IETF Logo Mail Archive

Re: [OAUTH-WG] Access Token Response without expires_in

Paul Madsen <paul.madsen@gmail.com> Tue, 17 January 2012 17:53 UTC

Return-Path: <paul.madsen@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2FC621F8582 for <oauth@ietfa.amsl.com>; Tue, 17 Jan 2012 09:53:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id flE8CFPtxVfZ for <oauth@ietfa.amsl.com>; Tue, 17 Jan 2012 09:53:23 -0800 (PST)
Received: from mail-bk0-f44.google.com (mail-bk0-f44.google.com [209.85.214.44]) by ietfa.amsl.com (Postfix) with ESMTP id B32DC21F8572 for <oauth@ietf.org>; Tue, 17 Jan 2012 09:53:22 -0800 (PST)
Received: by bkbzs2 with SMTP id zs2so158627bkb.31 for <oauth@ietf.org>; Tue, 17 Jan 2012 09:53:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=N+6aAvTt78BTkqZRdxhnd/ldS606XxxWJ3CPeU0smUo=; b=SxSblWScTgDrA8E1vckXeEd5CuQGm5zwdLBbDZKyTZtS0UKXlsB+2QHkQLETp4+JUR y7L/+WlV2iKRFTEBkhPhja+ylnrcX4RkdyQG/tMm744qJfu6FANW/58q+yBXLFttfKK2 Z52eE/6Wg6ctqQ04JnyEt7vUp3J/wvNFo9pZg=
Received: by 10.205.131.2 with SMTP id ho2mr7244313bkc.36.1326822800804; Tue, 17 Jan 2012 09:53:20 -0800 (PST)
Received: from pmadsen-mbp.local (CPE0022b0cb82b4-CM0012256eb4b4.cpe.net.cable.rogers.com. [72.136.168.159]) by mx.google.com with ESMTPS id ci12sm48702219bkb.13.2012.01.17.09.53.16 (version=SSLv3 cipher=OTHER); Tue, 17 Jan 2012 09:53:19 -0800 (PST)
Message-ID: <4F15B589.1060307@gmail.com>
Date: Tue, 17 Jan 2012 12:53:13 -0500
From: Paul Madsen <paul.madsen@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: Torsten Lodderstedt <torsten@lodderstedt.net>
References: <90C41DD21FB7C64BB94121FBBC2E723453A754C549@P3PW5EX1MB01.EX1.SECURESERVER.NET> <E4309A9E-9BC7-4547-918A-224B6233B25C@mitre.org> <4F157659.7050701@gmail.com> <1451834425-1326818330-cardhu_decombobulator_blackberry.rim.net-253428785-@b4.c11.bise7.blackberry> <4F15A655.4060404@gmail.com> <2fc6806a-8a15-4b97-87f2-3c0c0cbd3623@email.android.com>
In-Reply-To: <2fc6806a-8a15-4b97-87f2-3c0c0cbd3623@email.android.com>
Content-Type: multipart/alternative; boundary="------------070806040106090805010303"
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Access Token Response without expires_in
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jan 2012 17:53:24 -0000

thanks Torsten, but by the same logic we could say that each RS should 
document the lifetime of tokens it will accept and so the AS need not 
send expires_in .... - why rely on implicit understanding for one-time 
tokens when we dont for those that expire based on time?

I have no particular axe-to-grind here - just hoping for a consensus 
best practice for one-time tokens

paul

On 1/17/12 12:26 PM, Torsten Lodderstedt wrote:
> Hi Paul,
>
> that's not what I meant. The Client should know which tokens should be 
> one time usage based on the API description. The authz server must not 
> return expires_in because this would not make any sense in this case.
>
> regards,
> Torsten
>
>
>
>
> Paul Madsen <paul.madsen@gmail.com> schrieb:
>
>     Hi Torsten, yes the use case in question is payment-based as well.
>
>     Your suggestion for the client to infer one-time usage from a
>     missing expires_in contradicts the general consensus of this
>     thread does it not?
>
>     paul
>
>     On 1/17/12 11:38 AM, torsten@lodderstedt.net wrote:
>>     Hi,
>>
>>     isn't one-time semantics typically associated with certain requests on certain resources/resource types. I therefore would assume the client to know which tokens to use one-time only. The authz server should not return an expires_in paramter. We for example use one time access tokens for payment transactions.
>>
>>     What would such an extension specify?
>>
>>     regards,
>>     Torsten.
>>     Gesendet mit BlackBerry® Webmail von Telekom Deutschland
>>
>>     -----Original Message-----
>>     From: Paul Madsen<paul.madsen@gmail.com>
>>     Sender:oauth-bounces@ietf.org
>>     Date: Tue, 17 Jan 2012 08:23:37
>>     To: Richer, Justin P.<jricher@mitre.org>
>>     Cc: OAuth WG<oauth@ietf.org>
>>     Subject: Re: [OAUTH-WG] Access Token Response without expires_in
>>
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org
>>     https://www.ietf.org/mailman/listinfo/oauth
>>

v2.30.2 | Report a Bug | By Email | System Status