Re: [OAUTH-WG] Single transaction token

William Mills <wmills@yahoo-inc.com> Tue, 08 November 2011 15:35 UTC

References: <C1468D5F-052D-4D14-919E-A0465156A780@semantico.com>
Message-ID: <1320766520.68585.YahooMailNeo@web31816.mail.mud.yahoo.com>
Date: Tue, 08 Nov 2011 07:35:20 -0800
From: William Mills <wmills@yahoo-inc.com>
To: Declan Newman <declan.newman@semantico.com>, "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <C1468D5F-052D-4D14-919E-A0465156A780@semantico.com>

The problem is that the token has no state about the transaction.  Is the transaction already determined when the token is issued?  If so then put the transaction data in the token and make it non-repeatable.

If this is an auth token for an arbitrary single action you have to put some form of replay protection on the protected resource, or you can immediately revoke the token after use against a revocation API and make sure the RP is checking for revoked tokens against the same API/endpoint.  You do have a race here, so you have to sort out what you'll make synchronous calls against for this.

Regards,

-bill



________________________________
From: Declan Newman <declan.newman@semantico.com>
To: oauth@ietf.org
Cc: Will Simpson <will.simpson@semantico.com>; Geoffrey Bilder <gbilder@crossref.org>
Sent: Tuesday, November 8, 2011 1:58 AM
Subject: [OAUTH-WG] Single transaction token


Hello,

We're currently implementing an OAuth 2 provider for a client, who needs to have the facility to authenticate/authorise a client to update in a single transaction.

Is there a way to specify the validity of a token on a per-transaction basis, as opposed to a timeframe?

Any help much appreciated.

Regards,

Dec


----------------------------------------------------------------------------
Declan Newman, Development Team Leader,
Semantico, Floor 1, 21-23 Dyke Road, Brighton BN1 3FE
<mailto:Declan.Newman@semantico.com>
<tel:+44-1273-358247> 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
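The first option in Bill Mills' reply (the transaction is known when the token is issued, so bind it into the token and make the token non-repeatable) as an added example; this is not code from either poster or from any OAuth library. It assumes an HMAC key shared between the authorization server and the resource server, an in-memory "consumed" store, and hypothetical names (`issue_token`, `ResourceServer.authorize`); the transaction payload and timestamps are constructed. The `with self._lock` block is the synchronous check-and-set the reply says you have to sort out: in a multi-node deployment it would be an atomic conditional write in a shared store rather than a process-local lock.

```python
import base64
import hashlib
import hmac
import json
import secrets
import threading
import time

# Assumption for this example: one HMAC key shared by the authorization
# server (issuer) and the resource server (verifier).
KEY = secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, client_id: str, transaction: dict, ttl: int = 300, now=None) -> str:
    """Authorization server side: the transaction is already decided, so it
    goes into the token together with a unique id the RS can mark as used."""
    now = int(time.time()) if now is None else now
    claims = {
        "jti": secrets.token_hex(16),   # unique per token; consumed on first use
        "client_id": client_id,
        "txn": transaction,             # the one update this token may perform
        "iat": now,
        "exp": now + ttl,               # short lifetime bounds how long used ids are kept
    }
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    mac = _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return body + "." + mac


class ResourceServer:
    """Protected resource: verifies the token, checks it matches the request
    being made, and enforces single use with an atomic check-and-set."""

    def __init__(self, key: bytes):
        self._key = key
        self._used = {}                 # jti -> exp, pruned once the token has expired anyway
        self._lock = threading.Lock()   # the synchronous point that closes the replay race

    def _parse(self, token: str):
        try:
            body, mac = token.split(".")
            expected = hmac.new(self._key, body.encode("ascii"), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(mac)):
                return None
            return json.loads(_unb64(body))
        except (ValueError, UnicodeError):   # malformed token, bad base64 or bad JSON
            return None

    def authorize(self, token: str, client_id: str, transaction: dict, now=None) -> str:
        now = int(time.time()) if now is None else now
        claims = self._parse(token)
        if claims is None:
            return "bad_signature"
        if now >= claims["exp"]:
            return "expired"
        if claims["client_id"] != client_id:
            return "wrong_client"
        if claims["txn"] != transaction:        # token is bound to exactly this update
            return "transaction_mismatch"
        with self._lock:
            # drop ids whose tokens can no longer pass the exp check above
            for jti in [j for j, exp in self._used.items() if exp <= now]:
                del self._used[jti]
            if claims["jti"] in self._used:
                return "replayed"
            self._used[claims["jti"]] = claims["exp"]   # consume before releasing the lock
        return "ok"


if __name__ == "__main__":
    # Constructed demo: issue a token for one update and present it twice.
    rs = ResourceServer(KEY)
    txn = {"op": "update", "record": "record-42", "version": 7}
    tok = issue_token(KEY, "client-a", txn)
    print(rs.authorize(tok, "client-a", txn))   # ok
    print(rs.authorize(tok, "client-a", txn))   # replayed
```

Because the transaction is compared against the request and the `jti` is consumed inside the lock, a token that passes once cannot be replayed, and a captured token cannot be pointed at a different update. If the token must instead authorize an arbitrary single action (the reply's second case), the `txn` check drops away and the consumed-id store is the only replay protection, which is why it then has to be the same store every RP consults.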