Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review

Anthony Nadalin <tonynad@microsoft.com> Wed, 23 January 2013 23:56 UTC

From: Anthony Nadalin <tonynad@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Wed, 23 Jan 2013 23:54:03 +0000
Message-ID: <a7b55ec383284cee83ff199f0057acbb@BY2PR03MB041.namprd03.prod.outlook.com>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>

Review:

1. Since it is not stated, I assume that the Revocation Endpoint can exist on a different server from the Authorization server (or is it assumed that they are one)? If so, how is the Revocation Endpoint found?

2. Any token type that is supported can be revoked, including refresh tokens?

3. Why does one have to send the token? Can't this just be an auth_code?

4. It says CORS SHOULD be supported; I think a MAY would be better here, since a site may have issues supporting CORS.

5. It does not say, but is the revocation to be immediate upon the return of the request?

6. Does the revocation of the access token also revoke the refresh token (if it was provided)? Or is this a revocation policy decision?

7. Section 2 says "the client MUST NOT use this token again". Well, that seems odd; I'm not sure this should be here, as the client could try to use it again. There is no need to put support in the client to prevent this.
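The review's points 2, 5 and 6 (which token types are revocable, whether revocation is immediate, and whether revoking one token cascades to related tokens) are easiest to reason about against a concrete endpoint. The following is an added example written for this page, not code from draft-ietf-oauth-revocation or the OAuth WG: a small in-memory model of a revocation endpoint that authenticates the client, requires `token`, accepts an optional `token_type_hint`, checks that the token belongs to the requesting client, revokes immediately, and applies a configurable cascade policy. The client ids and secrets, the `/revoke` path, the `cascade_access_to_refresh` flag, and the specific error codes returned are assumptions chosen for illustration, not text from the draft.

```python
"""Illustrative OAuth 2.0 token revocation endpoint.

Added example; not code from draft-ietf-oauth-revocation or the OAuth WG.
Client ids/secrets, the /revoke path, the cascade flag and the error-code
choices are assumptions made for this example.
"""
import base64
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed client registry: client_id -> client_secret (not real credentials).
CLIENTS = {"s6BhdRkqt3": "7Fjfp0ZBr1KtDRbnfVdmIw", "other-client": "other-secret"}


@dataclass
class Token:
    kind: str        # "access_token" or "refresh_token"
    client_id: str   # client the token was issued to
    grant_id: str    # authorization grant the token derives from
    revoked: bool = False


@dataclass
class RevocationEndpoint:
    clients: Dict[str, str]
    tokens: Dict[str, Token] = field(default_factory=dict)
    # Policy (assumption): revoking a refresh token always revokes the access
    # tokens of the same grant; revoking an access token revokes the grant's
    # refresh token only when this flag is set.
    cascade_access_to_refresh: bool = False

    def issue(self, client_id: str, grant_id: str) -> Tuple[str, str]:
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.tokens[access] = Token("access_token", client_id, grant_id)
        self.tokens[refresh] = Token("refresh_token", client_id, grant_id)
        return access, refresh

    def is_active(self, value: str) -> bool:
        t = self.tokens.get(value)
        return t is not None and not t.revoked

    def _client_ok(self, client_id: str, client_secret: str) -> bool:
        expected = self.clients.get(client_id)
        return expected is not None and hmac.compare_digest(expected, client_secret)

    def revoke(self, form: Dict[str, str], client_id: str, client_secret: str) -> Tuple[int, dict]:
        """Process one revocation request; returns (HTTP status, JSON body)."""
        if not self._client_ok(client_id, client_secret):
            return 401, {"error": "invalid_client"}
        value = form.get("token")
        if not value:
            return 400, {"error": "invalid_request"}
        hint = form.get("token_type_hint")
        if hint not in (None, "access_token", "refresh_token"):
            return 400, {"error": "unsupported_token_type"}
        # The hint only speeds up lookup; a wrong hint must not make a valid
        # token un-revocable, so the store is searched regardless of the hint.
        t = self.tokens.get(value)
        if t is None:
            return 200, {}   # unknown or expired token: nothing to do, and do not leak validity
        if t.client_id != client_id:
            return 400, {"error": "invalid_grant"}  # assumption: refuse cross-client revocation
        t.revoked = True     # effective immediately: is_active() now returns False
        if t.kind == "refresh_token" or self.cascade_access_to_refresh:
            for other in self.tokens.values():
                if other.grant_id == t.grant_id and other.client_id == client_id:
                    other.revoked = True
        return 200, {}


def revocation_request(token: str, client_id: str, client_secret: str,
                       hint: Optional[str] = None) -> str:
    """Raw HTTP request a client would send (HTTP Basic client authentication)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    params = {"token": token}
    if hint:
        params["token_type_hint"] = hint
    body = urlencode(params)
    return ("POST /revoke HTTP/1.1\r\nHost: server.example.com\r\n"
            f"Authorization: Basic {creds}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


def handle_raw(ep: RevocationEndpoint, raw: str) -> Tuple[int, dict]:
    """Parse the raw request produced above and dispatch it to the endpoint."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {k.lower(): v for k, v in (ln.split(": ", 1) for ln in head.split("\r\n")[1:])}
    auth = headers.get("authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    client_id, _, client_secret = base64.b64decode(auth[6:]).decode().partition(":")
    form = {k: v[0] for k, v in parse_qs(body).items()}
    return ep.revoke(form, client_id, client_secret)
```

Two design points worth noting. Ownership is checked before anything is revoked, so a client cannot revoke a token it did not receive (and cannot use the endpoint as an oracle for other clients' tokens); an unknown token still gets 200 so the response does not reveal whether a guessed value was ever valid. The cascade rule is deliberately a server-side policy knob, which is the answer a server implementer would give to point 6: the wire format carries only the token and a hint, and what else is invalidated is decided by the authorization server, not the client.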