IETF Logo Mail Archive

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-revocation-04.txt

Peter Mauritius <peter.mauritius@fun.de> Tue, 08 January 2013 22:07 UTC

Return-Path: <peter.mauritius@fun.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 939F521F85B3 for <oauth@ietfa.amsl.com>; Tue, 8 Jan 2013 14:07:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jXZcykrE6kln for <oauth@ietfa.amsl.com>; Tue, 8 Jan 2013 14:07:15 -0800 (PST)
Received: from mailfwd.fun.de (fungate2.fun.de [IPv6:2a01:198:3c6:1:81:26:162:57]) by ietfa.amsl.com (Postfix) with ESMTP id 9E95721F8550 for <oauth@ietf.org>; Tue, 8 Jan 2013 14:07:13 -0800 (PST)
Received: from hsi-kbw-109-193-166-054.hsi7.kabel-badenwuerttemberg.de ([109.193.166.54] helo=funmiraus.local) by mailfwd.fun.de with esmtpsa (Exim 4.69 #1 (Debian)) id 1TshKA-0004DM-VE; Tue, 08 Jan 2013 23:07:11 +0100
Message-ID: <50EC988E.7070007@fun.de>
Date: Tue, 08 Jan 2013 23:07:10 +0100
From: Peter Mauritius <peter.mauritius@fun.de>
Organization: fun communications GmbH, Karlsruhe, Germany
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20130102 Thunderbird/19.0a2
MIME-Version: 1.0
To: George Fletcher <gffletch@aol.com>, OAuth WG <oauth@ietf.org>
References: <20130107120057.29202.70722.idtracker@ietfa.amsl.com> <50EABAB0.4060807@lodderstedt.net> <50EAF409.80704@aol.com> <50EAF568.8000201@lodderstedt.net> <50EAF6F2.90407@aol.com>
In-Reply-To: <50EAF6F2.90407@aol.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms050001030004030804030000"
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-revocation-04.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jan 2013 22:07:16 -0000

Hi George,

RFC6750 defines "invalid-token" for access tokens which is not the case 
for "invalid-token" in the revocation specification. Here it is 
applicable for refresh tokens as well. Therefore we should not simply 
reference the "invalid-token" of RFC6750.

As far as I understand both, the reviewed specification and RFC6750, 
reference RFC6749. RFC6750 includes in section 6.1 
<http://tools.ietf.org/html/rfc6750#section-6.2>  OAuth Extensions Error 
Registration sections according to RFC6749 section 11.4. 
<http://tools.ietf.org/html/rfc6749#section-11.4> for the error codes 
defined throughout the document including "invalid-token".

I am not very experienced in the formal process but shouldn't we add 
such sections for the two error codes defined in the revocation 
document? Especially for "invalid-token" we should define an error 
registration section that defines the error code for our error usage 
location and protocol extension to distinguish it from RFC6750 and to 
avoid confusion. Doing this I hope there is no necessity to add a 
reference to RFC6750 or to define a new error code.

What do the more experienced reviewers think?

Regards
   Peter

Am 07.01.13 17:25, schrieb George Fletcher:
> My concern with leaving both specs separated is that over time the 
> semantics of the two error codes could diverge and that would be 
> confusing for developers. If we don't want to create a dependency on 
> RFC 6750, then I would recommend a change to the error code name so 
> that there is no name collision or confusion.
>
> Thanks,
> George
>
> On 1/7/13 11:18 AM, Torsten Lodderstedt wrote:
>> Hi George,
>>
>> thank you for pointing this out. Your proposal sounds reasonable 
>> although the revocation spec does not build on top of RFC 6750.
>>
>> As refering to RFC 6750 would create a new dependency, one could also 
>> argue it would be more robust to leave both specs separated.
>>
>> What do others think?
>>
>> regards,
>> Torsten.
>> Am 07.01.2013 17:12, schrieb George Fletcher:
>>> One quick comment...
>>>
>>> Section 2.0: Both RFC 6750 and this specification define the 
>>> 'invalid_token' error code.
>>>
>>> Should this spec reference the error code from RFC 6750?
>>>
>>> Thanks,
>>> George
>>>
>>>
>>> On 1/7/13 7:08 AM, Torsten Lodderstedt wrote:
>>>> Hi,
>>>>
>>>> the new revision is based on the WGLC feedback and incorporates the 
>>>> following changes:
>>>>
>>>> - renamed "access grant" to "authorization" and reworded parts of 
>>>> Abstract and Intro in order to better align with core spec wording 
>>>> (feedback by Amanda)
>>>> - improved formatting of section 2.1. (feedback by Amanda)
>>>> - improved wording of last paragraph of section 6 (feedback by Amanda)
>>>> - relaxed the expected behavior regarding revocation of related 
>>>> tokens and the authorization itself in order to remove unintended 
>>>> constraints on implementations (feedback by Mark)
>>>> - replaced description of error handling by pointer to respective 
>>>> section of core spec (as proposed by Peter)
>>>> - adopted proposed text for implementation note (as proposed by 
>>>> Hannes)
>>>>
>>>> regards,
>>>> Torsten.
>>>>
>>>> Am 07.01.2013 13:00, schrieb internet-drafts@ietf.org:
>>>>> A New Internet-Draft is available from the on-line Internet-Drafts 
>>>>> directories.
>>>>>   This draft is a work item of the Web Authorization Protocol 
>>>>> Working Group of the IETF.
>>>>>
>>>>>     Title           : Token Revocation
>>>>>     Author(s)       : Torsten Lodderstedt
>>>>>                            Stefanie Dronia
>>>>>                            Marius Scurtescu
>>>>>     Filename        : draft-ietf-oauth-revocation-04.txt
>>>>>     Pages           : 8
>>>>>     Date            : 2013-01-07
>>>>>
>>>>> Abstract:
>>>>>     This document proposes an additional endpoint for OAuth 
>>>>> authorization
>>>>>     servers, which allows clients to notify the authorization 
>>>>> server that
>>>>>     a previously obtained refresh or access token is no longer 
>>>>> needed.
>>>>>     This allows the authorization server to cleanup security 
>>>>> credentials.
>>>>>     A revocation request will invalidate the actual token and, if
>>>>>     applicable, other tokens based on the same authorization.
>>>>>
>>>>>
>>>>>
>>>>> The IETF datatracker status page for this draft is:
>>>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-revocation
>>>>>
>>>>> There's also a htmlized version available at:
>>>>> http://tools.ietf.org/html/draft-ietf-oauth-revocation-04
>>>>>
>>>>> A diff from the previous version is available at:
>>>>> http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-revocation-04
>>>>>
>>>>>
>>>>> Internet-Drafts are also available by anonymous FTP at:
>>>>> ftp://ftp.ietf.org/internet-drafts/
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>
>>>
>>
>


-- 
Peter Mauritius   Chief Technical Director
Senior Consultant
Tel: +49 721 96448-0   Fax: +49 721 96448-299   peter.mauritius@fun.de

fun communications GmbH   Lorenzstr. 29   D-76135 Karlsruhe
Geschaeftsfuehrer Johannes Feulner
Amtsgericht Mannheim HRB 106906

http://www.fun.de
http://blogs.fun.de
http://www.twitter.com/fun_de
http://www.facebook.com/funcommunications

v2.30.2 | Report a Bug | By Email | System Status