Re: [OAUTH-WG] Refresh Tokens

"William J. Mills" <wmills@yahoo-inc.com> Thu, 11 August 2011 20:58 UTC

References: <B26C1EF377CB694EAB6BDDC8E624B6E723B89BDE@SN2PRD0302MB137.namprd03.prod.outlook.com> <CA697C47.17C73%eran@hueniverse.com> <B26C1EF377CB694EAB6BDDC8E624B6E723B89DBF@SN2PRD0302MB137.namprd03.prod.outlook.com>
Message-ID: <1313096314.33672.YahooMailNeo@web31811.mail.mud.yahoo.com>
Date: Thu, 11 Aug 2011 13:58:34 -0700
From: "William J. Mills" <wmills@yahoo-inc.com>
To: Anthony Nadalin <tonynad@microsoft.com>, Eran Hammer-Lahav <eran@hueniverse.com>, Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <B26C1EF377CB694EAB6BDDC8E624B6E723B89DBF@SN2PRD0302MB137.namprd03.prod.outlook.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1739596267-1313096314=:33672"
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Refresh Tokens

All I'm saying is that anonymity is not unique to refresh tokens, it's true for refresh and access tokens.



________________________________
From: Anthony Nadalin <tonynad@microsoft.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>; Dick Hardt <dick.hardt@gmail.com>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Sent: Thursday, August 11, 2011 12:41 PM
Subject: Re: [OAUTH-WG] Refresh Tokens

Anonymity was certainly part of the design for WRAP

From: Eran Hammer-Lahav [mailto:eran@hueniverse.com]
Sent: Thursday, August 11, 2011 12:35 PM
To: Anthony Nadalin; Dick Hardt
Cc: OAuth WG (oauth@ietf.org)
Subject: Re: [OAUTH-WG] Refresh Tokens

Section 1.5 already covers refresh tokens. There are many use cases for refresh tokens. They are basically a protocol feature used to make scalability and security more flexible. Anonymity was never part of their design, and by the nature of this protocol, is more in the domain of the resource server (based on what information it exposes via its API). In fact, your email is the first such suggestion of anonymity.

EHL

From: Anthony Nadalin <tonynad@microsoft.com>
Date: Thu, 11 Aug 2011 11:15:28 -0700
To: Dick Hardt <dick.hardt@gmail.com>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Refresh Tokens

Many reasons, but none are explained in the specification
>
> From: Dick Hardt [mailto:dick.hardt@gmail.com]
> Sent: Thursday, August 11, 2011 10:51 AM
> To: Anthony Nadalin
> Cc: OAuth WG (oauth@ietf.org)
> Subject: Re: [OAUTH-WG] Refresh Tokens
>
> My recollection of refresh tokens was for security and revocation.
>
> security: By having a short lived access token, a compromised access token would limit the time an attacker would have access
>
> revocation: if the access token is self contained, authorization can be revoked by not issuing new access tokens. A resource does not need to query the authorization server to see if the access token is valid. This simplifies access token validation and makes it easier to scale and support multiple authorization servers. There is a window of time when an access token is valid, but authorization is revoked.
>
> On 2011-08-11, at 10:40 AM, Anthony Nadalin wrote:
>
> Nowhere in the specification is there explanation for refresh tokens. The reason that the Refresh token was introduced was for anonymity. The scenario is that a client asks the user for access. The user wants to grant the access but not tell the client the user's identity. By issuing the refresh token as an 'identifier' for the user (as well as other context data like the resource) it's possible now to let the client get access without revealing anything about the user. Recommend that the above explanation be included so developers understand why the refresh tokens are there.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
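Added example, not code from the thread or from any OAuth specification: a Python sketch of the security and revocation points Dick Hardt makes above. The access token is self-contained (claims plus an HMAC) so a resource server validates it locally, the refresh token is an opaque row the authorization server can delete, and `revocation_window()` shows the interval in which a revoked authorization's access token is still accepted. Token format, HMAC key, lifetimes and all names are assumptions for the illustration.

```python
import base64, hashlib, hmac, json, secrets

ACCESS_TTL = 600  # seconds; assumed short access-token lifetime

def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class AuthorizationServer:
    def __init__(self, key: bytes):
        self.key = key
        self.grants = {}  # opaque refresh token -> (subject, scope); revocation deletes the row

    def _mint_access(self, subject, scope, now):
        # Self-contained token: claims + HMAC, verifiable without calling back here (constructed format)
        body = _b64(json.dumps({"sub": subject, "scope": scope, "exp": now + ACCESS_TTL}, sort_keys=True).encode())
        return body + "." + _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())

    def issue(self, subject, scope, now):
        rt = secrets.token_urlsafe(32)
        self.grants[rt] = (subject, scope)
        return self._mint_access(subject, scope, now), rt

    def refresh(self, rt, now):
        grant = self.grants.get(rt)
        return None if grant is None else self._mint_access(*grant, now)

    def revoke(self, rt):
        self.grants.pop(rt, None)

def validate_access(key: bytes, token: str, now):
    # Resource-server side: signature and expiry checked locally, no query to the authorization server
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(hmac.new(key, body.encode(), hashlib.sha256).digest(), _unb64(sig)):
        return None
    claims = json.loads(_unb64(body))
    return claims if claims["exp"] > now else None

def revocation_window(key=b"constructed-demo-key"):
    # Timeline from the thread: revoke the grant, then watch the outstanding access token
    az = AuthorizationServer(key)
    at, rt = az.issue("user123", "read", now=1000)
    az.revoke(rt)
    return {
        "accepted_after_revoke": validate_access(key, at, now=1300) is not None,  # still inside TTL
        "accepted_after_expiry": validate_access(key, at, now=1000 + ACCESS_TTL) is not None,
        "refresh_after_revoke": az.refresh(rt, now=1300) is not None,  # grant gone: no new token
    }
```

The window between revoke and expiry is exactly the one the message describes; shortening `ACCESS_TTL` shrinks it at the cost of more refresh traffic.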