[OAUTH-WG] How can client react to access token not-before errors

Sergey Beryozkin <sberyozkin@gmail.com> Mon, 01 February 2016 11:36 UTC

To: "oauth@ietf.org" <oauth@ietf.org>
References: <BY2PR03MB442C39923E8F9D96F5975B0F5DA0@BY2PR03MB442.namprd03.prod.outlook.com>
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <56AF433B.1040706@gmail.com>
Date: Mon, 01 Feb 2016 11:36:27 +0000
In-Reply-To: <BY2PR03MB442C39923E8F9D96F5975B0F5DA0@BY2PR03MB442.namprd03.prod.outlook.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/iR_dIqU1M5XjGWIx5zLZ4JRCRK0>
Subject: [OAUTH-WG] How can client react to access token not-before errors

Hi

Access tokens (particularly JWT-based) may have a not-before property set; for example, a token introspection response may report an 'nbf' property.

How can a client react to the error related to using the access token too early?

Typically a client would attempt to refresh a token if it has been rejected by the RS, but in the case of NBF-related errors it can become a cycle: refresh, get a new token, try it, too early, repeat...

I think the RS reporting 503 with Retry-After, instead of 400/401, would be the right way to handle NBF errors.

Thanks, Sergey
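The refresh cycle described in the post, and the 503 + Retry-After alternative it proposes, side by side in a small simulation. This is an added example, not code from the post or from any OAuth implementation: `rs_check_token`, `SimAuthServer`, `SimClock`, `client_call`, the leeway value and the claim values are all constructed for illustration, and signature verification or introspection of the token is assumed to have already succeeded before the nbf check runs.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Seconds of clock skew the resource server tolerates before treating a
# token as "not yet valid" (constructed value for this example).
CLOCK_SKEW_LEEWAY = 5


@dataclass
class Claims:
    """The subset of JWT / introspection claims this example looks at."""
    sub: str
    exp: int                 # expiry, seconds since epoch
    nbf: Optional[int] = None  # not-before, seconds since epoch


def rs_check_token(claims: Claims, now: int, signal_not_before: bool) -> Tuple[int, Dict[str, str]]:
    """Resource-server side. Returns (HTTP status, response headers).

    signal_not_before=False: conventional behaviour, every rejection is a
    generic 401 invalid_token, so the client cannot tell "too early" from
    "expired" or "revoked" and refreshes.
    signal_not_before=True: the post's proposal, 503 with Retry-After set
    to the number of seconds until the token becomes usable.
    """
    if now >= claims.exp:
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token", error_description="token expired"'}
    if claims.nbf is not None and claims.nbf > now + CLOCK_SKEW_LEEWAY:
        wait = claims.nbf - now - CLOCK_SKEW_LEEWAY  # whole seconds until nbf (minus leeway)
        if signal_not_before:
            return 503, {"Retry-After": str(wait)}
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}
    return 200, {}


class SimClock:
    """Simulated clock so the client's waiting can be measured without sleeping."""
    def __init__(self, start: int) -> None:
        self.now = start
        self.slept = 0

    def sleep(self, seconds: int) -> None:
        self.now += seconds
        self.slept += seconds


class SimAuthServer:
    """Constructed authorization server that keeps minting tokens with the
    same future nbf, which is what turns the refresh into a cycle."""
    def __init__(self, nbf: int) -> None:
        self.nbf = nbf
        self.refreshes = 0

    def refresh(self, now: int) -> Claims:
        self.refreshes += 1
        return Claims(sub="alice", exp=now + 3600, nbf=self.nbf)


def client_call(token: Claims, auth: SimAuthServer, clock: SimClock,
                signal_not_before: bool, max_refreshes: int = 3,
                max_wait: int = 300) -> Tuple[int, int, int]:
    """Client side. Returns (final status, refreshes performed, seconds waited).

    On 401 the client refreshes, bounded by max_refreshes so the cycle the
    post describes terminates instead of spinning. On 503 it honours
    Retry-After, bounded by max_wait so an absurd value cannot park it.
    """
    refreshes = 0
    while True:
        status, headers = rs_check_token(token, clock.now, signal_not_before)
        if status == 200:
            return 200, refreshes, clock.slept
        if status == 401 and refreshes < max_refreshes:
            token = auth.refresh(clock.now)
            refreshes += 1
            continue
        if status == 503 and "Retry-After" in headers:
            wait = int(headers["Retry-After"])
            if 0 < wait <= max_wait:
                clock.sleep(wait)
                continue
        return status, refreshes, clock.slept


def run_scenarios(start: int = 1_454_326_588, nbf_offset: int = 30) -> Dict[str, Tuple[int, int, int]]:
    """Run both RS behaviours against a token whose nbf is nbf_offset seconds ahead."""
    results = {}
    for label, signal in (("generic_401", False), ("503_retry_after", True)):
        clock = SimClock(start)
        auth = SimAuthServer(nbf=start + nbf_offset)
        token = auth.refresh(clock.now)
        auth.refreshes = 0  # do not count the initial issuance
        results[label] = client_call(token, auth, clock, signal_not_before=signal)
    return results


if __name__ == "__main__":
    for label, (status, refreshes, waited) in run_scenarios().items():
        print(f"{label}: status={status} refreshes={refreshes} waited={waited}s")
```

With a generic 401 the client burns its refresh budget and still ends with a rejected request, because every new token carries the same future nbf; with 503 and Retry-After it performs no refresh, waits exactly until nbf minus the leeway, and the next attempt succeeds. The bounded refresh count and bounded wait are the client-side guards worth keeping regardless of which status the RS returns.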