Re: [OAUTH-WG] draft-ietf-oauth-revocation-01
Torsten Lodderstedt <torsten@lodderstedt.net> Mon, 08 October 2012 18:44 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26C1B21F85A8 for <oauth@ietfa.amsl.com>; Mon, 8 Oct 2012 11:44:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Level:
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5aRAWHLpKLVx for <oauth@ietfa.amsl.com>; Mon, 8 Oct 2012 11:44:11 -0700 (PDT)
Received: from smtprelay05.ispgateway.de (smtprelay05.ispgateway.de [80.67.31.99]) by ietfa.amsl.com (Postfix) with ESMTP id 007AA21F852A for <oauth@ietf.org>; Mon, 8 Oct 2012 11:44:04 -0700 (PDT)
Received: from [91.2.78.13] (helo=[192.168.71.42]) by smtprelay05.ispgateway.de with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1TLIJ8-0004ay-9d; Mon, 08 Oct 2012 20:44:02 +0200
Message-ID: <50731EF0.4010304@lodderstedt.net>
Date: Mon, 08 Oct 2012 20:44:00 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120907 Thunderbird/15.0.1
MIME-Version: 1.0
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
References: <999913AB42CC9341B05A99BBF358718D01EF1504@FIESEXC035.nsn-intra.net>
In-Reply-To: <999913AB42CC9341B05A99BBF358718D01EF1504@FIESEXC035.nsn-intra.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] draft-ietf-oauth-revocation-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Oct 2012 18:44:12 -0000
Hi Hannes, thanks for your review and feedback. Please find my comments inline. Am 08.10.2012 13:52, schrieb Tschofenig, Hannes (NSN - FI/Espoo): > Hi all, > > I went through draft-ietf-oauth-revocation-01 to what has changed > between version -00 and -01. > > A few minor comments: > > Title: maybe you should change it from "Token Revocation" to "Revocation > of OAuth Access and Refresh Tokens" to make it a bit more informative. why not. What do other WG members think? > The abstract is also a bit too short to explain what the document does. > The RFC Editor will at least demand 3 lines of abstract. You may, for > example say that the specification covers revocation of access and > refresh tokens. Important would also to highlight that the revocation is > initiated by the client. You may also want to highlight that this is > mainly used as a logout mechanism. ok. > > I you want to re-word the following sentence a bit: > " > A revocation request may discard the actual token as well as other > tokens based on the same access grant and the access grant itself. > " > For example: > " > A revocation request by the client includes the token that shall be > revoked. Revoking a refresh token will, however, also revoke any access > token created earlier via the presented refresh token. I see the following issues with your proposal: - I assume not all authorization servers will support access token revocation (none of our servers does) - Access tokens belonging to the same access grant might have been created based on different refresh tokens, since refresh tokens can be rotated (we do this for refresh tokens issued to installed applications). see also http://www.ietf.org/mail-archive/web/oauth/current/msg09244.html That's why I suggested on the list to add the concept of an underlying access grant. This concept proved to be useful during discussions about the different token implementation philosophies at the last IIW. It also allows an authorization server to delete access grants underlying an access token even if it does not issue refresh tokens at all - some authorization servers manage permanent access grants internally and issue access tokens automatically in implicite and code grant type (auto-approval). I therefore would suggest the following wording: "A revocation request by the client includes the token that shall be revoked. Revoking a token may, however, also revoke other tokens based on the same access grant and the acces grant itself." > " > > Introduction: I would not include RFC 2119 language in the introduction. And put the compliance statement into another section? > I am also wondering why a specification shouldn't support the revocation > of both tokens when requested. The assumption is that not all authorization servers will support access token revocation because this comes at a cost. It either requires a lookup of the RS at the AS on every service request OR a push notification of the AS towards all relevant RS on revocation. > > You write that the specification supports the following use cases and > you list two items. The issue, however, is that item #2 isn't what the > specification deals with. Instead, the focus is on item #1 and the > revocation feature is more a logout feature, as you describe it rather > than a way to deal with stolen tokens. What about the self-care portal (see below)? > > o The end-user triggers revocation from within the client that sends > the appropriate revocation request to the autorization server. > The request causes the removal of the client's access grant the > particular token refers to. From the end-user's perspective, this > looks like a "logout" or "reset" function. This use case makes it > even more comfortable to the end-user to revoke his access grant > immediately via the client. > > o In contrast to revocation by a client, the authorization server > (or a related entity) may offer its end-users a self-care portal > to delete access grants given to clients independent of any token > storing devices. Such a portal offers the possibility to an end- > user to look at and revoke all access grants he once authorized. > In cases the token storing device is not available, e.g. it is > lost or stolen, revocation by a self-care portal is the only > possibility to limit or avoid abuse. > > > Terminology: I would include a Terminology section with the following > content: > " > The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", > "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this > document are to be interpreted as described in RFC 2119 [RFC2119]. > " ok. > > You write: > > In the end, security, usability, and ease of use are increased by > token revocation. > > Could you explain this a bit? The specification does not help with > stolen tokens. What about the self-care portal? > It also does not help with clients who behave > unsupportive. I don't understand this statement. "unsupportive" with respective to token revocation? > > > Example: I suggest to expand the example token a bit to avoid the > impression that tokens are so short. > s/token=45ghiukldjahdnhzdauz&/token=45ghiukldj....ahdnhzdauz&/ I'm wondering why the core spec shows example tokens of roughly the same size. > > I don't understand this note: > > "It is also conceivable to allow a dedicated user self-care portal to > revoke all kinds of tokens." > The self-care portal shouldn't have tokens and hence cannot really > revoke them. As such, the self-care portal would be either at the > authorization server or very closely related to it (for example with > access to the same backend database). Yes, that's true. Such a portal must have access to the token database. It may be part of the authorization server or a general purpose portal, which access the token database via well-defined (internal) interfaces. We implemented the later pattern. > > > Regarding: > " > If the particular token is a refresh > token and the authorization server supports the revocation of access > tokens, then the authorization server SHOULD also invalidate all > access tokens based on the same access grant. > " > > Why "SHOULD" and not MUST? See above. > > Shouldn't this sentence say > > If the presented token is a refresh token then the authorization server > MUST invalidate all access tokens created by that refresh token." See above. "that refresh token" might not be meaningful in conjunction with refresh token rotation. > > Note that I > - clarified what gets deleted, and > - removed unnecessary options. > > > You write: > " > Whether the revocation takes effect instantly or with some delay > depends on the architecture of the particular deployment. The client > MUST NOT make any assumptions about the timing and MUST NOT use the > token again. > " > > This is an interesting aspect since one would wonder why it isn't > sufficient for the client to just delete the tokens it has locally. > Nobody else should have the same set of tokens since they are supposed > to be minted on the fly for the different clients. Basically, you are right. I'm wondering whether there could be issues in clustered environment, potentielly different nodes could use the same access token? > > Then, wouldn't it be useful for a logout functionality that the > revocation actually works instantly rather than at an unpredictable time > later ? Yes. > > Could you explain why the cross-origin support is needed? I think this is the only way for a user-agent based application to revoke tokens due to the same-origin policy. @Marius: Could you please shed some more light on this aspect? > > You write: > " > unsupported_token_type: the client > tried to revoke an access token on a server not supporting > this feature. > " > Does this mean that the server does not support the revocation > specification at all or just not the ability to revoke access > (refresh???) tokens? Revocation of access tokens is an optional feature > > Security considerations: I would expect to see a discussion about what > scenarios this revocation mechanism does not cover. I thought such a section was intended to discuss the security of the proposed protocol? Do you have specific scenarios in mind? regards, Torsten. > > Ciao > Hannes > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] draft-ietf-oauth-revocation-01 Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] draft-ietf-oauth-revocation-01 Torsten Lodderstedt