IETF Logo Mail Archive

Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review

William Mills <wmills_92105@yahoo.com> Sat, 26 January 2013 19:06 UTC

Return-Path: <wmills_92105@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC52E21F88B0 for <oauth@ietfa.amsl.com>; Sat, 26 Jan 2013 11:06:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.739
X-Spam-Level:
X-Spam-Status: No, score=-0.739 tagged_above=-999 required=5 tests=[BAYES_20=-0.74, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4t0DT2enbm30 for <oauth@ietfa.amsl.com>; Sat, 26 Jan 2013 11:06:18 -0800 (PST)
Received: from nm28-vm3.bullet.mail.ne1.yahoo.com (nm28-vm3.bullet.mail.ne1.yahoo.com [98.138.91.158]) by ietfa.amsl.com (Postfix) with ESMTP id 26B7721F8895 for <oauth@ietf.org>; Sat, 26 Jan 2013 11:06:16 -0800 (PST)
Received: from [98.138.90.53] by nm28.bullet.mail.ne1.yahoo.com with NNFMP; 26 Jan 2013 19:06:10 -0000
Received: from [98.138.89.172] by tm6.bullet.mail.ne1.yahoo.com with NNFMP; 26 Jan 2013 19:06:10 -0000
Received: from [127.0.0.1] by omp1028.mail.ne1.yahoo.com with NNFMP; 26 Jan 2013 19:06:10 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 587154.68423.bm@omp1028.mail.ne1.yahoo.com
Received: (qmail 89995 invoked by uid 60001); 26 Jan 2013 19:06:10 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1359227170; bh=apuDWyrqiO/yJilFZQ0jCoQAXMAMsDmndsJbP0JqfOw=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=TzydatAHnA3JeHShGEonuiYTwrsaGS9hpuOBq+YpuRpFwnz7dQAG8ZD7YAPmlDjWLxykV4ApaJUXixIpUKfN+ugebRRFI8ocxzaQdY7s/80Q6rdngkH3/zK1CEF+HlSZToRiRmEK43Su2GCTHsX6oKiHeoSKS+P2sJ4nbVbYh/Q=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=u2XNsfO5DhFVIBfQE6TCQ5jHoT6v7E+g9cRU5qUXztawmnzO694y2/tNzPYwrh2xjbWTkX1vW4VJoETD1rTxtJhn3wvvwB7F7mJYwZN2k4lE2SB/yZZ+Y761LJLKzwQ3qzXK1FEUTJAUT8oIi0MN+x3PINuH2frHbHZxhJ/h2QU= ;
X-YMail-OSG: jZsynR4VM1kVodxYchaPlLs1wxiSdkTb5w7W3dxtQLUHVjX kpIdeSy8Bm3ufD.24lVK_6rvVnxFeN.Goy8YaKaQGI0j624sFwdnoMg61Yqq VEuuamZfd2oNDm3ETTbbcvwChMjJMFhOLoZtQRqLqLdGgFV8vj7aEvj.CVfx W2fMPSTx0zC2ZAkiXuwHg0ymlYjO1UUqBBbeEzSKR7akaMbinBEZBNCQvTTg eDeaxPz8dygKjgBkKU5ovYyAuMLTQhckVXgnr4u3uru0ptM4.HCGOSvtlPxF .9YwAp8FUy998_pOIfSo2I1RLhYn4ceOg.ejEluICmh9B0MlUwt2IKwWFXHy y7n.Kgyxz2Oj8SD0zBSP905ZI0EGZW28xoA5H23S_5venVlggxmYhqyHtDq0 esaCcquAADIkFyo7g5NF3akamwwUJCN60v65JdeZQZJ.GHxK67A62YC.KyzK E90LLirFuR1rApJeak9CshsV5CJ1tOFFykwvRH2miq9ILNRgO9q4cP62eICI wN7PJsF1z_CwQltJW6Knt5J7z9_FP4y2gd.vN5VS3cBuzrF9mLBIbbkp.q8K uoQ--
Received: from [209.131.62.115] by web31805.mail.mud.yahoo.com via HTTP; Sat, 26 Jan 2013 11:06:09 PST
X-Rocket-MIMEInfo: 001.001, VGhlIGRyYWZ0IHNob3VsZCBwcm9iYWJseSByZWdpc3RlciBhIGxpbmsgcmVsYXRpb24gdHlwZS4gwqBJJ2QgcmVnaXN0ZXIgaXQgd2l0aCB0aGUgb3RoZXJzLCBidXQgdGhhdCBkcmFmdCBpcyBhbHJlYWR5IGluIHRoZSBpbmRpdmlkdWFsIHN1Ym1pc3Npb24gcGlwZWxpbmUuCgoKX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KIEZyb206IFRvcnN0ZW4gTG9kZGVyc3RlZHQgPHRvcnN0ZW5AbG9kZGVyc3RlZHQubmV0PgpUbzogQW50aG9ueSBOYWRhbGluIDx0b255bmFkQG1pY3Jvc29mdC5jb20.IAoBMAEBAQE-
X-Mailer: YahooMailWebService/0.8.131.499
References: <a7b55ec383284cee83ff199f0057acbb@BY2PR03MB041.namprd03.prod.outlook.com> <51042160.5020908@lodderstedt.net>
Message-ID: <1359227169.88220.YahooMailNeo@web31805.mail.mud.yahoo.com>
Date: Sat, 26 Jan 2013 11:06:09 -0800
From: William Mills <wmills_92105@yahoo.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>, Anthony Nadalin <tonynad@microsoft.com>
In-Reply-To: <51042160.5020908@lodderstedt.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-551393103-1944681668-1359227169=:88220"
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills_92105@yahoo.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Jan 2013 19:06:24 -0000

The draft should probably register a link relation type.  I'd register it with the others, but that draft is already in the individual submission pipeline.


________________________________
 From: Torsten Lodderstedt <torsten@lodderstedt.net>
To: Anthony Nadalin <tonynad@microsoft.com> 
Cc: "oauth@ietf.org" <oauth@ietf.org> 
Sent: Saturday, January 26, 2013 10:33 AM
Subject: Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review
 

Hi Tony,

thanks for your review comments.

*** @Justin: thanks for jumping in. ***

I would like to recap the results of the discussion so far and
    propose some changes.


Am 24.01.2013 00:54, schrieb Anthony Nadalin:

 
>Review:
> 
>1.       Since not stated I assume that the Revocation Endpoint can exist on a different server from the Authorization server (or is it assumed that they are 1), if so how is the Revocation Endpoint found?
Having read your arguments I realize the current text is a bit
    specific about the means to obtain the endpoint location (as it does
    not mention other means). 

current text:


The location of the token revocation endpoint can be found in the authorization server's documentation.  The token endpoint URI MAY include a query component.
proposal:

The means to obtain the location of the revocation endpoint is out of scope of this specification. There is a range of options. The client could, for example, 
automatically discover this information (along with other server 
andpoints and properties). Alternatively, the client developer could 
also get to know the endpoint location from the server's documentation. 
Note: As this endpoint is handling security sensible credentials, such information must be obtained from a trustworthy resource.

2.       Any token type that is supported can be revoked, including refresh token ?
The draft currently explicitly states support for access and refresh
    tokens. Do you want the draft to be weaker at this point and to
    allow for the revocation of any token?


3.       Why does one have to send the token, can’t this just be an auth_code ?
The draft is intended to support token revocation. I agree with
    Justin. Authz codes are short duration and one time use. I don't see
    a need to revoke them. I also don't see the need to use them to
    revoke the respective access token indirectly. 


4.       Says CORS SHOULD be supported, I think a MAY be better here since a site may have issues supporting CORS
I'm fine with MAY since I tend to see CORS as an optional feature.
    What do others think?


5.       Does not say but is the revocation to be immediate upon the return of the request ?
The client must assume the revocation is immediate upon the return
    of the request. I could explicitly express this in the text

current text


In the next step, the authorization server invalidates the token. The client MUST NOT use this token again after revocation.
Proposal

  In the next step, the authorization server invalidates the token. The 
client must assume the revocation is immediate upon the return of the 
request. The client MUST NOT use the token again after the revocation.

6.       Does the revocation of the access token also revoke the refresh token (if it was provided) ? Or is this a revocation policy decision ?
As described by Justin, there are two use cases:

- if the token passed to the request is a refresh token and the
    server supports access token revocation, the server SHOULD also
    revoke them.
- if the token passed to the request is an access token, the server
    may decide to revoke the respective refresh token as well.

I think every client must be prepared to cope with "sudden"
    invalidation of any token type. So having different server policies
    with respect to related tokens shouldn't create interop problems.

What changes would you expect?


7.       Section 2 says “the client MUST NOT use this token again”, well that seems odd, not sure this should be here as the client could try to use it gain, there is no need to put support in client to prevent this.
The client should discard the token immediately after revocation.

regards.
Torsten.


>
>
>_______________________________________________
OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email