Re: [OAUTH-WG] Refresh Tokens

"William J. Mills" <wmills@yahoo-inc.com> Thu, 11 August 2011 21:00 UTC

References: <B26C1EF377CB694EAB6BDDC8E624B6E723B89DBF@SN2PRD0302MB137.namprd03.prod.outlook.com> <CA698D45.17CCD%eran@hueniverse.com> <B26C1EF377CB694EAB6BDDC8E624B6E723B89F11@SN2PRD0302MB137.namprd03.prod.outlook.com>
Message-ID: <1313096449.45395.YahooMailNeo@web31804.mail.mud.yahoo.com>
Date: Thu, 11 Aug 2011 14:00:49 -0700
From: "William J. Mills" <wmills@yahoo-inc.com>
To: Anthony Nadalin <tonynad@microsoft.com>, Eran Hammer-Lahav <eran@hueniverse.com>, Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <B26C1EF377CB694EAB6BDDC8E624B6E723B89F11@SN2PRD0302MB137.namprd03.prod.outlook.com>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Refresh Tokens

I maintain my opinion that anonymity be discussed in the security considerations section. For the purposes of the spec tokens are opaque strings not intended to be parsed by the client.

________________________________
From: Anthony Nadalin <tonynad@microsoft.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>; Dick Hardt <dick.hardt@gmail.com>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Sent: Thursday, August 11, 2011 1:51 PM
Subject: Re: [OAUTH-WG] Refresh Tokens

There are no use cases at all in WRAP to help explain choices taken; it does not matter if there were or were not previous issues raised, it is being raised now.
 
From: Eran Hammer-Lahav [mailto:eran@hueniverse.com]
Sent: Thursday, August 11, 2011 1:46 PM
To: Anthony Nadalin; Dick Hardt
Cc: OAuth WG (oauth@ietf.org)
Subject: Re: [OAUTH-WG] Refresh Tokens
 
That's irrelevant given WRAP does not mention anonymity or anything else about refresh token not explicitly addressed already by v2. Your email is the very first time this has been raised on this list.
 
EHL
 
From: Anthony Nadalin <tonynad@microsoft.com>
Date: Thu, 11 Aug 2011 12:41:28 -0700
To: Eran Hammer-Lahav <eran@hueniverse.com>, Dick Hardt <dick.hardt@gmail.com>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: RE: [OAUTH-WG] Refresh Tokens
 
Anonymity was certainly part of the design for WRAP
> 
>From: Eran Hammer-Lahav [mailto:eran@hueniverse.com]
>Sent: Thursday, August 11, 2011 12:35 PM
>To: Anthony Nadalin; Dick Hardt
>Cc: OAuth WG (oauth@ietf.org)
>Subject: Re: [OAUTH-WG] Refresh Tokens
> 
>Section 1.5 already covers refresh tokens. There are many use cases for refresh tokens. They are basically a protocol feature used to make scalability and security more flexible. Anonymity was never part of their design, and by the nature of this protocol, is more in the domain of the resource server (based on what information it exposes via its API). In fact, your email is the first such suggestion of anonymity.
> 
>EHL
> 
>From: Anthony Nadalin <tonynad@microsoft.com>
>Date: Thu, 11 Aug 2011 11:15:28 -0700
>To: Dick Hardt <dick.hardt@gmail.com>
>Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
>Subject: Re: [OAUTH-WG] Refresh Tokens
> 
>Many reasons, but none are explained in the specification
>> 
>>From: Dick Hardt [mailto:dick.hardt@gmail.com]
>>Sent: Thursday, August 11, 2011 10:51 AM
>>To: Anthony Nadalin
>>Cc: OAuth WG (oauth@ietf.org)
>>Subject: Re: [OAUTH-WG] Refresh Tokens
>> 
>>My recollection of refresh tokens was for security and revocation.
>> 
>>security: By having a short lived access token, a compromised access token would limit the time an attacker would have access
>> 
>>revocation: if the access token is self contained, authorization can be revoked by not issuing new access tokens. A resource does not need to query the authorization server to see if the access token is valid. This simplifies access token validation and makes it easier to scale and support multiple authorization servers. There is a window of time when an access token is valid, but authorization is revoked.
>> 
>> 
>> 
>>On 2011-08-11, at 10:40 AM, Anthony Nadalin wrote:
>>
>>Nowhere in the specification is there explanation for refresh tokens. The reason that the Refresh token was introduced was for anonymity. The scenario is that a client asks the user for access. The user wants to grant the access but not tell the client the user's identity. By issuing the refresh token as an 'identifier' for the user (as well as other context data like the resource) it's possible now to let the client get access without revealing anything about the user. Recommend that the above explanation be included so developers understand why the refresh tokens are there.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
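The security and revocation rationale Dick Hardt describes (short-lived, self-contained access tokens checked locally by the resource server; revocation enforced at refresh time, leaving a window until the access token expires) as an added illustration that is not part of this thread or of the OAuth specification. The HMAC token format, the shared key, the 60-second lifetime and the in-memory refresh-token table are assumptions chosen for the demo.

```python
import base64, hashlib, hmac, json, secrets

# Assumptions for this constructed example (not from the spec or the thread):
KEY = b"constructed-demo-signing-key"   # key shared by authorization and resource server
ACCESS_TTL = 60                          # short-lived access token lifetime, in seconds

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_access_token(user, scope, now):
    """Self-contained access token: JSON claims with an expiry, HMAC-signed."""
    claims = json.dumps({"sub": user, "scope": scope, "exp": now + ACCESS_TTL},
                        sort_keys=True).encode()
    sig = hmac.new(KEY, claims, hashlib.sha256).digest()
    return _b64(claims) + "." + _b64(sig)

def verify_access_token(token, now):
    """Resource-server check: signature and expiry only, no query to the AS.
    Returns the claims on success, None on any failure."""
    try:
        claims_b64, sig_b64 = token.split(".")
        claims, sig = _unb64(claims_b64), _unb64(sig_b64)
    except ValueError:                      # malformed token or bad base64
        return None
    expected = hmac.new(KEY, claims, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    data = json.loads(claims)
    return data if data["exp"] > now else None

class AuthServer:
    """Authorization server: refresh tokens are opaque handles to server-side
    state, so revoking one stops further access tokens from being issued."""
    def __init__(self):
        self.refresh_tokens = {}            # refresh token -> grant record

    def grant(self, user, scope, now):
        rt = secrets.token_urlsafe(32)      # opaque to the client
        self.refresh_tokens[rt] = {"sub": user, "scope": scope, "revoked": False}
        return mint_access_token(user, scope, now), rt

    def refresh(self, rt, now):
        rec = self.refresh_tokens.get(rt)
        if rec is None or rec["revoked"]:
            return None                     # revoked or unknown: no new access token
        return mint_access_token(rec["sub"], rec["scope"], now)

    def revoke(self, rt):
        if rt in self.refresh_tokens:
            self.refresh_tokens[rt]["revoked"] = True
```

After `revoke`, `refresh` fails immediately, but an access token minted before revocation still verifies until its `exp` passes; that gap is the window the message refers to.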