[OAUTH-WG] Assertion flow: please add optional refresh_token in response
Andrew Arnott <andrewarnott@gmail.com> Tue, 15 June 2010 03:31 UTC
Date: Mon, 14 Jun 2010 20:31:39 -0700
Message-ID: <AANLkTil1viRqVgwJzmq7N1W21TPeT5RuclBF5DmPvVVM@mail.gmail.com>
From: Andrew Arnott <andrewarnott@gmail.com>
To: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: [OAUTH-WG] Assertion flow: please add optional refresh_token in response
For an application I'm building, the installed client app will have intermittent windows of time where it can obtain a (non-OAuth) assertion for user identity. During this time, it seems appropriate for it to use the assertion flow to obtain an OAuth authorization so that it can impersonate the user. So far this is just standard Assertion Flow stuff.

But without a refresh_token, the app will break when the access token expires if the app doesn't have the ability at the moment (due to not being on the corporate network at the moment, for example) to obtain a new assertion. Since the security model for this app would certainly allow for a refresh_token to be issued from the original OAuth authorization server exchange, this would solve it, if the spec didn't specifically ban such a parameter.

Also, the user identity is asserted to the authorization server *not* through an *assertion* parameter but using Kerberos (I assume) as part of the HTTP protocol, so perhaps the spec for the assertion flow can specifically allow for assertions to be carried as part of the transport?

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
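The scenario in the message, as an added simulation that is not part of the original post or of any OAuth draft text: a minimal authorization server whose token endpoint accepts an assertion grant and, depending on a policy switch, also returns a refresh_token; and an installed client that can mint an assertion only while "on the corporate network". The HMAC-based assertion format, the `urn:example:corp-assertion` assertion type, the `mint_assertion` helper, the 5-minute assertion lifetime and the `simulate` driver are all constructed for this example; the grant_type, assertion, assertion_type, access_token, expires_in and refresh_token parameter names are assumed to match the draft the message discusses.

```python
import hmac
import hashlib
import secrets

# Constructed shared key between the hypothetical identity provider that mints
# assertions and the authorization server that verifies them.
ASSERTION_KEY = b"constructed-idp-signing-key"
ACCESS_TOKEN_LIFETIME = 3600   # seconds
ASSERTION_LIFETIME = 300       # assertions are deliberately short-lived


def mint_assertion(user: str, issued_at: int) -> str:
    """Stand-in for the non-OAuth identity assertion: 'user:issued_at:mac'."""
    payload = f"{user}:{issued_at}".encode()
    return f"{user}:{issued_at}:{hmac.new(ASSERTION_KEY, payload, hashlib.sha256).hexdigest()}"


class AuthorizationServer:
    def __init__(self, issue_refresh_tokens: bool):
        # The policy knob the message asks for: may the assertion grant
        # return a refresh_token alongside the access_token?
        self.issue_refresh_tokens = issue_refresh_tokens
        self.access_tokens = {}   # access_token -> (user, expiry)
        self.refresh_tokens = {}  # refresh_token -> user

    def _verify_assertion(self, assertion: str, now: int) -> str:
        user, issued_at, mac = assertion.split(":")
        payload = f"{user}:{issued_at}".encode()
        expected = hmac.new(ASSERTION_KEY, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected) or now - int(issued_at) > ASSERTION_LIFETIME:
            raise PermissionError("invalid_grant")
        return user

    def _issue(self, user: str, now: int) -> dict:
        token = secrets.token_urlsafe(16)
        self.access_tokens[token] = (user, now + ACCESS_TOKEN_LIFETIME)
        response = {"access_token": token, "expires_in": ACCESS_TOKEN_LIFETIME}
        if self.issue_refresh_tokens:
            refresh = secrets.token_urlsafe(16)
            self.refresh_tokens[refresh] = user
            response["refresh_token"] = refresh
        return response

    def token_endpoint(self, params: dict, now: int) -> dict:
        grant = params.get("grant_type")
        if grant == "assertion":
            return self._issue(self._verify_assertion(params["assertion"], now), now)
        if grant == "refresh_token":
            # Single-use refresh tokens: each use rotates to a new one.
            user = self.refresh_tokens.pop(params["refresh_token"], None)
            if user is None:
                raise PermissionError("invalid_grant")
            return self._issue(user, now)
        raise ValueError("unsupported_grant_type")

    def validate(self, access_token: str, now: int) -> str:
        user, expiry = self.access_tokens.get(access_token, (None, 0))
        if user is None or now >= expiry:
            raise PermissionError("invalid_token")
        return user


class InstalledClient:
    def __init__(self, server: AuthorizationServer, user: str):
        self.server, self.user = server, user
        self.access_token = self.refresh_token = None
        self.expiry = 0
        self.on_corporate_network = True  # a fresh assertion is obtainable only while True

    def get_access_token(self, now: int) -> str:
        if self.access_token and now < self.expiry:
            return self.access_token
        if self.refresh_token:
            req = {"grant_type": "refresh_token", "refresh_token": self.refresh_token}
        elif self.on_corporate_network:
            req = {"grant_type": "assertion", "assertion_type": "urn:example:corp-assertion",
                   "assertion": mint_assertion(self.user, now)}
        else:
            raise RuntimeError("token expired, no refresh_token, and no assertion obtainable")
        resp = self.server.token_endpoint(req, now)
        self.access_token, self.expiry = resp["access_token"], now + resp["expires_in"]
        self.refresh_token = resp.get("refresh_token")
        return self.access_token


def simulate(issue_refresh_tokens: bool) -> bool:
    """True if the client still gets a valid token after leaving the network and its access token expires."""
    server = AuthorizationServer(issue_refresh_tokens)
    client = InstalledClient(server, "alice")
    client.get_access_token(now=0)          # on the network: assertion flow
    client.on_corporate_network = False     # later: assertion no longer obtainable
    later = ACCESS_TOKEN_LIFETIME + 1
    try:
        return server.validate(client.get_access_token(now=later), later) == "alice"
    except RuntimeError:
        return False
```

`simulate(True)` succeeds because the client falls back to the refresh_token once the access token has expired and no assertion is available; `simulate(False)` fails at exactly the point the message describes. The design choice worth noting from the server side: a refresh_token extends the client's authorization well beyond the short life of the assertion that established it, so in this example refresh tokens are single-use and rotated on every exchange, and the assertion itself is bound to a tight issuance window, so that the longer-lived credential is the one the authorization server can revoke and audit.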