Re: [OAUTH-WG] Refresh Tokens

"William J. Mills" <wmills@yahoo-inc.com> Thu, 11 August 2011 18:13 UTC

Date: Thu, 11 Aug 2011 11:13:52 -0700
From: "William J. Mills" <wmills@yahoo-inc.com>
To: Anthony Nadalin <tonynad@microsoft.com>, "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>

Refresh tokens have a different main goal, in my opinion.  They are useful to allow a long lived durable replacement for username/password.  This means the user's primary credential is not stored in the client.  Refresh tokens can be revoked by the user without requiring password change.  They are also always used over a secure channel, and can fetch a (sometimes much) shorter lived token used over a clear channel.  Yahoo! Messenger and others use a model like this now.  Refresh tokens can also be issued to a particular client requiring authentication, so are not useful if the client authentication credential is not also compromised.

They do have the property of anonymity as well, but that's true of both the refresh token and access token, so it's not specific to refresh tokens.

-bill
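To make the properties listed in the reply above concrete (a long-lived refresh token bound to an authenticated client, revocable by the user without a password change, exchanged over the secure channel for a short-lived access token), here is an added example: a toy in-memory authorization server written for this page, not code from the thread or from any real implementation. The class, method names and token lifetimes are assumptions.

```python
import hmac
import secrets
import time

# Hypothetical in-memory authorization server (constructed example).
class AuthServer:
    def __init__(self, access_ttl=300):
        self.access_ttl = access_ttl   # short-lived access tokens (seconds)
        self.clients = {}              # client_id -> client_secret
        self.refresh = {}              # refresh_token -> {"user", "client_id", "revoked"}
        self.access = {}               # access_token -> {"user", "expires"}

    def register_client(self, client_id, client_secret):
        self.clients[client_id] = client_secret

    def issue_refresh_token(self, user, client_id):
        # Issued once in place of storing the user's password in the client;
        # bound to the client it was issued to.
        token = secrets.token_urlsafe(32)
        self.refresh[token] = {"user": user, "client_id": client_id, "revoked": False}
        return token

    def refresh_grant(self, refresh_token, client_id, client_secret, now=None):
        # The refresh exchange runs over TLS and requires client authentication,
        # so a refresh token alone (without the client credential) yields nothing.
        secret = self.clients.get(client_id)
        if secret is None or not hmac.compare_digest(secret, client_secret):
            return None
        rec = self.refresh.get(refresh_token)
        if rec is None or rec["revoked"] or rec["client_id"] != client_id:
            return None
        now = time.time() if now is None else now
        access = secrets.token_urlsafe(32)
        self.access[access] = {"user": rec["user"], "expires": now + self.access_ttl}
        return access

    def revoke_user_tokens(self, user):
        # The user revokes the long-lived grant without changing a password.
        # Already-issued access tokens simply age out at their short expiry.
        count = 0
        for rec in self.refresh.values():
            if rec["user"] == user and not rec["revoked"]:
                rec["revoked"] = True
                count += 1
        return count

    def validate_access(self, access_token, now=None):
        # Resource-server side check: valid only until the short expiry.
        now = time.time() if now is None else now
        rec = self.access.get(access_token)
        if rec is None or now >= rec["expires"]:
            return None
        return rec["user"]
```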



________________________________
From: Anthony Nadalin <tonynad@microsoft.com>
To: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Sent: Thursday, August 11, 2011 10:40 AM
Subject: [OAUTH-WG] Refresh Tokens
Nowhere in the specification is there an explanation for refresh tokens. The reason that the refresh token was introduced was for anonymity. The scenario is that a client asks the user for access. The user wants to grant the access but not tell the client the user's identity. By issuing the refresh token as an 'identifier' for the user (as well as other context data like the resource) it's possible now to let the client get access without revealing anything about the user. Recommend that the above explanation be included so developers understand why the refresh tokens are there.