[OAUTH-WG] Alissa Cooper's Discuss on draft-ietf-oauth-introspection-09: (with DISCUSS and COMMENT)

"Alissa Cooper" <alissa@cooperw.in> Mon, 08 June 2015 16:40 UTC

Return-Path: <alissa@cooperw.in>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 857E11B3078; Mon, 8 Jun 2015 09:40:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.1
X-Spam-Status: No, score=-1.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id tPdKgoF5mrkG; Mon, 8 Jun 2015 09:40:44 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 485181A924A; Mon, 8 Jun 2015 09:40:44 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Alissa Cooper <alissa@cooperw.in>
To: The IESG <iesg@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.0.3.p2
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20150608164044.24189.13985.idtracker@ietfa.amsl.com>
Date: Mon, 08 Jun 2015 09:40:44 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/m31gghY5z16sKPvTlCfRNz8kBSk>
X-Mailman-Approved-At: Wed, 10 Jun 2015 06:21:52 -0700
Cc: draft-ietf-oauth-introspection@ietf.org, draft-ietf-oauth-introspection.ad@ietf.org, oauth-chairs@ietf.org, draft-ietf-oauth-introspection.shepherd@ietf.org, oauth@ietf.org
Subject: [OAUTH-WG] Alissa Cooper's Discuss on draft-ietf-oauth-introspection-09: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jun 2015 16:40:45 -0000

Alissa Cooper has entered the following ballot position for
draft-ietf-oauth-introspection-09: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:


= Section 2.1 =
"The endpoint MAY allow other parameters to provide further context to
   the query.  For instance, an authorization service may need to know
   the IP address of the client accessing the protected resource in
   order to determine the appropriateness of the token being presented."

How does the protected resource know whether it needs to include such
additional parameters or not? What is meant by the "appropriateness" of
the token? 

In general if we're talking about a piece of data that could be sensitive
like client IP address, it would be better for there to be specific
guidelines to direct protected resources as to when this information
needs to be sent. I note that Section 5 basically says such
considerations are out of scope, but if this specific example is to be
provided here then they seem in scope to me.

= Section 5 =
"One way to limit disclosure is to require
   authorization to call the introspection endpoint and to limit calls
   to only registered and trusted protected resource servers."

I thought Section 2.1 made authorization to call the introspection
endpoint mandatory. This makes it sound like it's optional. Which is it?


= Section 1.1 =
There is no reference to RFC2119 here, which may be okay but most
documents include it if they use normative language (I think).

= Section 2 =
   definition of an active token is up to the authorization server, but
   this is commonly a token that has been issued by this authorization
   server, is not expired, has not been revoked, and is within the
   purview of the protected resource making the introspection call."

Is "within the purview" a term of art for OAuth 2.0? Is there a more
specific way to describe what is meant here? Also, I note that in the
description of the "active" member in Section 2.2, this criterion is not
listed. It seems like these should be aligned.

= Section 2.2 =
"Note that in order to avoid disclosing too much of the
   authorization server's state to a third party, the authorization
   server SHOULD NOT include any additional information about an
   inactive token, including why the token is inactive."

Seems like this should be a MUST NOT unless there's some reason for
providing anything other than active set to false. Same comment applies
in Section 4.

= Section 2.3 =
It seems like there is another error condition and I'm wondering if its
handling needs to be specified. Per my question in Section 2.1, if it's
possible that the request is properly formed but is missing some
additional information that the authorization server needs to evaluate
it, should there be an error condition specified for that case?