Re: [OAUTH-WG] RFC 7662 on OAuth 2.0 Token Introspection
Justin Richer <jricher@mit.edu> Wed, 21 October 2015 21:01 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E57F1B307B for <oauth@ietfa.amsl.com>; Wed, 21 Oct 2015 14:01:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iZsDb9GV5FC3 for <oauth@ietfa.amsl.com>; Wed, 21 Oct 2015 14:01:39 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3763A1B3078 for <oauth@ietf.org>; Wed, 21 Oct 2015 14:01:39 -0700 (PDT)
X-AuditID: 12074424-f79106d000007367-b1-5627fd31c8ef
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-7.mit.edu (Symantec Messaging Gateway) with SMTP id F0.F7.29543.13DF7265; Wed, 21 Oct 2015 17:01:37 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id t9LL1aaU023216; Wed, 21 Oct 2015 17:01:36 -0400
Received: from artemisia.richer.local (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t9LL1Yjl002522 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 21 Oct 2015 17:01:35 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_C83AD921-28C9-4370-B54C-A9E8754756DC"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <1629428037.1277959.1445459266645.JavaMail.yahoo@mail.yahoo.com>
Date: Wed, 21 Oct 2015 17:01:33 -0400
Message-Id: <1CCDDFCE-AB08-4539-9746-F21E24E039B0@mit.edu>
References: <BC3FBA11-9796-470D-A7FF-722E5A1D53D0@gmail.com> <1629428037.1277959.1445459266645.JavaMail.yahoo@mail.yahoo.com>
To: Vivek Biswas <vivek_biswas@yahoo.com>
X-Mailer: Apple Mail (2.2104)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrGKsWRmVeSWpSXmKPExsUixG6nrmv4Vz3MoP2CuMXSnfdYLRp25luc fPuKzWLSketMDiweO2fdZfdYvGk/m8eSJT+ZPGbNOswUwBLFZZOSmpNZllqkb5fAlfGnr4u9 4NN+xooDB08wNjDeWsbYxcjJISFgIrF93ixmCFtM4sK99WwgtpDAYiaJvf3GXYxcQPZGRokJ +w6yQzgPmSSO9F9kAaliFkiQ+P53DzuIzSugJ/Hq1mVWEFtYwFHiQtdrsA1sAqoS09e0MIHY nAK+Ej37poPVswDFO57/ZwMZyiwwj1Gi8eUkVohBVhJ7/z1jhzijVuLIrN9gcREBTYkn11+w QJwqK7H79yOmCYwCs5DcMQvJHRBxbYllC18zQ9iaEvu7l7NgimtIdH6byLqAkW0Vo2xKbpVu bmJmTnFqsm5xcmJeXmqRrrlebmaJXmpK6SZGcHS4qOxgbD6kdIhRgINRiYf3wh/1MCHWxLLi ytxDjJIcTEqivA8+A4X4kvJTKjMSizPii0pzUosPMUpwMCuJ8Ea9B8rxpiRWVqUW5cOkpDlY lMR5N/3gCxESSE8sSc1OTS1ILYLJynBwKEnwFv4GahQsSk1PrUjLzClBSDNxcIIM5wEavhuk hre4IDG3ODMdIn+KUVFKnPcZSEIAJJFRmgfXC0peCW8Pm75iFAd6RZh3M0gVDzDxwXW/AhrM BDR44SNVkMEliQgpqQZGuZexDB+nzytR698QeUGVoW/vV/dfFzNX/zqpXJZb+Uzw4CxRib8B Xp13lriECiv/zxAwaLDxvnbr+VxvPeVPXx7/TDY448EWe2Avm3LI/IfT3UR3HRF6urD9u1Vz 1zmjnxEuYQsOqrxhffra0LzzwIPA6gPHmjsc9IyYb8dqlpjvvvgqLSBOiaU4I9FQi7moOBEA BE+1QzkDAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/yGw42vy7FFxefopanLqbfI5fidM>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] RFC 7662 on OAuth 2.0 Token Introspection
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Oct 2015 21:01:43 -0000
This was discussed extensively and is covered in the text of the RFC, but the summary is simple: the request isn’t a bad request (which is what 400 means). It’s a perfectly valid request, it’s just that the token you’re asking about might not be valid for some reason, or it might not be valid *for you*. Either way, you don’t actually want to divulge too much information about why the token is bad in a production environment or else you let attackers poke around and learn more about the system than they really need to know to function. As far as a protected resource is concerned, it likely doesn’t matter anyway. And an OAuth client isn’t going to be propagated that information, it’s just going to have to go get a new token. Since an OAuth client needs to be able to get a new token at a moment’s notice anyway, there’s not really anything useful in communicating it. This is a similar approach to the Revocation spec (RFC 7009) which always returns 200 whether or not the token existed or was successfully revoked. In any event, the client needs to assume that the token was revoked and stop using it, and it’s up to the server to deal with the consequences of error conditions. Hope this helps, — Justin > On Oct 21, 2015, at 4:27 PM, Vivek Biswas <vivek_biswas@yahoo.com> wrote: > > Yes indeed a nice job !!!!. > > I have one question on the RFC. > > Not sure where I can submit request for comments. Hence, adding to this email thread > > > In the use-case mentioned below > The following is a non-normative example response for a token that > has been revoked or is otherwise invalid: > > HTTP/1.1 200 OK > Content-Type: application/json > > { > "active": false > } > > > > Where the token is revoked or invalid, why not send a HTTP response code of 400 > > There are 2 benefits for the same. > A. Just looking at the header, we know that token validation didn't went through. No need to look in the payload. This is especially very helpful in gateway design implementation. > > B. You are further hiding from the user why the request failed and not letting him know if the token was processed by the server. > > Cheers > Vivek > > > > From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> > To: Hannes Tschofenig <hannes.tschofenig@gmx.net> > Cc: "<oauth@ietf.org>" <oauth@ietf.org> > Sent: Wednesday, October 21, 2015 4:47 AM > Subject: Re: [OAUTH-WG] RFC 7662 on OAuth 2.0 Token Introspection > > Yes, nice job! > > Sent from my iPhone > > > On Oct 21, 2015, at 4:20 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote: > > > > Thank you Justin for the hard work! > > > >> On 10/20/2015 06:32 PM, Justin Richer wrote: > >> Thank you to everyone who helped make token introspection into a real standard! > >> > >> — Justin > >> > >>> On Oct 19, 2015, at 6:56 PM, rfc-editor@rfc-editor.org <mailto:rfc-editor@rfc-editor.org> wrote: > >>> > >>> A new Request for Comments is now available in online RFC libraries. > >>> > >>> > >>> RFC 7662 > >>> > >>> Title: OAuth 2.0 Token Introspection > >>> Author: J. Richer, Ed. > >>> Status: Standards Track > >>> Stream: IETF > >>> Date: October 2015 > >>> Mailbox: ietf@justin.richer.org <mailto:ietf@justin.richer.org> > >>> Pages: 17 > >>> Characters: 36591 > >>> Updates/Obsoletes/SeeAlso: None > >>> > >>> I-D Tag: draft-ietf-oauth-introspection-11.txt > >>> > >>> URL: https://www.rfc-editor.org/info/rfc7662 <https://www.rfc-editor.org/info/rfc7662> > >>> > >>> DOI: http://dx.doi.org/10.17487/RFC7662 <http://dx.doi.org/10.17487/RFC7662> > >>> > >>> This specification defines a method for a protected resource to query > >>> an OAuth 2.0 authorization server to determine the active state of an > >>> OAuth 2.0 token and to determine meta-information about this token. > >>> OAuth 2.0 deployments can use this method to convey information about > >>> the authorization context of the token from the authorization server > >>> to the protected resource. > >>> > >>> This document is a product of the Web Authorization Protocol Working Group of the IETF. > >>> > >>> This is now a Proposed Standard. > >>> > >>> STANDARDS TRACK: This document specifies an Internet Standards Track > >>> protocol for the Internet community, and requests discussion and suggestions > >>> for improvements. Please refer to the current edition of the Official > >>> Internet Protocol Standards (https://www.rfc-editor.org/standards <https://www.rfc-editor.org/standards>) for the > >>> standardization state and status of this protocol. Distribution of this > >>> memo is unlimited. > >>> > >>> This announcement is sent to the IETF-Announce and rfc-dist lists. > >>> To subscribe or unsubscribe, see > >>> https://www.ietf.org/mailman/listinfo/ietf-announce <https://www.ietf.org/mailman/listinfo/ietf-announce> > >>> https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist <https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist> > >>> > >>> For searching the RFC series, see https://www.rfc-editor.org/search <https://www.rfc-editor.org/search> > >>> For downloading RFCs, see https://www.rfc-editor.org/rfc.html <https://www.rfc-editor.org/rfc.html> > >>> > >>> Requests for special distribution should be addressed to either the > >>> author of the RFC in question, or to rfc-editor@rfc-editor.org. <mailto:rfc-editor@rfc-editor.org.> Unless > >>> specifically noted otherwise on the RFC itself, all RFCs are for > >>> unlimited distribution. > >>> > >>> > >>> The RFC Editor Team > >>> Association Management Solutions, LLC > >>> > >>> > >>> _______________________________________________ > >>> OAuth mailing list > >>> OAuth@ietf.org <mailto:OAuth@ietf.org> > >>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> > > > > >> > >> _______________________________________________ > >> OAuth mailing list > >> OAuth@ietf.org <mailto:OAuth@ietf.org> > >> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org <mailto:OAuth@ietf.org> > > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] RFC 7662 on OAuth 2.0 Token Introspect… rfc-editor
- Re: [OAUTH-WG] RFC 7662 on OAuth 2.0 Token Intros… Justin Richer
- Re: [OAUTH-WG] RFC 7662 on OAuth 2.0 Token Intros… Hannes Tschofenig
- Re: [OAUTH-WG] RFC 7662 on OAuth 2.0 Token Intros… Kathleen Moriarty
- Re: [OAUTH-WG] RFC 7662 on OAuth 2.0 Token Intros… Vivek Biswas
- Re: [OAUTH-WG] RFC 7662 on OAuth 2.0 Token Intros… Justin Richer