Re: [OAUTH-WG] Device Code expiration and syntax
Justin Richer <jricher@mit.edu> Sat, 11 March 2017 20:41 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13CC01295B9 for <oauth@ietfa.amsl.com>; Sat, 11 Mar 2017 12:41:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8dPf0WiyUCl2 for <oauth@ietfa.amsl.com>; Sat, 11 Mar 2017 12:41:03 -0800 (PST)
Received: from dmz-mailsec-scanner-4.mit.edu (dmz-mailsec-scanner-4.mit.edu [18.9.25.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4241129442 for <oauth@ietf.org>; Sat, 11 Mar 2017 12:41:02 -0800 (PST)
X-AuditID: 1209190f-033ff7000000330c-f7-58c460dcdca3
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 43.73.13068.CD064C85; Sat, 11 Mar 2017 15:41:01 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v2BKexWY016809; Sat, 11 Mar 2017 15:40:59 -0500
Received: from artemisia.richer.local (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v2BKev8l004104 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sat, 11 Mar 2017 15:40:58 -0500
From: Justin Richer <jricher@mit.edu>
Message-Id: <0CAB3A6D-5B80-41DF-9499-35D21D98F7B7@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_FA6DF883-5641-4FE5-890F-6924FBB5AE3F"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Sat, 11 Mar 2017 15:40:57 -0500
In-Reply-To: <CAAP42hBAaAMf0ojSBYL55O1GiUZ4Hx2Z43jRoWZqsm6=HVCVNQ@mail.gmail.com>
To: William Denniss <wdenniss@google.com>
References: <AEE72C0E-6FFA-4BE5-87EB-D2EBF891211E@mit.edu> <CAAP42hBAaAMf0ojSBYL55O1GiUZ4Hx2Z43jRoWZqsm6=HVCVNQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3259)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpileLIzCtJLcpLzFFi42IRYrdT0b2bcCTC4NtHdouTb1+xWWya08zu wOSxYFOpx5IlP5kCmKK4bFJSczLLUov07RK4MhpXL2ApeG1W8fRxF2MD4xK9LkZODgkBE4mZ /7cydjFycQgJtDFJXP+2lAXC2cgoMaH5DhOE85BJom/iGSaQFjYBVYnpa1rAbF4BK4m3+xaz dTFycDALJEn8PJMLEdaXmH3mEguILSxgKbHmxjQwmwWode/7HWwgNqdAoMTRRXeZIVrVJdpP uoCERQQ0JV6ePQB1QyOjxMFLx1ghLpWVePtrCfMERv5ZCNtmIdkGYjMLaEssW/iaGcLWlNjf vRyLuIZE57eJrAsY2VYxyqbkVunmJmbmFKcm6xYnJ+blpRbpmujlZpbopaaUbmIEBTWnJP8O xjkN3ocYBTgYlXh4G1yORAixJpYVV+YeYpTkYFIS5f395VCEEF9SfkplRmJxRnxRaU5q8SFG CQ5mJRHeU45A5bwpiZVVqUX5MClpDhYlcV5xjcYIIYH0xJLU7NTUgtQimKwMB4eSBO/3eKBG waLU9NSKtMycEoQ0EwcnyHAeoOEKCSDDiwsSc4sz0yHypxgVpcR5GUCaBUASGaV5cL2gpJPw 9rDpK0ZxoFeEeaVB2nmACQuu+xXQYCagwdP4DoIMLklESEk1MFoKL3aVPJ0wfWGKis+876ZV K7PY8xda2Um+mdBvdKJxbyenXFeih9+5srM5FotWfLnpmeK/ULOFy7svm/f0Oxexa2u3nMr0 Krmi9FNxy2Smx3U3jcOe99pERIqon9j9tCtyw/qtGVxN7gs+Hj6qe2W24E2Td48z1T6Htm8N rLE8wHN3utf6XiWW4oxEQy3mouJEAKKp22sVAwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/i6doPepIe1vf5IzYT0CHobznKF8>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Device Code expiration and syntax
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Mar 2017 20:41:04 -0000
> On Mar 11, 2017, at 2:54 PM, William Denniss <wdenniss@google.com> wrote: > > On Sat, Mar 11, 2017 at 11:10 AM, Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>> wrote: > We’re implementing support for the device code draft and had a question on what the “expiration” of the code refers to. Obviously, once the code has expired it can no longer be used. But when should the expiration count from? Say I have a code that’s good for 60 seconds, do I start the timer as soon as I issue the code to the client? Do I reset the timer when the user approves the client, to another 60 seconds? Or does that 60 seconds count for the entire transaction? > > My read on it is the latter-- one timeout for the entire lifetime of the code regardless of its current state, with no resets. But I didn’t find good guidance in the document itself. > > It's the expiry of the user_code and device_code pair, at which point the device will need to start-over with a new device authorization request. The device wouldn't *have* to start a timer, as they will get an error during polling: > > expired_token > The "device_code" has expired. The client will need to make a new > Device Authorization Request. > > We should add some guidelines around expiry behavior. OK, so it really is one expiration for the whole thing. The device doesn’t need to care (and I’ll bet you right now that, just like with access tokens, the overwhelmingly vast majority of devices won’t care about expires_in), but the authorization server certainly does, and we wanted to know the right place to set the timers. > > Secondly, I had a question about the “response_type” parameter to the device endpoint. This parameter is required and it has a single, required value, with no registry or other possibility of extension. What’s the point? If it’s for “parallelism”, I’ll note that this is *not* the authorization endpoint (as the user is not present) and such constraints need not apply here. > > Good points here. At a guess, it bled in from the OAuth spec. If it's not needed, we should remove it. > I’d vote for removal, I don’t see the point. — Justin
- [OAUTH-WG] Device Code expiration and syntax Justin Richer
- Re: [OAUTH-WG] Device Code expiration and syntax William Denniss
- Re: [OAUTH-WG] Device Code expiration and syntax Justin Richer
- Re: [OAUTH-WG] Device Code expiration and syntax William Denniss
- Re: [OAUTH-WG] Device Code expiration and syntax Mike Jones
- Re: [OAUTH-WG] Device Code expiration and syntax William Denniss
- Re: [OAUTH-WG] Device Code expiration and syntax Mike Jones
- Re: [OAUTH-WG] Device Code expiration and syntax William Denniss
- Re: [OAUTH-WG] Device Code expiration and syntax Brian Campbell
- Re: [OAUTH-WG] Device Code expiration and syntax John Bradley
- Re: [OAUTH-WG] Device Code expiration and syntax William Denniss
- Re: [OAUTH-WG] Device Code expiration and syntax Justin Richer