Re: [OAUTH-WG] RFC 7009

Justin Richer <jricher@mit.edu> Tue, 06 June 2017 21:45 UTC

To: Brig Lamoreaux <Brig.Lamoreaux@microsoft.com>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
References: <CY4PR03MB2920241827103D122E9EC82085FF0@CY4PR03MB2920.namprd03.prod.outlook.com> <FAF2C6DD-0A7A-4BE1-BDD3-E54B822CCD4D@mit.edu> <DM5PR03MB292263A0429C2BEE01E95BB085CB0@DM5PR03MB2922.namprd03.prod.outlook.com>
From: Justin Richer <jricher@mit.edu>
Message-ID: <cc72fa5b-cd75-e6d6-7b80-af5e009c5cb2@mit.edu>
Date: Tue, 06 Jun 2017 17:45:39 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/m2luV-2H3uHU9DnYC_7jpvJDXu8>
Subject: Re: [OAUTH-WG] RFC 7009

7009 doesn't, really. If the client thinks its token is compromised, it 
can revoke it using 7009. If the server decides the token is 
compromised, it invalidates it on its own, not involving 7009. The 
client finds out the token isn't good anymore the next time it tries to 
use the token -- OAuth clients always need to be prepared for their 
token not working at some point. Good news is that the remedy for having 
a token that doesn't work is to just do OAuth again.

  -- Justin
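The behaviour described above, as an added example that is not part of the original message: a constructed in-memory authorization server models the RFC 7009 revocation endpoint (client revokes a token it believes compromised), a server-side invalidation that bypasses 7009 entirely, and a client that only learns the token is gone on its next use and simply does OAuth again. The class and function names are assumptions; the exchange is modelled as message contents rather than real HTTP.

```python
from urllib.parse import urlencode, parse_qs

# Constructed in-memory authorization server + resource server (not a real AS).
class AuthServer:
    def __init__(self):
        self.active = {}   # token -> client_id it was issued to
        self.counter = 0

    def issue(self, client_id):
        # Stand-in for a complete OAuth grant: mints a fresh token.
        self.counter += 1
        tok = f"tok{self.counter}"
        self.active[tok] = client_id
        return tok

    def revoke_endpoint(self, body, client_id):
        """RFC 7009 section 2.1: form-encoded 'token' (required) and
        'token_type_hint' (optional). Per section 2.2 an unknown or
        already-invalid token still yields HTTP 200."""
        form = parse_qs(body)
        token = form.get("token", [None])[0]
        if token is None:
            return 400, {"error": "invalid_request"}
        # Only the client the token was issued to may revoke it (section 2.1).
        # Modelling choice here: a foreign token is treated like an unknown one.
        if self.active.get(token) == client_id:
            del self.active[token]
        return 200, {}

    def server_side_invalidate(self, token):
        # The AS decides on its own that the token is bad: no 7009 involved.
        self.active.pop(token, None)

    def resource(self, token):
        # Resource server check; RFC 6750 style invalid_token on failure.
        if token in self.active:
            return 200, "protected data"
        return 401, 'WWW-Authenticate: Bearer error="invalid_token"'

def revocation_request(token, hint="access_token"):
    # Body of the POST a client sends to the revocation endpoint.
    return urlencode({"token": token, "token_type_hint": hint})

def client_fetch(asrv, client_id, token):
    """Use the token; if it stopped working, do OAuth again and retry once."""
    status, body = asrv.resource(token)
    if status == 401:
        token = asrv.issue(client_id)
        status, body = asrv.resource(token)
    return status, body, token
```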


On 6/6/2017 5:43 PM, Brig Lamoreaux wrote:
>
> Thanks for the reply. How does the RFC address a token that has been 
> compromised?
>
> *From:*Justin Richer [mailto:jricher@mit.edu]
> *Sent:* Tuesday, June 6, 2017 9:12 AM
> *To:* Brig Lamoreaux <Brig.Lamoreaux@microsoft.com>
> *Cc:* <oauth@ietf.org> <oauth@ietf.org>
> *Subject:* Re: [OAUTH-WG] RFC 7009
>
> OAuth doesn’t specify any specific timeout period, it’s up to the AS 
> that issues the token to determine how long the token is good for. 
> RFC7009 isn’t about timeout periods, it’s about the client proactively 
> telling the AS that it doesn’t need a token anymore and the AS should 
> throw it out, likely prior to any timeouts.
>
>  — Justin
>
>     On May 25, 2017, at 12:23 PM, Brig Lamoreaux
>     <Brig.Lamoreaux@microsoft.com
>     <mailto:Brig.Lamoreaux@microsoft.com>> wrote:
>
>     Hi,
>
>
>     What is the specified timeout period to invalidate the token?
>
>     Brig Lamoreaux
>
>     Data Solution Architect
>
>     brig.lamoreaux@microsoft.com <mailto:brig.lamoreaux@microsoft.com>
>
>     480-828-8707
>
>     US Desert/Mountain Tempe
>