[OAUTH-WG] access tokens & refresh tokens of different scopes

Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com> Wed, 31 October 2012 17:01 UTC

From: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Wed, 31 Oct 2012 17:00:50 +0000
Message-ID: <59E470B10C4630419ED717AC79FCF9A92F166F7F@BY2PRD0411MB441.namprd04.prod.outlook.com>

I have a use case where I would like to request both an access token and a refresh token, but I would like the access token to have a scope less than that of the refresh token. It is standard OAuth behavior to use the refresh token to request additional access tokens (of equal or lesser scope), but the first access token that comes back always has the "master scope" of the refresh token.

For various security concerns, I always want my access tokens to be of a stricter scope than the refresh token. For example, consider the scenario of a structured (JWT) access token that does not require the RS to call back to the AS introspection endpoint. Following typical OAuth guidance, it is best practice to use short-lived access tokens with long-lived refresh tokens. But I'd rather a compromised access token not compromise access to ALL my resource servers.

Using the existing standard I could simply destroy the first access token when it is received and then request another of lesser scope using the refresh token, but now I've just wasted a round trip over the air, consuming bandwidth and adding latency to the end user experience.

Is there anybody in the working group that feels this would be valuable?


adam
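The two flows described in the message above, as an added example that is not part of the original post or of any IETF specification: a mock authorization server that issues an access token plus a refresh token, a refresh grant that honours a narrower `scope` parameter and rejects scope escalation (RFC 6749 section 6), a resource server that checks scope locally from a self-contained token, and a counter that makes the extra round trip of the workaround visible. The token format is a simplified HMAC-signed stand-in for a JWT, the signing key is constructed, and the `access_scope` parameter on `initial_grant` is a hypothetical extension modelling the poster's request, not standard OAuth behaviour.

```python
"""Added example (not from the original message): standard refresh-based
scope narrowing versus a hypothetical narrower first access token."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set, Tuple

AS_KEY = b"constructed-demo-signing-key"  # constructed for this example only


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_access_token(scope: Set[str], lifetime: int = 300) -> str:
    """Self-contained token: base64(claims).base64(HMAC-SHA256).
    Simplified JWT stand-in; the RS can verify it without calling the AS."""
    claims = {"scope": sorted(scope), "exp": int(time.time()) + lifetime}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(AS_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def parse_access_token(token: str) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(AS_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(body))
    if claims["exp"] <= int(time.time()):
        return None
    return claims


class AuthorizationServer:
    def __init__(self) -> None:
        self.refresh_tokens = {}  # opaque refresh token -> granted ("master") scope
        self.token_requests = 0   # round trips to the token endpoint

    def initial_grant(self, granted: Set[str], access_scope: Optional[Set[str]] = None) -> dict:
        """Standard behaviour: first access token carries the full granted scope.
        `access_scope` is the hypothetical extension from the post: a narrower
        scope for the first access token only."""
        self.token_requests += 1
        at_scope = set(granted) if access_scope is None else set(access_scope)
        if not at_scope <= set(granted):
            raise ValueError("invalid_scope: access scope exceeds granted scope")
        rt = secrets.token_urlsafe(32)
        self.refresh_tokens[rt] = set(granted)
        return {"access_token": mint_access_token(at_scope), "refresh_token": rt,
                "scope": sorted(at_scope)}

    def refresh_grant(self, refresh_token: str, scope: Optional[Set[str]] = None) -> dict:
        """RFC 6749 section 6: requested scope must not exceed the original grant."""
        self.token_requests += 1
        granted = self.refresh_tokens.get(refresh_token)
        if granted is None:
            raise PermissionError("invalid_grant")
        requested = granted if scope is None else set(scope)
        if not requested <= granted:
            raise PermissionError("invalid_scope")
        return {"access_token": mint_access_token(requested), "scope": sorted(requested)}


def rs_authorize(token: str, required: str) -> bool:
    """Resource server check: valid token and required scope present."""
    claims = parse_access_token(token)
    return claims is not None and required in claims["scope"]


def workaround_flow(as_: AuthorizationServer, granted: Set[str], wanted: Set[str]) -> Tuple[str, int]:
    """The post's workaround: discard the wide first token, refresh for a narrower one."""
    first = as_.initial_grant(granted)
    del first["access_token"]  # never used; its scope is wider than wanted
    second = as_.refresh_grant(first["refresh_token"], wanted)
    return second["access_token"], as_.token_requests


def proposed_flow(as_: AuthorizationServer, granted: Set[str], wanted: Set[str]) -> Tuple[str, int]:
    """The post's proposal (hypothetical): narrower first token, one round trip."""
    first = as_.initial_grant(granted, access_scope=wanted)
    return first["access_token"], as_.token_requests


if __name__ == "__main__":
    tok, trips = workaround_flow(AuthorizationServer(), {"read", "write", "admin"}, {"read"})
    print("workaround round trips:", trips, "admin allowed:", rs_authorize(tok, "admin"))
    tok, trips = proposed_flow(AuthorizationServer(), {"read", "write", "admin"}, {"read"})
    print("proposed round trips:", trips, "read allowed:", rs_authorize(tok, "read"))
```

The counter shows the cost the message complains about (two token-endpoint requests instead of one), while `refresh_grant` and `rs_authorize` show the part that stays the same in either flow: the refresh token's master scope is enforced only at the AS, and a leaked narrow access token grants nothing beyond the scope embedded in it.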