Re: [OAUTH-WG] Refresh Tokens
Barry Leiba <barryleiba@computer.org> Fri, 12 August 2011 01:00 UTC
From: Barry Leiba <barryleiba@computer.org>
To: OAuth WG <oauth@ietf.org>

This seems to need a chair to step in. Tony is taking a strong stand and maintaining it:

On Thu, Aug 11, 2011 at 1:40 PM, Anthony Nadalin <tonynad@microsoft.com> wrote:
> Nowhere in the specification is there explanation for refresh tokens. The
> reason that the Refresh token was introduced was for anonymity. The scenario
> is that a client asks the user for access. The user wants to grant the
> access but not tell the client the user's identity. By issuing the refresh
> token as an 'identifier' for the user (as well as other context data like
> the resource) it's possible now to let the client get access without
> revealing anything about the user. Recommend that the above explanation be
> included so developers understand why the refresh tokens are there.

So far, though it's been only half a day, I've seen several posts disagreeing with Tony, and none supporting any change to the text for this. We're close to ending WGLC, so please post here if you agree with Tony's suggested change. Otherwise, it looks like consensus is against.

Barry, as chair