Re: [OAUTH-WG] What should happen to access tokens when the end user credentials change

Bill Mills <wmills_92105@yahoo.com> Wed, 07 August 2013 15:25 UTC

References: <5200DD6C.3010003@gmail.com> <CAC4RtVAoSB5vQPiNB2JCBjJ8vOmvyKZSkAdwithzziXfjsku3w@mail.gmail.com> <OFDF319810.D5537EBC-ON85257BC0.004AB0BC-85257BC0.004B203C@us.ibm.com>
Message-ID: <1375889079.85708.YahooMailNeo@web142805.mail.bf1.yahoo.com>
Date: Wed, 07 Aug 2013 08:24:39 -0700
From: Bill Mills <wmills_92105@yahoo.com>
To: Todd W Lainhart <lainhart@us.ibm.com>, Barry Leiba <barryleiba@computer.org>
In-Reply-To: <OFDF319810.D5537EBC-ON85257BC0.004AB0BC-85257BC0.004B203C@us.ibm.com>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>, "oauth-bounces@ietf.org" <oauth-bounces@ietf.org>
Subject: Re: [OAUTH-WG] What should happen to access tokens when the end user credentials change

Yahoo generally, but not always (there are special cases), invalidates all credentials on password change.  This applies to refresh tokens, access tokens, cookies, etc.  


________________________________
 From: Todd W Lainhart <lainhart@us.ibm.com>
To: Barry Leiba <barryleiba@computer.org> 
Cc: "<oauth@ietf.org>" <oauth@ietf.org>; oauth-bounces@ietf.org 
Sent: Wednesday, August 7, 2013 6:40 AM
Subject: Re: [OAUTH-WG] What should happen to access tokens when the end user credentials change
 
Assuming of course that the AS was notified by the IdP (or could inquire
from same, say, during introspection) that something about the user's
account had changed - there's nothing in the protocol that speaks to that.

Would anyone be surprised if the authorizations granted to the previous
confirmation of identity were now void?  That seems like the simplest way
to handle it.

Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
lainhart@us.ibm.com 

From: Barry Leiba <barryleiba@computer.org>
To: Sergey Beryozkin <sberyozkin@gmail.com>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Date: 08/06/2013 08:50 AM
Subject: Re: [OAUTH-WG] What should happen to access tokens when the end user credentials change
Sent by: oauth-bounces@ietf.org
________________________________

> Suppose a given user has approved a client's grant request and that client
> is now working with the access token tied to the user's login name (or some
> other representation of that user's login credentials).
>
> What would be the recommended course of action when that user's credentials
> (example, the user's login name) change, as far as the existing access
> tokens tied to that user are concerned?

An interesting question.

I think it's not the OAuth protocol's concern, but a document
describing operations and deployment might suggest what to do.
Groping here (I'm not a UI expert):

I expect that some changes (and/or some reasons for changes) would
make no difference to the authorizations the user has approved.  If I
change my username from "barryleiba" to "bigkahuna" because I want to
be cool, I would want my authorizations to persist.  If I change my
password because I routinely change my password, I would want my
authorizations to persist.  If I change my password because I think my
old password was compromised, I would want to review my authorizations
and make sure nothing untoward is there.  Alternatively, I might just
want to invalidate all of them and re-establish them as needed
afterward.

So it would probably be good for the system in question to ask me what
to do about the authorizations I've given out, and allow me to review
them and address them one by one, and/or make a blanket decision for
the lot.

Maybe:

   Your password has been changed.

   Do you want to revoke authorizations you have approved?  [YES / NO]

Or maybe:

   Your password has been changed.

   Do you want to review authorizations you have approved?  [YES / NO]

--
Barry
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

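An added sketch, not code from any poster or from the OAuth WG, of how an authorization server could act on the positions in this thread: tokens are bound to a stable subject id plus a per-user credential generation, so a username change alone keeps authorizations, a routine password change leaves them active but flagged for review at introspection, and a change reported as a compromise (or a blanket policy like the one Bill describes) revokes everything issued before it. The names AuthServer, credential_changed, Policy and ChangeReason are assumptions, as is the idea that the IdP notifies the AS through a hook.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional
class ChangeReason(Enum):
    ROUTINE = "routine"        # periodic rotation or a cosmetic username change
    COMPROMISE = "compromise"  # the user believes the old credential leaked
class Policy(Enum):
    REVOKE_ALL = "revoke_all"                      # blanket invalidation, as described for Yahoo
    REVOKE_ON_COMPROMISE = "revoke_on_compromise"  # Barry's per-reason choice, else flag for review

@dataclass
class UserAccount:
    username: str             # mutable login name; tokens never key on it
    cred_generation: int = 0  # bumped on every credential change
@dataclass
class AccessToken:
    subject_id: str       # stable account id the token is actually bound to
    cred_generation: int  # generation the token was issued under
    exp: int              # unix seconds
    revoked: bool = False

class AuthServer:  # assumed AS; credential_changed() is the IdP notification hook
    def __init__(self, policy: Policy):
        self.policy = policy
        self.users: Dict[str, UserAccount] = {}
        self.tokens: Dict[str, AccessToken] = {}

    def issue(self, token_id: str, subject_id: str, now: int, ttl: int = 3600) -> None:
        user = self.users[subject_id]
        self.tokens[token_id] = AccessToken(subject_id, user.cred_generation, now + ttl)

    def credential_changed(self, subject_id: str, reason: ChangeReason,
                           new_username: Optional[str] = None) -> None:
        user = self.users[subject_id]
        if new_username:
            user.username = new_username  # a rename alone never touches tokens
        user.cred_generation += 1
        if self.policy is Policy.REVOKE_ALL or reason is ChangeReason.COMPROMISE:
            for tok in self.tokens.values():  # hard-revoke every pre-change token
                if tok.subject_id == subject_id and tok.cred_generation < user.cred_generation:
                    tok.revoked = True
    def introspect(self, token_id: str, now: int) -> dict:
        """RFC 7662-style answer; surviving pre-change tokens are flagged for review."""
        tok = self.tokens.get(token_id)
        if tok is None or tok.revoked or now >= tok.exp:
            return {"active": False}
        user = self.users[tok.subject_id]
        return {"active": True, "sub": tok.subject_id, "username": user.username,
                "needs_review": tok.cred_generation < user.cred_generation}
```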