Return-Path: <paul.madsen@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
 with ESMTP id D2FC621F8582 for <oauth@ietfa.amsl.com>;
 Tue, 17 Jan 2012 09:53:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level: 
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5
 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com
 [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id flE8CFPtxVfZ for
 <oauth@ietfa.amsl.com>; Tue, 17 Jan 2012 09:53:23 -0800 (PST)
Received: from mail-bk0-f44.google.com (mail-bk0-f44.google.com
 [209.85.214.44]) by ietfa.amsl.com (Postfix) with ESMTP id B32DC21F8572 for
 <oauth@ietf.org>; Tue, 17 Jan 2012 09:53:22 -0800 (PST)
Received: by bkbzs2 with SMTP id zs2so158627bkb.31 for <oauth@ietf.org>;
 Tue, 17 Jan 2012 09:53:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
 h=message-id:date:from:user-agent:mime-version:to:cc:subject
 :references:in-reply-to:content-type;
 bh=N+6aAvTt78BTkqZRdxhnd/ldS606XxxWJ3CPeU0smUo=;
 b=SxSblWScTgDrA8E1vckXeEd5CuQGm5zwdLBbDZKyTZtS0UKXlsB+2QHkQLETp4+JUR
 y7L/+WlV2iKRFTEBkhPhja+ylnrcX4RkdyQG/tMm744qJfu6FANW/58q+yBXLFttfKK2
 Z52eE/6Wg6ctqQ04JnyEt7vUp3J/wvNFo9pZg=
Received: by 10.205.131.2 with SMTP id ho2mr7244313bkc.36.1326822800804;
 Tue, 17 Jan 2012 09:53:20 -0800 (PST)
Received: from pmadsen-mbp.local
 (CPE0022b0cb82b4-CM0012256eb4b4.cpe.net.cable.rogers.com. [72.136.168.159])
 by mx.google.com with ESMTPS id ci12sm48702219bkb.13.2012.01.17.09.53.16
 (version=SSLv3 cipher=OTHER); Tue, 17 Jan 2012 09:53:19 -0800 (PST)
Message-ID: <4F15B589.1060307@gmail.com>
Date: Tue, 17 Jan 2012 12:53:13 -0500
From: Paul Madsen <paul.madsen@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6;
 rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: Torsten Lodderstedt <torsten@lodderstedt.net>
References: <90C41DD21FB7C64BB94121FBBC2E723453A754C549@P3PW5EX1MB01.EX1.SECURESERVER.NET>
 <E4309A9E-9BC7-4547-918A-224B6233B25C@mitre.org> <4F157659.7050701@gmail.com>
 <1451834425-1326818330-cardhu_decombobulator_blackberry.rim.net-253428785-@b4.c11.bise7.blackberry>
 <4F15A655.4060404@gmail.com>
 <2fc6806a-8a15-4b97-87f2-3c0c0cbd3623@email.android.com>
In-Reply-To: <2fc6806a-8a15-4b97-87f2-3c0c0cbd3623@email.android.com>
Content-Type: multipart/alternative;
 boundary="------------070806040106090805010303"
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Access Token Response without expires_in
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>,
 <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>,
 <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jan 2012 17:53:24 -0000

This is a multi-part message in MIME format.
--------------070806040106090805010303
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

thanks Torsten, but by the same logic we could say that each RS should 
document the lifetime of tokens it will accept and so the AS need not 
send expires_in .... - why rely on implicit understanding for one-time 
tokens when we dont for those that expire based on time?

I have no particular axe-to-grind here - just hoping for a consensus 
best practice for one-time tokens

paul

On 1/17/12 12:26 PM, Torsten Lodderstedt wrote:
> Hi Paul,
>
> that's not what I meant. The Client should know which tokens should be 
> one time usage based on the API description. The authz server must not 
> return expires_in because this would not make any sense in this case.
>
> regards,
> Torsten
>
>
>
>
> Paul Madsen <paul.madsen@gmail.com> schrieb:
>
>     Hi Torsten, yes the use case in question is payment-based as well.
>
>     Your suggestion for the client to infer one-time usage from a
>     missing expires_in contradicts the general consensus of this
>     thread does it not?
>
>     paul
>
>     On 1/17/12 11:38 AM, torsten@lodderstedt.net wrote:
>>     Hi,
>>
>>     isn't one-time semantics typically associated with certain requests on certain resources/resource types. I therefore would assume the client to know which tokens to use one-time only. The authz server should not return an expires_in paramter. We for example use one time access tokens for payment transactions.
>>
>>     What would such an extension specify?
>>
>>     regards,
>>     Torsten.
>>     Gesendet mit BlackBerry® Webmail von Telekom Deutschland
>>
>>     -----Original Message-----
>>     From: Paul Madsen<paul.madsen@gmail.com>
>>     Sender:oauth-bounces@ietf.org
>>     Date: Tue, 17 Jan 2012 08:23:37
>>     To: Richer, Justin P.<jricher@mitre.org>
>>     Cc: OAuth WG<oauth@ietf.org>
>>     Subject: Re: [OAUTH-WG] Access Token Response without expires_in
>>
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org
>>     https://www.ietf.org/mailman/listinfo/oauth
>>

--------------070806040106090805010303
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font face="Arial">thanks Torsten, but by the same logic we could
      say that each RS should document the lifetime of tokens it will
      accept and so the AS need not send expires_in .... - why rely on
      implicit understanding for one-time tokens when we dont for those
      that expire based on time?</font><br>
    <br>
    I have no particular axe-to-grind here - just hoping for a consensus
    best practice for one-time tokens<br>
    <br>
    paul<br>
    <br>
    On 1/17/12 12:26 PM, Torsten Lodderstedt wrote:
    <blockquote
      cite="mid:2fc6806a-8a15-4b97-87f2-3c0c0cbd3623@email.android.com"
      type="cite">
      <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
      Hi Paul,<br>
      <br>
      that's not what I meant. The Client should know which tokens
      should be one time usage based on the API description. The authz
      server must not return expires_in because this would not make any
      sense in this case.<br>
      <br>
      regards,<br>
      Torsten<br>
      <br>
      <br>
      <div class="gmail_quote"><br>
        <br>
        Paul Madsen <a class="moz-txt-link-rfc2396E" href="mailto:paul.madsen@gmail.com">&lt;paul.madsen@gmail.com&gt;</a> schrieb:
        <blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
          0.8ex; border-left: 1px solid rgb(204, 204, 204);
          padding-left: 1ex;"> <font face="Arial">Hi Torsten, yes the
            use case in question is payment-based as well. <br>
            <br>
            Your suggestion for the client to infer one-time usage from
            a missing expires_in contradicts the general consensus of
            this thread does it not?<br>
            <br>
            paul<br>
          </font><br>
          On 1/17/12 11:38 AM, <a moz-do-not-send="true"
            class="moz-txt-link-abbreviated"
            href="mailto:torsten@lodderstedt.net">torsten@lodderstedt.net</a>
          wrote:
          <blockquote
cite="mid:1451834425-1326818330-cardhu_decombobulator_blackberry.rim.net-253428785-@b4.c11.bise7.blackberry"
            type="cite">
            <pre wrap="">Hi,

isn't one-time semantics typically associated with certain requests on certain resources/resource types. I therefore would assume the client to know which tokens to use one-time only. The authz server should not return an expires_in paramter. We for example use one time access tokens for payment transactions.  

What would such an extension specify?

regards,
Torsten.
Gesendet mit BlackBerry® Webmail von Telekom Deutschland  

-----Original Message-----
From: Paul Madsen <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:paul.madsen@gmail.com">&lt;paul.madsen@gmail.com&gt;</a>
Sender: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:oauth-bounces@ietf.org">oauth-bounces@ietf.org</a>
Date: Tue, 17 Jan 2012 08:23:37 
To: Richer, Justin P.<a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:jricher@mitre.org">&lt;jricher@mitre.org&gt;</a>
Cc: OAuth WG<a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:oauth@ietf.org">&lt;oauth@ietf.org&gt;</a>
Subject: Re: [OAUTH-WG] Access Token Response without expires_in

_______________________________________________
OAuth mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>

</pre>
          </blockquote>
        </blockquote>
      </div>
    </blockquote>
  </body>
</html>

--------------070806040106090805010303--