Re: [OAUTH-WG] I-D on token revocation submitted
Brian Campbell <bcampbell@pingidentity.com> Tue, 14 September 2010 22:32 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D86B33A6807 for <oauth@core3.amsl.com>; Tue, 14 Sep 2010 15:32:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.839
X-Spam-Level:
X-Spam-Status: No, score=-5.839 tagged_above=-999 required=5 tests=[AWL=0.138, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rI3JbISZibk2 for <oauth@core3.amsl.com>; Tue, 14 Sep 2010 15:32:22 -0700 (PDT)
Received: from na3sys009aog105.obsmtp.com (na3sys009aog105.obsmtp.com [74.125.149.75]) by core3.amsl.com (Postfix) with SMTP id BC04C3A6B42 for <oauth@ietf.org>; Tue, 14 Sep 2010 15:32:19 -0700 (PDT)
Received: from source ([209.85.214.43]) by na3sys009aob105.postini.com ([74.125.148.12]) with SMTP ID DSNKTI/4Datvou8vehk9diO05FRx0L0LzMTj@postini.com; Tue, 14 Sep 2010 15:32:46 PDT
Received: by mail-bw0-f43.google.com with SMTP id 16so7353740bwz.16 for <oauth@ietf.org>; Tue, 14 Sep 2010 15:32:45 -0700 (PDT)
Received: by 10.223.108.81 with SMTP id e17mr248499fap.28.1284503565063; Tue, 14 Sep 2010 15:32:45 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.113.3 with HTTP; Tue, 14 Sep 2010 15:32:15 -0700 (PDT)
In-Reply-To: <4C8CA7C4.5050809@lodderstedt.net>
References: <4C86BAF4.3060906@lodderstedt.net> <4C891EEA.80502@gmx.de> <AANLkTinUBD77ZtaHOD5CSGv+XAUuzSS0+NeyM5KLyJ8K@mail.gmail.com> <4C8BB3E7.7090606@gmx.de> <4C8CA7C4.5050809@lodderstedt.net>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 14 Sep 2010 16:32:15 -0600
Message-ID: <AANLkTim5N1hZb92P9SEr-NWqHMWakeSE_hxYG--pHseQ@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D on token revocation submitted
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Sep 2010 22:32:44 -0000
So is my understanding of the draft incorrect? I read it to say that direct access token revocation is optional but, if supported, then all associated assess tokens must also be revoked on a revocation of a refresh token. On Sun, Sep 12, 2010 at 4:13 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote: > Stefanie, > > thanks for your comments. > > I think there is a subtle difference between revoking access tokens directly > and indirectly via refresh tokens. In the later case, the authorization > server needs to keep track of the relation between refresh and access tokens > (somewhere in a database), whereas the relation between access and refresh > token could be kept in the access token only. > > regards, > Torsten. > > Am 11.09.2010 18:52, schrieb Stefanie Dronia: >> >> Hi Brain, >> >> yes, you are right. I just went over that condition. >> >> On the other hand, this implies to me, that access token revocation is not >> possible in a constellation as described before. >> >> Regards, >> Stefanie >> >> Am 10.09.2010 00:38, schrieb Brian Campbell: >>> >>> Isn't that kind of situation exactly the reason that access token >>> revocation was made optional? Invalidation of access tokens on >>> revocation of a refresh token is only a MUST, if the deployment >>> already supports revocation of access tokens. And if revocation of >>> access tokens is supported, I'd assume the deployment already has an >>> efficient means of invalidating them. >>> >>> Editorial note: shouldn't the "must" in that text be a "MUST"? >>> >>> On Thu, Sep 9, 2010 at 11:52 AM, Stefanie Dronia<sDronia@gmx.de> wrote: >>>> >>>> Hallo Torsten, >>>> >>>> first of all thanks for providing this draft on the mailing list. >>>> Except for the following words, the draft is consistent. It defines the >>>> end of a token's life cycle, intended by the user. >>>> >>>> While reading it, I think that the following part of chapter 2 (Token >>>> Revocation) might cause problems a a certain situation: >>>> >>>> "If the processed token is a refresh token and the authorization >>>> server supports the revocation of access tokens, then the >>>> authorization server must also invalidate all access tokens issued >>>> for that refresh token." >>>> >>>> Situation: >>>> Authz Server(s) and Resource Server(s) are separate systems that are set >>>> in an open triangle (no communication between them e.g. to verify access >>>> tokens). >>>> >>>> Problem: >>>> How does the Resource Server(s) know that an access token was revoked >>>> and is not valid to access resources any more? >>>> => Communication between the servers necessary >>>> => benefit of open triangle architecture are lost for this case. >>>> I think that this is a problem with large scale systems. >>>> >>>> Although, if there are several Authz Server(s) , then there has to be >>>> communication between there or a shared data base to assure that revoked >>>> (refresh) tokens are invalid. >>>> >>>> => Is this requirement really a MUST? >>>> I don't think so. >>>> >>>> Any thoughts? >>>> >>>> Regards, >>>> Stefanie >>>> >>>> >>>> >>>> >>>> Am 08.09.2010 00:21, schrieb Torsten Lodderstedt: >>>>> >>>>> I just submited the first version of my I-D for token revocation. >>>>> >>>>> Link: >>>>> https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-revocation/ >>>>> >>>>> The I-D proposes an additional endpoint, which can be used to revoke >>>>> both refresh and access tokens. The objective is to enhance OAuth security >>>>> by giving clients and users explicite control of the finalization of the >>>>> token life cycle, e.g. to implement application logout or access >>>>> authorization removal. >>>>> >>>>> Please take the time to review the document (2 pages, essentially) and >>>>> give me feedback. My goal is that this draft becomes a working group >>>>> document. >>>>> >>>>> regards, >>>>> Torsten. >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] I-D on token revocation submitted Torsten Lodderstedt
- Re: [OAUTH-WG] I-D on token revocation submitted Stefanie Dronia
- Re: [OAUTH-WG] I-D on token revocation submitted Brian Campbell
- Re: [OAUTH-WG] I-D on token revocation submitted Stefanie Dronia
- Re: [OAUTH-WG] I-D on token revocation submitted Torsten Lodderstedt
- Re: [OAUTH-WG] I-D on token revocation submitted Torsten Lodderstedt
- Re: [OAUTH-WG] I-D on token revocation submitted Brian Campbell
- Re: [OAUTH-WG] I-D on token revocation submitted Torsten Lodderstedt