Re: [OAUTH-WG] Clarification in Section 2.0 of draft-ietf-oauth-revocation-00
George Fletcher <gffletch@aol.com> Mon, 11 June 2012 21:11 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0C0521F845C for <oauth@ietfa.amsl.com>; Mon, 11 Jun 2012 14:11:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.739
X-Spam-Level:
X-Spam-Status: No, score=-0.739 tagged_above=-999 required=5 tests=[BAYES_20=-0.74, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KCN7e+vS1qO3 for <oauth@ietfa.amsl.com>; Mon, 11 Jun 2012 14:11:00 -0700 (PDT)
Received: from imr-da04.mx.aol.com (imr-da04.mx.aol.com [205.188.105.146]) by ietfa.amsl.com (Postfix) with ESMTP id 78C7F21F844E for <oauth@ietf.org>; Mon, 11 Jun 2012 14:11:00 -0700 (PDT)
Received: from mtaout-mb03.r1000.mx.aol.com (mtaout-mb03.r1000.mx.aol.com [172.29.41.67]) by imr-da04.mx.aol.com (8.14.1/8.14.1) with ESMTP id q5BLAnwI009663; Mon, 11 Jun 2012 17:10:49 -0400
Received: from palantir.office.aol.com (palantir.office.aol.com [10.181.186.254]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-mb03.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id BE629E0001EA; Mon, 11 Jun 2012 17:10:48 -0400 (EDT)
Message-ID: <4FD65ED8.6000507@aol.com>
Date: Mon, 11 Jun 2012 17:10:48 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
MIME-Version: 1.0
To: oauth@ietf.org
References: <CAA=QE7P_Mmak9_OvqQ4V33e-UHP-n_8oPNiHiYsx=P4syeDz-Q@mail.gmail.com> <4FD65080.9040305@gmail.com>
In-Reply-To: <4FD65080.9040305@gmail.com>
Content-Type: multipart/alternative; boundary="------------070703000700030003040407"
x-aol-global-disposition: G
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20110426; t=1339449048; bh=vKl1zYSfJRMVViEIdpOGYcsnOQ6mjG3iHB97qnsCYOI=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=G2mYAn74z8s/oxxq+6nu8dBTFBjLBl6fDz+zijyyxhM/xINbxU1l/xgZCXznvlxfG oghZKjH0VvevYN4jxFgy721w7PUcMaXfQmNf62Fzr3IojL2ssOfJVkEbmhjX990Tel jYsYxaRCNJNenU8mIp/ZJ0pkoFW15Ee/L3S9TenQ=
X-AOL-SCOLL-SCORE: 0:2:486304704:93952408
X-AOL-SCOLL-URL_COUNT: 0
x-aol-sid: 3039ac1d29434fd65ed84265
X-AOL-IP: 10.181.186.254
Subject: Re: [OAUTH-WG] Clarification in Section 2.0 of draft-ietf-oauth-revocation-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jun 2012 21:11:05 -0000
Paul, I think I came to a different conclusion... If I use the Resource Owner Password Credential flow and get back both an access_token and a refresh_token then I would assume that the issued access_token is tied in some way to the refresh_token. If the refresh_token is revoked, then my expectation is that the simultaneous issued access_token would also be revoked. I read the spec as having a typo that should read... If the processed token is a refresh token and the authorization server supports the revocation of access tokens, then the authorization server SHOULD also invalidate all access tokens issued *based on* that refresh token. Or maybe better... "invalidate all access tokens associated/tied-to that refresh token". Now in the case that the client is retrieving a new refresh_token and access_token, then the new ones should be valid and the old ones potentially revoked. Thanks, George On 6/11/12 4:09 PM, Paul Madsen wrote: > Hi Doug, my interpretation is that 'for that refresh token' means > those access tokens issued in exchange for that refresh token. > > Consequently, for the cases you cite below, the access tokens at the > same time as a given refresh token need not be invalidated when that > refresh token is 'processed' > > I assume the justification for the rule is that an access token issued > in exchange for a given refresh token may have been compromised if the > refresh token had been. But there is no such causal relationship > between an access token & refresh token issued at same time > > paul > > On 6/11/12 3:31 PM, doug foiles wrote: >> Hi all, >> >> I was hoping to get some clarity on a statement in section 2.0 of >> draft-ietf-oauth-revocation-00. >> >> If the processed token is a refresh token and the authorization >> server supports the revocation of access tokens, then the >> authorization server SHOULD also invalidate all access tokens issued >> for that refresh token. >> >> My question is on the statement "access tokens issued for that >> refresh token". What does it mean to have an Access Token "issued" >> for a Refresh Token? >> >> This specific case is clear to me. I am refreshing an Access Token >> where I keep the same Refresh Token that I used to generate the new >> Access Token. I see the new Access Token was issued for that Refresh >> Token. >> However these two cases are a bit muddy to me. Let's say I am using >> the "Resource Owner Password Credentials Grant" where the Access >> Token Response returns both an Access Token and Refresh Token. Would >> the Access Token have been issued for that Refresh Token? And let's >> say I am refreshing an Access Token but choose to create a new >> Refresh Token and immediately revoke the original Refresh Token. >> Would the newly created Access Token have been issued for the >> original Refresh Token or the new one that was created. >> If a client would revoke a Refresh Token ... I would like the Access >> Tokens in all of the above cases to be automatically revoked as well. >> I just want to make sure I understand the model. Thanks. >> Doug Foiles >> Intuit >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Clarification in Section 2.0 of draft-… doug foiles
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… Paul Madsen
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… George Fletcher
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… Paul Madsen
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… doug foiles
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… Justin Richer
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… doug foiles
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… Torsten Lodderstedt
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… Paul Madsen
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… doug foiles