Re: [OAUTH-WG] What should happen to access tokens when the end user credentials change

Sergey Beryozkin <sberyozkin@gmail.com> Tue, 06 August 2013 14:37 UTC

Message-ID: <52010A12.6020203@gmail.com>
Date: Tue, 06 Aug 2013 15:37:06 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
To: Barry Leiba <barryleiba@computer.org>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
In-Reply-To: <CAC4RtVAoSB5vQPiNB2JCBjJ8vOmvyKZSkAdwithzziXfjsku3w@mail.gmail.com>
References: <5200DD6C.3010003@gmail.com> <CAC4RtVAoSB5vQPiNB2JCBjJ8vOmvyKZSkAdwithzziXfjsku3w@mail.gmail.com>

Hi,

Thanks for your thoughts, comments below.
On 06/08/13 13:47, Barry Leiba wrote:
>> Suppose a given user has approved a client's grant request and that client
>> is now working with the access token tied to the user's login name (or some
>> other representation of that user's login credentials).
>>
>> What would be the recommended course of action when that user's credentials
>> (example, the user's login name) change, as far as the existing access
>> tokens tied to that user are concerned ?
>
> An interesting question.
>
> I think it's not the OAuth protocol's concern, but a document
> describing operations and deployment might suggest what to do.
> Groping here (I'm not a UI expert):
>
> I expect that some changes (and/or some reasons for changes) would
> make no difference to the authorizations the user has approved.  If I
> change my username from "barryleiba" to "bigkahuna" because I want to
> be cool, I would want my authorizations to persist.  If I change my
> password because I routinely change my password, I would want my
> authorizations to persist.  If I change my password because I think my
> old password was compromised, I would want to review my authorizations
> and make sure nothing untoward is there.  Alternatively, I might just
> want to invalidate all of them and re-establish them as needed
> afterward.
>
> So it would probably be good for the system in question to ask me what
> to do about the authorizations I've given out, and allow me to review
> them and address them one by one, and/or make a blanket decision for
> the lot.
>
> Maybe:
>
>      Your password has been changed.
>
>      Do you want to revoke authorizations you have approved?  [YES / NO]
>
> Or maybe:
>
>      Your password has been changed.
>
>      Do you want to review authorizations you have approved?  [YES / NO]

Letting the user decide what has to happen to authorizations in such 
cases seems like a nice idea. It would probably be good if the Security 
Considerations doc had a dedicated section, but either way I think I 
have my question answered :-)
Thanks, Sergey
>
> --
> Barry
>
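The policy sketched in this exchange, as an added example that is not part of the thread and not code from any OAuth implementation: a toy authorization server that keys issued tokens on a stable internal subject id rather than the login name (so a username change leaves existing authorizations working), plus a password-change hook that applies the "keep", "revoke all" or "review one by one" choice the reply proposes. The class and method names, the `reason` and `decision` values, and the default of revoking everything on a suspected compromise unless the user explicitly reviews are all assumptions made for the example.

```python
"""Added example: token lifecycle at an authorization server when end-user
credentials change. Not from the thread; all names and defaults are assumed."""
from dataclasses import dataclass
import secrets
import time
from typing import Dict, Iterable, List, Optional


@dataclass
class Grant:
    token: str
    sub: str            # stable internal user id; NOT the login name
    client_id: str
    scope: str
    issued_at: float
    revoked: bool = False


class AuthorizationServer:
    """Minimal in-memory AS: login names map to a stable sub, tokens map to grants."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}     # login name -> sub
        self.grants: Dict[str, Grant] = {}  # token -> Grant

    def register_user(self, login: str) -> str:
        sub = secrets.token_hex(8)          # opaque, never derived from the login
        self.users[login] = sub
        return sub

    def issue_token(self, login: str, client_id: str, scope: str) -> str:
        token = secrets.token_urlsafe(32)
        self.grants[token] = Grant(token, self.users[login], client_id, scope, time.time())
        return token

    def introspect(self, token: str) -> Optional[Grant]:
        """Resource-server view: an unknown or revoked token is simply 'inactive'."""
        grant = self.grants.get(token)
        return None if grant is None or grant.revoked else grant

    def rename_user(self, old_login: str, new_login: str) -> None:
        """Username change: tokens are bound to sub, so nothing is invalidated."""
        self.users[new_login] = self.users.pop(old_login)

    def authorizations_for(self, login: str) -> List[Grant]:
        """What a 'review your authorizations' screen would list for this user."""
        sub = self.users[login]
        return [g for g in self.grants.values() if g.sub == sub and not g.revoked]

    def on_password_change(self, login: str, reason: str,
                           decision: Optional[str] = None,
                           revoke_clients: Iterable[str] = ()) -> int:
        """Apply the user's choice after a password change; returns grants revoked.

        reason:   'routine' or 'compromise' (assumed vocabulary).
        decision: 'keep', 'revoke_all' or 'review' (revoke only revoke_clients).
        Assumed default: routine changes keep everything; a suspected
        compromise revokes everything unless the user chose to review.
        """
        if decision is None:
            decision = "revoke_all" if reason == "compromise" else "keep"
        if decision == "keep":
            return 0
        if decision == "revoke_all":
            targets = self.authorizations_for(login)
        elif decision == "review":
            wanted = set(revoke_clients)
            targets = [g for g in self.authorizations_for(login) if g.client_id in wanted]
        else:
            raise ValueError(f"unknown decision {decision!r}")
        for grant in targets:
            grant.revoked = True
        return len(targets)


if __name__ == "__main__":
    srv = AuthorizationServer()
    srv.register_user("barryleiba")
    tok = srv.issue_token("barryleiba", "calendar-app", "read")
    srv.rename_user("barryleiba", "bigkahuna")      # cosmetic rename: token survives
    print("after rename, active:", srv.introspect(tok) is not None)
    print("routine change revoked:", srv.on_password_change("bigkahuna", "routine"))
    print("compromise revoked:", srv.on_password_change("bigkahuna", "compromise"))
    print("after compromise, active:", srv.introspect(tok) is not None)
```

The one design choice worth noting is the indirection through `sub`: if tokens (or the grants behind them) were keyed on the login name, as the original question supposes, a rename would either orphan them or require a rewrite of every record, and a later user who takes the old name could inherit them. Keying on an opaque subject id removes both problems and leaves revocation as a pure policy decision.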