IETF Logo Mail Archive

Re: [OAUTH-WG] Clarification in Section 2.0 of draft-ietf-oauth-revocation-00

Paul Madsen <paul.madsen@gmail.com> Wed, 13 June 2012 09:44 UTC

Return-Path: <paul.madsen@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 665CF21F867A for <oauth@ietfa.amsl.com>; Wed, 13 Jun 2012 02:44:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k+EnLaEdLZNf for <oauth@ietfa.amsl.com>; Wed, 13 Jun 2012 02:43:59 -0700 (PDT)
Received: from mail-vc0-f172.google.com (mail-vc0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id CEB6121F8679 for <oauth@ietf.org>; Wed, 13 Jun 2012 02:43:58 -0700 (PDT)
Received: by vcqp1 with SMTP id p1so231801vcq.31 for <oauth@ietf.org>; Wed, 13 Jun 2012 02:43:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=Qrh5tFjiqJ3sDMBJ0eDZB9N2uZHJeakkcfsqfRqc6J4=; b=n1QCt2ckojc22BYjsIMPf+L1Bx3sFkNO2khxEVlUIq+rQ4w8NOEwE0vanA/fD3BgEK /3MRNaGWmKPkSu4I9rYj4oLU9OvKovrH2ppiJw2e/DdixD76V92rWk0ap6cVU7Akfmu5 eERpzwpFlwBn/kkd7twX74ffZynbxTOFRfWXVdyDSHxupY+eubPMMOAWgPkWh3VAF/pu n+psObdiDRE8rkya2hHHyTO+wXLciqv8Q9BPczmJrJE/C5FMX5DdNGcDL1HTsKiEZdiC /ooLwr7Xef7RCcg6C3lSAefTAuiWeYV6CLHsT2r1HbFb18LDWgGt1C8Zxnkw1e/uVk9J z5lQ==
Received: by 10.220.16.8 with SMTP id m8mr16564075vca.10.1339580638074; Wed, 13 Jun 2012 02:43:58 -0700 (PDT)
Received: from pmadsen-mbp.local (CPE0022b0cb82b4-CM0012256eb4b4.cpe.net.cable.rogers.com. [99.224.20.155]) by mx.google.com with ESMTPS id i10sm1058983vdw.21.2012.06.13.02.43.54 (version=SSLv3 cipher=OTHER); Wed, 13 Jun 2012 02:43:55 -0700 (PDT)
Message-ID: <4FD860D9.7010007@gmail.com>
Date: Wed, 13 Jun 2012 05:43:53 -0400
From: Paul Madsen <paul.madsen@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.28) Gecko/20120306 Thunderbird/3.1.20
MIME-Version: 1.0
To: Torsten Lodderstedt <torsten@lodderstedt.net>
References: <CAA=QE7P_Mmak9_OvqQ4V33e-UHP-n_8oPNiHiYsx=P4syeDz-Q@mail.gmail.com> <4FD65080.9040305@gmail.com> <4FD65ED8.6000507@aol.com> <EA05C2C5-4472-4EC8-92EC-92700BBD25E8@gmail.com> <CAA=QE7PeMYb8mkqG+d_27NNDM+01OynoWZBAaSHdKPT4_K-VOQ@mail.gmail.com> <4FD745EE.1040508@mitre.org> <CAA=QE7PADF8hLXmReQtx65xKAWYggATpnka7GZ0s31A5reLYwA@mail.gmail.com> <d31e5caa-d37d-4002-a3a0-52e264bd71cd@email.android.com>
In-Reply-To: <d31e5caa-d37d-4002-a3a0-52e264bd71cd@email.android.com>
Content-Type: multipart/alternative; boundary="------------010909010602080803070806"
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Clarification in Section 2.0 of draft-ietf-oauth-revocation-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jun 2012 09:44:00 -0000

agree that it'd be preferable to refer to the higher level grant

related, the spec stipulates

'The client MUST NOT make any assumptions about the timing and MUST NOT 
use the token again.'

So what does the client do with it's existing access token when it 
revokes the associated refresh token?

The rule indicating to the AS that access tokens be revoked as well is 
only a SHOULD, so the client can't be certain that the access token is 'bad'

paul

On 6/13/12 2:01 AM, Torsten Lodderstedt wrote:
> Hi all,
>
> we should probably adopt the wording to refer to the access grant 
> underlying all tokens? Something like: "based on the same access grant 
> ...".
>
> What do you think?
>
> regards,
> Torsten.
>
>
>
> doug foiles <doug.foiles@gmail.com> schrieb:
>
>     Thanks Justin.  Perhaps we can get Torsten, Stefanie, or Marius to
>     comment on what was intended for this ... and would be much
>     appreciated.
>
>     On Tue, Jun 12, 2012 at 6:36 AM, Justin Richer <jricher@mitre.org
>     <mailto:jricher@mitre.org>> wrote:
>
>         I agree with Doug and George's reading: nuking the refresh
>         token gets rid of all access tokens associated with that
>         refresh token's lifetime. This includes both simultaneous
>         issuance as well as derived issuance.
>
>          -- Justin
>
>
>         On 06/11/2012 08:13 PM, doug foiles wrote:
>>         Hi Paul and George,
>>         Even though the Access Token is short lived, I would still
>>         like to revoke it immediately if the user chooses to revoke
>>         the Refresh Token.  And I would love for the client
>>         application to only have to make one web service call to
>>         accomplish that and not one for the Refresh Token and another
>>         for the Access Token.
>>         Given that we always generate a new Refresh Token value
>>         during "Token Refresh", we would never have a true parent /
>>         child relationship between a Refresh Token and Access Token.
>>         Is there a case where it is NOT appropriate to revoke an
>>         "associated" Access Token when explictly revoking a Refresh
>>         Token?  I define "associated" as an Access Token generated
>>         from a Refresh Token OR generated at the same time of the
>>         Refresh Token.
>>         I do see the AS challenges in trying to manage multiple
>>         simultaneous "associated" Access Tokens.  For example let's
>>         say a client generates multiple Access Tokens at the same
>>         time while generating new Refresh Token values during each
>>         "Token Refresh" operation.  However I don't really see the
>>         useful of this case.
>>         Doug
>>
>>         On Mon, Jun 11, 2012 at 3:52 PM, Paul Madsen
>>         <paul.madsen@gmail.com <mailto:paul.madsen@gmail.com>> wrote:
>>
>>             Hi George, perhaps it depends on the reason for the
>>             refresh token being revoked. If because the user removed
>>             their consent then yes I agree that *all* tokens should
>>             be revoked
>>
>>             Sent from my iPhone
>>
>>             On 2012-06-11, at 5:10 PM, George Fletcher
>>             <gffletch@aol.com <mailto:gffletch@aol.com>> wrote:
>>
>>>             Paul,
>>>
>>>             I think I came to a different conclusion...
>>>
>>>             If I use the Resource Owner Password Credential flow and
>>>             get back both an access_token and a refresh_token then I
>>>             would assume that the issued access_token is tied in
>>>             some way to the refresh_token. If the refresh_token is
>>>             revoked, then my expectation is that the simultaneous
>>>             issued access_token would also be revoked.
>>>
>>>             I read the spec as having a typo that should read...
>>>             If the processed token is a refresh token and the authorization
>>>             server supports the revocation of access tokens, then the
>>>             authorization server SHOULD also invalidate all access tokens issued
>>>             *based on* that refresh token.
>>>             Or maybe better... "invalidate all access tokens
>>>             associated/tied-to that refresh token".
>>>
>>>             Now in the case that the client is retrieving a new
>>>             refresh_token and access_token, then the new ones should
>>>             be valid and the old ones potentially revoked.
>>>
>>>             Thanks,
>>>             George
>>>
>>>             On 6/11/12 4:09 PM, Paul Madsen wrote:
>>>>             Hi Doug, my interpretation is that 'for that refresh
>>>>             token' means those access tokens issued in exchange for
>>>>             that refresh token.
>>>>
>>>>             Consequently, for the cases you cite below, the access
>>>>             tokens at the same time as a given refresh token need
>>>>             not be invalidated when that refresh token is 'processed'
>>>>
>>>>             I assume the justification for the rule is that an
>>>>             access token issued in exchange for a given refresh
>>>>             token may have been compromised if the refresh token
>>>>             had been. But there is no such causal relationship
>>>>             between an access token & refresh token issued at same time
>>>>
>>>>             paul
>>>>
>>>>             On 6/11/12 3:31 PM, doug foiles wrote:
>>>>>             Hi all,
>>>>>
>>>>>             I was hoping to get some clarity on a statement in
>>>>>             section 2.0 of draft-ietf-oauth-revocation-00.
>>>>>
>>>>>                If the processed token is a refresh token and the
>>>>>             authorization
>>>>>                server supports the revocation of access tokens,
>>>>>             then the
>>>>>                authorization server SHOULD also invalidate all
>>>>>             access tokens issued
>>>>>                for that refresh token.
>>>>>
>>>>>             My question is on the statement "access tokens issued
>>>>>             for that refresh token".  What does it mean to have
>>>>>             an Access Token "issued" for a Refresh Token? 
>>>>>
>>>>>             This specific case is clear to me.  I am refreshing
>>>>>             an Access Token where I keep the same Refresh Token
>>>>>             that I used to generate the new Access Token.  I see
>>>>>             the new Access Token was issued for that Refresh Token.
>>>>>             However these two cases are a bit muddy to me.  Let’s
>>>>>             say I am using the "Resource Owner Password
>>>>>             Credentials Grant" where the Access Token Response
>>>>>             returns both an Access Token and Refresh Token. 
>>>>>             Would the Access Token have been issued for that
>>>>>             Refresh Token?  And let’s say I am refreshing an
>>>>>             Access Token but choose to create a new Refresh Token
>>>>>             and immediately revoke the original Refresh Token. 
>>>>>             Would the newly created Access Token have been issued
>>>>>             for the original Refresh Token or the new one that was
>>>>>             created.
>>>>>             If a client would revoke a Refresh Token … I would
>>>>>             like the Access Tokens in all of the above cases to be
>>>>>             automatically revoked as well.  I just want to make
>>>>>             sure I understand the model.  Thanks.
>>>>>             Doug Foiles
>>>>>             Intuit
>>>>>
>>>>>
>>>>>             _______________________________________________
>>>>>             OAuth mailing list
>>>>>             OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>>>>             https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>
>>>>             _______________________________________________
>>>>             OAuth mailing list
>>>>             OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>>>             https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>>
>>
>>         _______________________________________________
>>         OAuth mailing list
>>         OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>         https://www.ietf.org/mailman/listinfo/oauth
>
>
>         _______________________________________________
>         OAuth mailing list
>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>         https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email