Re: [OAUTH-WG] I-D on token revocation submitted
Brian Campbell <bcampbell@pingidentity.com> Thu, 09 September 2010 22:39 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C72EC3A6914 for <oauth@core3.amsl.com>; Thu, 9 Sep 2010 15:39:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.812
X-Spam-Level:
X-Spam-Status: No, score=-5.812 tagged_above=-999 required=5 tests=[AWL=0.165, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ntL3DeekLBEb for <oauth@core3.amsl.com>; Thu, 9 Sep 2010 15:39:11 -0700 (PDT)
Received: from na3sys009aog103.obsmtp.com (na3sys009aog103.obsmtp.com [74.125.149.71]) by core3.amsl.com (Postfix) with SMTP id D63B83A6953 for <oauth@ietf.org>; Thu, 9 Sep 2010 15:38:57 -0700 (PDT)
Received: from source ([209.85.161.54]) by na3sys009aob103.postini.com ([74.125.148.12]) with SMTP ID DSNKTIliHIXJR2cdz+4hP0KKxsuyOWn2flRW@postini.com; Thu, 09 Sep 2010 15:39:25 PDT
Received: by mail-fx0-f54.google.com with SMTP id 4so1974601fxm.27 for <oauth@ietf.org>; Thu, 09 Sep 2010 15:39:24 -0700 (PDT)
Received: by 10.223.120.132 with SMTP id d4mr357517far.3.1284071964140; Thu, 09 Sep 2010 15:39:24 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.114.10 with HTTP; Thu, 9 Sep 2010 15:38:54 -0700 (PDT)
In-Reply-To: <4C891EEA.80502@gmx.de>
References: <4C86BAF4.3060906@lodderstedt.net> <4C891EEA.80502@gmx.de>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 09 Sep 2010 16:38:54 -0600
Message-ID: <AANLkTinUBD77ZtaHOD5CSGv+XAUuzSS0+NeyM5KLyJ8K@mail.gmail.com>
To: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [OAUTH-WG] I-D on token revocation submitted
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Sep 2010 22:39:13 -0000
Isn't that kind of situation exactly the reason that access token revocation was made optional? Invalidation of access tokens on revocation of a refresh token is only a MUST, if the deployment already supports revocation of access tokens. And if revocation of access tokens is supported, I'd assume the deployment already has an efficient means of invalidating them. Editorial note: shouldn't the "must" in that text be a "MUST"? On Thu, Sep 9, 2010 at 11:52 AM, Stefanie Dronia <sDronia@gmx.de> wrote: > > Hallo Torsten, > > first of all thanks for providing this draft on the mailing list. > Except for the following words, the draft is consistent. It defines the end of a token's life cycle, intended by the user. > > While reading it, I think that the following part of chapter 2 (Token Revocation) might cause problems a a certain situation: > > "If the processed token is a refresh token and the authorization > server supports the revocation of access tokens, then the > authorization server must also invalidate all access tokens issued > for that refresh token." > > Situation: > Authz Server(s) and Resource Server(s) are separate systems that are set in an open triangle (no communication between them e.g. to verify access tokens). > > Problem: > How does the Resource Server(s) know that an access token was revoked and is not valid to access resources any more? > => Communication between the servers necessary > => benefit of open triangle architecture are lost for this case. > I think that this is a problem with large scale systems. > > Although, if there are several Authz Server(s) , then there has to be communication between there or a shared data base to assure that revoked (refresh) tokens are invalid. > > => Is this requirement really a MUST? > I don't think so. > > Any thoughts? > > Regards, > Stefanie > > > > > Am 08.09.2010 00:21, schrieb Torsten Lodderstedt: >> >> I just submited the first version of my I-D for token revocation. >> >> Link: https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-revocation/ >> >> The I-D proposes an additional endpoint, which can be used to revoke both refresh and access tokens. The objective is to enhance OAuth security by giving clients and users explicite control of the finalization of the token life cycle, e.g. to implement application logout or access authorization removal. >> >> Please take the time to review the document (2 pages, essentially) and give me feedback. My goal is that this draft becomes a working group document. >> >> regards, >> Torsten. >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] I-D on token revocation submitted Torsten Lodderstedt
- Re: [OAUTH-WG] I-D on token revocation submitted Stefanie Dronia
- Re: [OAUTH-WG] I-D on token revocation submitted Brian Campbell
- Re: [OAUTH-WG] I-D on token revocation submitted Stefanie Dronia
- Re: [OAUTH-WG] I-D on token revocation submitted Torsten Lodderstedt
- Re: [OAUTH-WG] I-D on token revocation submitted Torsten Lodderstedt
- Re: [OAUTH-WG] I-D on token revocation submitted Brian Campbell
- Re: [OAUTH-WG] I-D on token revocation submitted Torsten Lodderstedt