Re: [regext] Login/Logout Processing (was RE: I-D Action: draft-ietf-regext-rdap-openid-15.txt)
"Gould, James" <jgould@verisign.com> Tue, 12 July 2022 13:13 UTC
Return-Path: <jgould@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70DF5C14F725 for <regext@ietfa.amsl.com>; Tue, 12 Jul 2022 06:13:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r_uRsvQc75a9 for <regext@ietfa.amsl.com>; Tue, 12 Jul 2022 06:13:42 -0700 (PDT)
Received: from mail5.verisign.com (mail5.verisign.com [69.58.187.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16452C14F740 for <regext@ietf.org>; Tue, 12 Jul 2022 06:13:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=6480; q=dns/txt; s=VRSN; t=1657631609; h=from:to:subject:date:message-id:content-id: content-transfer-encoding:mime-version; bh=j1FbYGv8GNUuFn2IJTUTl6l0cWyBIMf549uMX15nuIY=; b=OXK7rDJlk4IsR4xQWTLePcBCZ7ZE3niET1ayrPpkBNdpgy5cRdv/Z9iq clUZFdoC62ZufniCa1fsOvxfF3FTrXQ2p9sqPHC66hXWuBqdA7svkWNjh qQHc5PPhvqEDWegh1FvrzVTBNcnN6IcEIbNyBagT2pJ06gKRFAiH/M/ra V8q4HICU/N6tJqxQYbWUespvpxhPa//TWgQn3XsF3icQ/n8ZMZzwGrakp B3KIdPyTyd7l963QJO/UVAKwj6heYUJkobvHF+cKpEwd/qYgzlKaR5UzD /ewjSkQ/FcIzaPO5dNEUHIeIY2eQzHD64qHisZHBSvTx+StDkk4YnT5yK Q==;
IronPort-Data: A9a23:oh8iyqCdnODB9BVW/0Tiw5YqxClBgxIJ4kV8jS/XYbTApGwkhGAFx mVKCGqPaaqONmr9etggYYzj/UtSvZLSzoQ2TANkpHpgcSlH+JHPbTi7wuUcHAvJd5GeExg3h yk6QoOdRCzhZiaE/n9BClVlxJVF/fngqoDUUYYoAQgsA14+IMsdoUg7wbRh3dcy2YHR7z6l4 rseneWOYDdJ5BYpagr424rbwP+4lK2v0N+wlgVWicFj5DcypVFMZH4sDfjZw0/Df2VhNrXSq 9Drl+jlozyDr3/BPfv++lrzWhVirrf6Y1DS2iIOM0SoqkAqSicais7XOBeAAKv+Zvrgc91Zk b1wWZKMpQgBH4iQlL8UfwNhHwphZ6oYp+bfcHOWvpnGp6HGWyOEL/RGJnsQZLI+19YvWCdQ/ vsCMHYEYladnfmwhrm8T4GAhOx6dI+yY9hZ4yw7i22JZRolacmrr6Hi59BfwTM8rt5DB/fFZ sUfLzFoaXwsZjUWZwtOWMhkwo9EgFHxLRlol1ONm5MlxFjM71BMjpPiP4TKL4niqcJ92xzwS nj913/5BRUeOdqVxDGGpy70mOLVnDj6V4RUH7q93vJviUeYgG0eFBNQUkG0ydGDlU+6W99bL mQM+zBoqrI9nGSxQ9bwTwGQoXOYsFgbQdU4LgEhwAuXzPPL5QuJXjFBVSBbLtknr4o8Qnogz FnQ2c3zHjopu7qQIZ6AyoqpQfqJEXB9BQc/ieUsFGPpP/GLTFkPsy/y
IronPort-HdrOrdr: A9a23:+gC7Oq2evTsFHcEqQkmAxAqjBG8kLtp133Aq2lEZdPUzSL38qy nOpoV46faaslYssR0b9+xoW5PufZq0z/cc3WB7B8bAYOCJggqVBbAnw4fkzybpBiHyssVMvJ 0NT4FOTPn9F0Jzg8q/wgWpeuxL/PC3tISln/3XwXsodxxtcK0I1WpEIxyWCVJ7XzNLApcFFJ 6Rj/Atmwad
X-IronPort-AV: E=Sophos;i="5.92,265,1650945600"; d="scan'208";a="15418226"
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2375.24; Tue, 12 Jul 2022 09:13:26 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) by BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) with mapi id 15.01.2375.024; Tue, 12 Jul 2022 09:13:26 -0400
From: "Gould, James" <jgould@verisign.com>
To: "shollenbeck=40verisign.com@dmarc.ietf.org" <shollenbeck=40verisign.com@dmarc.ietf.org>, "Rwilhelm@PIR.org" <Rwilhelm@PIR.org>, "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [regext] Login/Logout Processing (was RE: I-D Action: draft-ietf-regext-rdap-openid-15.txt)
Thread-Index: AQHYlfErOYryTOFLcEa1k/pEddYKCA==
Date: Tue, 12 Jul 2022 13:13:26 +0000
Message-ID: <920FFD8E-B060-416D-B838-61010E51C50A@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.59.22031300
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-ID: <1C3EFB960B57734E932E2959DE9E4ED5@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/LZxZ1S4DXhH4NTjTy6VtRbN0Dss>
Subject: Re: [regext] Login/Logout Processing (was RE: I-D Action: draft-ietf-regext-rdap-openid-15.txt)
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2022 13:13:46 -0000
Scott, My preference is option 1, where if the request conflicts with the current state it needs to result in an error. -- JG James Gould Fellow Engineer jgould@Verisign.com <applewebdata://13890C55-AAE8-4BF3-A6CE-B4BA42740803/jgould@Verisign.com> 703-948-3271 12061 Bluemont Way Reston, VA 20190 Verisign.com <http://verisigninc.com/> On 7/7/22, 11:02 AM, "regext on behalf of Hollenbeck, Scott" <regext-bounces@ietf.org on behalf of shollenbeck=40verisign.com@dmarc.ietf.org> wrote: Thanks, Rick. Trimming things up a bit and changing the subject appropriately... >>> In the last sentence: Is the client required to wait until the access >>> token has >>> expired before submitting the new login request? Or can it send logout >>> and >>> login back-to-back? (Or even just a login command while currently logged >>> in?) >> [SAH] Let's talk about this. What's appropriate behavior? IF the server >> gets a >> "login" during an active session, it can either ignore the second "login", >> or it >> can return an error. Similarly, it the server gets a "logout" when there's >> no >> active session, it can either ignore the "logout" or return an error. I'm >> inclined to return an error to explicitly note that the submitted >> query/command >> wasn't processed as requested. > [RW] First off, I will certainly defer to those with more implementation in > this > realm. However, based on my experience as a user, I would expect a login > that > happens during an active session to "just work" and override the previous > active > session. This could happen when I have an active session at the server but > the > client browser (with the session) crashes or is otherwise inaccessible. > This > seems better than the alternative: If the new login request is refused, > then > the user is (essentially) locked out until the session timeout value > expires. > Related, if the server gets a "logout" when there is no active session, I > think > that it should ignore the "logout" (rather than returning an error). The > thinking being that returning an error is at best useless and at worst could > be > an information leak (aka security risk). The document currently describes a session/refresh path segment to perform the kind of "override" behavior described above. Having a "login followed by a login" do the same thing seems counter-intuitive. My own experience with server-side session management is that there is no lockout. If the client sends the right HTTP cookie, and the session is still active, there won't be a problem. Another login should be possible if the "old" session gets corrupted. Let's look at the server-side options again for situations in which the server receives a login followed by a login, or a logout where there's been no login, or a refresh without an active session, or a session status without an active session: 1. Return an error. HTTP includes a 409 (Conflict) response that can be returned if a received request conflicts with the current state of the server. 2. Accept the request and ignore it. I'm not sure what an appropriate HTTP response code would be for this situation. 3. Accept the request and do "something". Option 1 can be done consistently for all the above request sequences. Option 2 seems like it could mislead the client into thinking that something has happened unless there is, in fact, an appropriate HTTP response code available to describe a no-op (I couldn't find one). Option 3 might be doable if we can figure out what the "somethings" are, like processing a second login received while a session is active, but the other command sequences present problems. As you described above, a logout received without an active session is processed differently than the "login followed by a login" situation. Is that really the best course of action? I think consistent behavior would be preferred. Scott _______________________________________________ regext mailing list regext@ietf.org https://secure-web.cisco.com/1zzMrKkgYlj9VhlxPYw6YLgXo4UAztsC_b_SIIxy0OJCV9U2y757cdfeXR-TsC4CBsm4x0Yza6BzHsVVgxL47gZOr0EEg3eYwSmzQahgfdLx6MCjcvGofpNEUHHZt2Y9yHuOqVA2iKKNDFe4kYtLZHy4rnHFrCuG4pBqHTT16_dC9eQWYrcA7FA4k25iCZW0YD3jfVPuhbDXOJoN5T2R71VL27lBZvgz67YLjIgfoeMRu8B5U9-yu2qyTAFnQ2bvd/https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fregext
- [regext] Login/Logout Processing (was RE: I-D Act… Hollenbeck, Scott
- Re: [regext] Login/Logout Processing (was RE: I-D… Mario Loffredo
- Re: [regext] Login/Logout Processing (was RE: I-D… Hollenbeck, Scott
- Re: [regext] Login/Logout Processing (was RE: I-D… Gould, James
- Re: [regext] Login/Logout Processing (was RE: I-D… Hollenbeck, Scott
- Re: [regext] Login/Logout Processing (was RE: I-D… Rick Wilhelm
- Re: [regext] Login/Logout Processing (was RE: I-D… Hollenbeck, Scott
- Re: [regext] Login/Logout Processing (was RE: I-D… Mario Loffredo
- Re: [regext] NA Re: Login/Logout Processing (was … Rick Wilhelm