Re: [OAUTH-WG] Token expiration

Eran Hammer-Lahav <eran@hueniverse.com> Mon, 21 September 2009 23:17 UTC

Yahoo uses 'oauth_expires_in' as specified in the session extension [1] (which we plan to submit as an I-D shortly).

EHL

[1] http://oauth.googlecode.com/svn/spec/ext/session/1.0/drafts/1/spec.html

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Chris Messina
Sent: Monday, September 21, 2009 3:22 PM
To: Hubert Le Van Gong
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Token expiration

Seems like it'd be worth documenting existing approaches to this... what do other similar APIs do?

I know I harp on this approach to technology development, but that was how OAuth was developed (for better or worse): by looking at existing practices, extracting convention, and codifying [ideally] best practices.

If this is common and working elsewhere, can't we just imitate it?

Chris

On Mon, Sep 21, 2009 at 2:41 PM, Hubert Le Van Gong <hubertlvg@gmail.com> wrote:
It is obviously useful to have. In fact it's so useful I'll bet most token formats used do include one. Having it outside the token becomes redundant then but maybe it's not that bad.

BTW why not use dateTime (http://www.w3.org/TR/xmlschema-2/#dateTime)?

Cheers,
Hubert


On Mon, Sep 21, 2009 at 11:25 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> Should the core spec support the ability to indicate the duration of token credentials? This would be an addition to the web delegation draft [1] in section 6 (Token Credentials) in the form of a new response parameter, something like:
>
> oauth_token_duration
>    The token duration specified in seconds from the time of the HTTP response timestamp.
>
> This has been consistently at the top of missing core functionality.
>
>
> EHL
>
> [1] http://tools.ietf.org/html/draft-ietf-oauth-web-delegation-01
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

--
Chris Messina
Open Web Advocate

Personal: http://factoryjoe.com
Follow me on Twitter: http://twitter.com/chrismessina

Citizen Agency: http://citizenagency.com
Diso Project: http://diso-project.org
OpenID Foundation: http://openid.net

This email is:   [ ] shareable    [X] ask first   [ ] private
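
A client-side sketch of the relative-duration parameter discussed in this thread, added here as an example and not part of any message or of the OAuth drafts: it reads `oauth_expires_in` or `oauth_token_duration` from a form-encoded token response and converts it to a deadline on the client's own clock, which is what a duration in seconds allows and an absolute dateTime does not. The function name, the 30-second margin, the rejection of zero and the sample values are assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qs

# Parameter names from the thread; treated here as interchangeable (assumption).
DURATION_PARAMS = ("oauth_expires_in", "oauth_token_duration")

def token_expiry(body, date_header, received_at, margin=timedelta(seconds=30)):
    """Return (expiry on the client's clock, observed clock skew).

    Expiry is None when the response carries no duration parameter.
    """
    params = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    # Skew is reported for logging only; a relative duration does not need it.
    skew = received_at - parsedate_to_datetime(date_header)
    present = [name for name in DURATION_PARAMS if name in params]
    if not present:
        return None, skew
    if len(present) > 1 or len(params[present[0]]) != 1:
        raise ValueError("ambiguous token duration")
    raw = params[present[0]][0]
    # Plain ASCII digits only: rejects "", "-1", "3600.5", "1e3", non-ASCII
    # digits. Zero is also rejected (assumption of this example).
    if not (raw.isascii() and raw.isdigit()) or int(raw) == 0:
        raise ValueError(f"invalid token duration: {raw!r}")
    # Count from local receipt time; the margin absorbs network latency
    # between the server stamping the response and the client receiving it.
    return received_at + timedelta(seconds=int(raw)) - margin, skew

# Constructed sample: the client clock runs five minutes ahead of the server.
SAMPLE_BODY = ("oauth_token=tok-constructed&oauth_token_secret=sec-constructed"
               "&oauth_expires_in=3600")
SAMPLE_DATE = "Mon, 21 Sep 2009 23:17:51 GMT"
SAMPLE_RECEIVED = datetime(2009, 9, 21, 23, 22, 51, tzinfo=timezone.utc)

if __name__ == "__main__":
    expiry, skew = token_expiry(SAMPLE_BODY, SAMPLE_DATE, SAMPLE_RECEIVED)
    print("stop using token at", expiry.isoformat(), "| clock skew", skew)
```

With an absolute expiry time, the same five-minute skew would shift the client's idea of the deadline by five minutes; a client whose clock runs slow would keep presenting a token the server already considers expired.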