Re: [OAUTH-WG] Clarification in Section 2.0 of draft-ietf-oauth-revocation-00
Justin Richer <jricher@mitre.org> Tue, 12 June 2012 13:37 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9568E21F8541 for <oauth@ietfa.amsl.com>; Tue, 12 Jun 2012 06:37:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id URSa5Vh4p94Y for <oauth@ietfa.amsl.com>; Tue, 12 Jun 2012 06:37:01 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id B7D0821F85A1 for <oauth@ietf.org>; Tue, 12 Jun 2012 06:37:00 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 1624521B0F2F for <oauth@ietf.org>; Tue, 12 Jun 2012 09:37:00 -0400 (EDT)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 09C3521B0F1B for <oauth@ietf.org>; Tue, 12 Jun 2012 09:37:00 -0400 (EDT)
Received: from [129.83.50.12] (129.83.31.51) by IMCCAS04.MITRE.ORG (129.83.29.81) with Microsoft SMTP Server (TLS) id 14.2.283.3; Tue, 12 Jun 2012 09:36:59 -0400
Message-ID: <4FD745EE.1040508@mitre.org>
Date: Tue, 12 Jun 2012 09:36:46 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120430 Thunderbird/12.0.1
MIME-Version: 1.0
To: oauth@ietf.org
References: <CAA=QE7P_Mmak9_OvqQ4V33e-UHP-n_8oPNiHiYsx=P4syeDz-Q@mail.gmail.com> <4FD65080.9040305@gmail.com> <4FD65ED8.6000507@aol.com> <EA05C2C5-4472-4EC8-92EC-92700BBD25E8@gmail.com> <CAA=QE7PeMYb8mkqG+d_27NNDM+01OynoWZBAaSHdKPT4_K-VOQ@mail.gmail.com>
In-Reply-To: <CAA=QE7PeMYb8mkqG+d_27NNDM+01OynoWZBAaSHdKPT4_K-VOQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------000401020106070701040202"
X-Originating-IP: [129.83.31.51]
Subject: Re: [OAUTH-WG] Clarification in Section 2.0 of draft-ietf-oauth-revocation-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jun 2012 13:37:03 -0000
I agree with Doug and George's reading: nuking the refresh token gets rid of all access tokens associated with that refresh token's lifetime. This includes both simultaneous issuance as well as derived issuance. -- Justin On 06/11/2012 08:13 PM, doug foiles wrote: > Hi Paul and George, > Even though the Access Token is short lived, I would still like to > revoke it immediately if the user chooses to revoke the Refresh > Token. And I would love for the client application to only have to > make one web service call to accomplish that and not one for the > Refresh Token and another for the Access Token. > Given that we always generate a new Refresh Token value during "Token > Refresh", we would never have a true parent / child relationship > between a Refresh Token and Access Token. > Is there a case where it is NOT appropriate to revoke an "associated" > Access Token when explictly revoking a Refresh Token? I define > "associated" as an Access Token generated from a Refresh Token OR > generated at the same time of the Refresh Token. > I do see the AS challenges in trying to manage multiple > simultaneous "associated" Access Tokens. For example let's say a > client generates multiple Access Tokens at the same time while > generating new Refresh Token values during each "Token Refresh" > operation. However I don't really see the useful of this case. > Doug > > On Mon, Jun 11, 2012 at 3:52 PM, Paul Madsen <paul.madsen@gmail.com > <mailto:paul.madsen@gmail.com>> wrote: > > Hi George, perhaps it depends on the reason for the refresh token > being revoked. If because the user removed their consent then yes > I agree that *all* tokens should be revoked > > Sent from my iPhone > > On 2012-06-11, at 5:10 PM, George Fletcher <gffletch@aol.com > <mailto:gffletch@aol.com>> wrote: > >> Paul, >> >> I think I came to a different conclusion... >> >> If I use the Resource Owner Password Credential flow and get back >> both an access_token and a refresh_token then I would assume that >> the issued access_token is tied in some way to the refresh_token. >> If the refresh_token is revoked, then my expectation is that the >> simultaneous issued access_token would also be revoked. >> >> I read the spec as having a typo that should read... >> If the processed token is a refresh token and the authorization >> server supports the revocation of access tokens, then the >> authorization server SHOULD also invalidate all access tokens issued >> *based on* that refresh token. >> Or maybe better... "invalidate all access tokens >> associated/tied-to that refresh token". >> >> Now in the case that the client is retrieving a new refresh_token >> and access_token, then the new ones should be valid and the old >> ones potentially revoked. >> >> Thanks, >> George >> >> On 6/11/12 4:09 PM, Paul Madsen wrote: >>> Hi Doug, my interpretation is that 'for that refresh token' >>> means those access tokens issued in exchange for that refresh >>> token. >>> >>> Consequently, for the cases you cite below, the access tokens at >>> the same time as a given refresh token need not be invalidated >>> when that refresh token is 'processed' >>> >>> I assume the justification for the rule is that an access token >>> issued in exchange for a given refresh token may have been >>> compromised if the refresh token had been. But there is no such >>> causal relationship between an access token & refresh token >>> issued at same time >>> >>> paul >>> >>> On 6/11/12 3:31 PM, doug foiles wrote: >>>> Hi all, >>>> >>>> I was hoping to get some clarity on a statement in section 2.0 >>>> of draft-ietf-oauth-revocation-00. >>>> >>>> If the processed token is a refresh token and the authorization >>>> server supports the revocation of access tokens, then the >>>> authorization server SHOULD also invalidate all access tokens >>>> issued >>>> for that refresh token. >>>> >>>> My question is on the statement "access tokens issued for that >>>> refresh token". What does it mean to have an Access Token >>>> "issued" for a Refresh Token? >>>> >>>> This specific case is clear to me. I am refreshing an Access >>>> Token where I keep the same Refresh Token that I used to >>>> generate the new Access Token. I see the new Access Token was >>>> issued for that Refresh Token. >>>> However these two cases are a bit muddy to me. Let's say I am >>>> using the "Resource Owner Password Credentials Grant" where the >>>> Access Token Response returns both an Access Token and Refresh >>>> Token. Would the Access Token have been issued for that Refresh >>>> Token? And let's say I am refreshing an Access Token but choose >>>> to create a new Refresh Token and immediately revoke the >>>> original Refresh Token. Would the newly created Access Token >>>> have been issued for the original Refresh Token or the new one >>>> that was created. >>>> If a client would revoke a Refresh Token ... I would like the >>>> Access Tokens in all of the above cases to be automatically >>>> revoked as well. I just want to make sure I understand the >>>> model. Thanks. >>>> Doug Foiles >>>> Intuit >>>> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >> > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Clarification in Section 2.0 of draft-… doug foiles
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… Paul Madsen
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… George Fletcher
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… Paul Madsen
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… doug foiles
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… Justin Richer
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… doug foiles
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… Torsten Lodderstedt
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… Paul Madsen
- Re: [OAUTH-WG] Clarification in Section 2.0 of dr… doug foiles