40aol.com@dmarc.ietf.org> wrote:
> 
> I'm not understanding how these different cases matter to the client? I doubt that the running code will be able to dynamically handle the error. So it seems this information is only relevant to the developers and not relevant from an end user and the client perspective.
> 
> Also, for the 5 states you define, the effect of calling revocation is still that the token is "revoked" because the token is already not valid.
> 
> So from an implementation perspective, where is the concern that developer will do the "wrong thing" without these more detailed error responses?
> 
> Thanks,
> George
> 
> On 5/19/18 5:41 PM, Sergey Ponomarev wrote:
>> Hi,
>> 
>> I developing an implementation of back channel token revocation endpoint. And I think we should reconsider and probably change the specification to improve error handling.
>> 
>> Here we see several situations of error state:
>> 1. token wasn't sent in request.
>> 2. token is invalid by format i.e. not JWT or JWT with invalid signature
>> 3. token is expired or token is even unknown
>> 4. token was already revoked
>> 5. token type is unsupported 
>> 
>> According to  RFC7009 OAuth 2.0 Token Revocation <https://tools.ietf.org/html/rfc7009>  section 2.2 Revocation Response:
>> 
>> The authorization server responds with HTTP status code 200 if the token has been revoked successfully or if the client submitted an invalid token.
>> Note: invalid tokens do not cause an error response since the client cannot handle such an error in a reasonable way.  Moreover, the purpose of the revocation request, invalidating the particular token, is already achieved..
>> 
>> As you may see this section covers only case 3 and case 4 but it's very unclear: calling token as "invalid" is very broad definition.
>> I think we should take a look on each case separately:
>> 
>> 1. token wasn't sent in request. 
>> Most implementations returns 400 status code, error: "invalid_request", error_description": "Missing required parameter: token".
>> Note that returned error is not "invalid_token" but "invalid_request" and I think this should be correct behavior and should be clearly specified.
>> 
>> 2. token is invalid by format i.e. not JWT or JWT with invalid signature
>> This error is mostly related to JWT but for reference (opaque) tokens can be also applied (e.g. token is too long).
>> Goolge OAuth returns 400 code with  "error": "invalid_token" and I think this is correct behavior.
>> The client can have a bug and sends invalid tokens so we should return an error response instead of 200 status.
>> 
>> 3. token is expired or even unknown
>> Spec says that IdP should return 200 in this case but in case of unknown token this may be a symptom of a bug on client side. Even if IdP can clearly determine that token is expired (in case of JWT) this is hard to determine in case of reference token that was removed from DB.
>> So personally I think that from security perspective it's better to response with 400 status because client can have a bug when it's sends some unknown token and think that it was revoked while it wasn't.
>> 
>> For example Google OAuth revocation endpoint implementation do not follow the spec and returns 400 Bad Request with error message "Token is revoked or expired".
>> 
>> 4. token was already revoked
>> The same as above: this can be a bug in a client and we should return 400 status. In case of reference token which was removed from DB we can't distinguish that the token was revoked or even existed so this situation is the same as unknown token.
>> 
>> 5. token type is unsupported 
>> For this case specification introduces a new error code for case 5 in section 2.2.1. Error Response :
>> unsupported_token_type:  The authorization server does not support the revocation of the presented token type.  That is, the client tried to revoke an access token on a server not   supporting this feature. 
>> But it would be better to mention that revocation of ID token (which can be is considered as "public" and not used to auth) definitely should cause this error.
>> 
>> It would be great if we discuss this cases and improve specification.
>> 
>> P.S. Also it may be worse to mention that specification says that content of successful response is empty but status code is 200 instead of 201 "No Content".
>> 
>> Regards,
>> Sergey Ponomarev <http://www.linkedin.com/in/stokito>
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email