IETF Logo Mail Archive

Re: [OAUTH-WG] I-D on token revocation submitted

Torsten Lodderstedt <torsten@lodderstedt.net> Wed, 15 September 2010 05:38 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F33403A688C for <oauth@core3.amsl.com>; Tue, 14 Sep 2010 22:38:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.415
X-Spam-Level:
X-Spam-Status: No, score=-1.415 tagged_above=-999 required=5 tests=[AWL=-0.562, BAYES_00=-2.599, HELO_EQ_DE=0.35, MIME_QP_LONG_LINE=1.396]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fm15icapAeCu for <oauth@core3.amsl.com>; Tue, 14 Sep 2010 22:38:15 -0700 (PDT)
Received: from smtprelay03.ispgateway.de (smtprelay03.ispgateway.de [80.67.31.41]) by core3.amsl.com (Postfix) with ESMTP id 4D5423A6767 for <oauth@ietf.org>; Tue, 14 Sep 2010 22:38:11 -0700 (PDT)
Received: from [79.253.38.9] (helo=[192.168.71.41]) by smtprelay03.ispgateway.de with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1OvkhX-0002Eg-Hq; Wed, 15 Sep 2010 07:38:36 +0200
References: <4C86BAF4.3060906@lodderstedt.net> <4C891EEA.80502@gmx.de> <AANLkTinUBD77ZtaHOD5CSGv+XAUuzSS0+NeyM5KLyJ8K@mail.gmail.com> <4C8BB3E7.7090606@gmx.de> <4C8CA7C4.5050809@lodderstedt.net> <AANLkTim5N1hZb92P9SEr-NWqHMWakeSE_hxYG--pHseQ@mail.gmail.com>
In-Reply-To: <AANLkTim5N1hZb92P9SEr-NWqHMWakeSE_hxYG--pHseQ@mail.gmail.com>
Mime-Version: 1.0 (iPhone Mail 8B117)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="us-ascii"
Message-Id: <0C2BE27F-A70B-4F57-8780-C0DC35A2FF4A@lodderstedt.net>
X-Mailer: iPhone Mail (8B117)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Wed, 15 Sep 2010 07:37:49 +0200
To: Brian Campbell <bcampbell@pingidentity.com>
X-Df-Sender: 141509
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D on token revocation submitted
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Sep 2010 05:38:18 -0000

Your understanding is correct. I just wanted to note the additional data required at the authz server in order to implement the indirect case.

Regards,
Torsten.



Am 15.09.2010 um 00:32 schrieb Brian Campbell <bcampbell@pingidentity.com>:

> So is my understanding of the kraft incorrect?  I read it to say that
> direct access token revocation is optional but, if supported, then all
> associated assess tokens must also be revoked on a revocation of a
> refresh token.
> 
> On Sun, Sep 12, 2010 at 4:13 AM, Torsten Lodderstedt
> <torsten@lodderstedt.net> wrote:
>>  Stefanie,
>> 
>> thanks for your comments.
>> 
>> I think there is a subtle difference between revoking access tokens directly
>> and indirectly via refresh tokens. In the later case, the authorization
>> server needs to keep track of the relation between refresh and access tokens
>> (somewhere in a database), whereas the relation between access and refresh
>> token could be kept in the access token only.
>> 
>> regards,
>> Torsten.
>> 
>> Am 11.09.2010 18:52, schrieb Stefanie Dronia:
>>> 
>>>  Hi Brain,
>>> 
>>> yes, you are right. I just went over that condition.
>>> 
>>> On the other hand, this implies to me, that access token revocation is not
>>> possible in a constellation as described before.
>>> 
>>> Regards,
>>> Stefanie
>>> 
>>> Am 10.09.2010 00:38, schrieb Brian Campbell:
>>>> 
>>>> Isn't that kind of situation exactly the reason that access token
>>>> revocation was made optional?   Invalidation of access tokens on
>>>> revocation of a refresh token is only a MUST, if the deployment
>>>> already supports revocation of access tokens.  And if revocation of
>>>> access tokens is supported, I'd assume the deployment already has an
>>>> efficient means of invalidating them.
>>>> 
>>>> Editorial note: shouldn't the "must" in that text be a "MUST"?
>>>> 
>>>> On Thu, Sep 9, 2010 at 11:52 AM, Stefanie Dronia<sDronia@gmx.de>  wrote:
>>>>> 
>>>>>  Hallo Torsten,
>>>>> 
>>>>> first of all thanks for providing this draft on the mailing list.
>>>>> Except for the following words, the draft is consistent. It defines the
>>>>> end of a token's life cycle, intended by the user.
>>>>> 
>>>>> While reading it, I think that the following part of chapter 2 (Token
>>>>> Revocation) might cause problems a a certain situation:
>>>>> 
>>>>> "If the processed token is a refresh token and the authorization
>>>>>   server supports the revocation of access tokens, then the
>>>>>   authorization server must also invalidate all access tokens issued
>>>>>   for that refresh token."
>>>>> 
>>>>> Situation:
>>>>> Authz Server(s) and Resource Server(s) are separate systems that are set
>>>>> in an open triangle (no communication between them e.g. to verify access
>>>>> tokens).
>>>>> 
>>>>> Problem:
>>>>> How does the Resource Server(s) know that an access token was revoked
>>>>> and is not valid to access resources any more?
>>>>> =>  Communication  between the servers necessary
>>>>> =>  benefit of open triangle architecture are lost for this case.
>>>>> I think that this is a problem with large scale systems.
>>>>> 
>>>>> Although, if there are several Authz Server(s) , then there has to be
>>>>> communication between there or a shared data base to assure that revoked
>>>>> (refresh) tokens are invalid.
>>>>> 
>>>>> =>  Is this requirement really a MUST?
>>>>> I don't think so.
>>>>> 
>>>>> Any thoughts?
>>>>> 
>>>>> Regards,
>>>>> Stefanie
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> Am 08.09.2010 00:21, schrieb Torsten Lodderstedt:
>>>>>> 
>>>>>>  I just submited the first version of my I-D for token revocation.
>>>>>> 
>>>>>> Link:
>>>>>> https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-revocation/
>>>>>> 
>>>>>> The I-D proposes an additional endpoint, which can be used to revoke
>>>>>> both refresh and access tokens. The objective is to enhance OAuth security
>>>>>> by giving clients and users explicite control of the finalization of the
>>>>>> token life cycle, e.g. to implement application logout or access
>>>>>> authorization removal.
>>>>>> 
>>>>>> Please take the time to review the document (2 pages, essentially) and
>>>>>> give me feedback. My goal is that this draft becomes a working group
>>>>>> document.
>>>>>> 
>>>>>> regards,
>>>>>> Torsten.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>> 
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>>

v2.23.0 | Report a Bug | By Email