Re: [regext] Login/Logout Processing (was RE: I-D Action: draft-ietf-regext-rdap-openid-15.txt)
"Hollenbeck, Scott" <shollenbeck@verisign.com> Tue, 12 July 2022 13:17 UTC
Return-Path: <shollenbeck@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A8B3C14F728 for <regext@ietfa.amsl.com>; Tue, 12 Jul 2022 06:17:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SjSOSA0ErX7y for <regext@ietfa.amsl.com>; Tue, 12 Jul 2022 06:17:53 -0700 (PDT)
Received: from mail4.verisign.com (mail4.verisign.com [69.58.187.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E393C14F736 for <regext@ietf.org>; Tue, 12 Jul 2022 06:17:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=8154; q=dns/txt; s=VRSN; t=1657631874; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=g9Ew53PAmngUt41AIqR3wr388UUpwMr7rKHXOxiOMj8=; b=JSmWE7nJ/z4lOOZWtbitP/IX0ZG4twau5f5u+xlwI0hqX4PvWHaWbnY9 6JCUL32XuB0HkHt+ur11NspGaO+3a5/HJPKjUx3xblcc7rZxxzJ8VtAlJ TserLKmyAsqDKOMgHxFve/1XqnclhRvXCTNzpJ0G+hn16mV1Mtw9UnQC0 iih1RFWCRw02LQp7q6Bh+etpSFp6AkOygL7q0kCfQEQAta94+/kFM8JXO pOv2T86Ywu6wW+NgCuANZffmxWchQNbGRd/bjgjrhhY1sRVbpYYrEbJHq pSGz20nXsigAsTd7eHsIlg3YZhs8uHz6lZPsh0d+DR5uT586tjN3TYzHh A==;
IronPort-Data: A9a23:2/MZPqPLYoGTNnLvrR3IlsFynXyQoLVcMsEvi/4bfWQNrUpwgzEFm jMcXWuBPPzbN2X9eo10aoi38k1X78DdxoBgGwZtpSBmQkwRpJueD7x1DKtS0wC6dZSfER09v 63yTvGacajYm1eF/k/F3oAMKRCQ7InQLlbGILes1htZGEk1Ek/NtTo5w7Rj2tEx24Dga++wk YiaT/P3aQfNNwFcbzp8B5Kr8HuDa9yr5Vv0FnRnDRx6lAe2e0s9VfrzFonoR5fMebS4K8bhL wr15Orgoj6GpUdF5uSNyd4XemVSKlLbFVbW1ioOA8BOiDAazsA5+v5T2Pbx9S67IthG9jx84 IwliHC+desmFu7tqLsbCCEIKAR/MY9BxqDAH0WaicPGmiUqc1O0qxlvJGsMG9Qn3MtHWTsI6 /cfMihLZxzFmfitxvSwTewEasYLdZGtZdxE/Cg9lneFXJ7KQriaK0nOzcRY2zM0i8ZEEP3dT 9QUczt0bRvGJRZIPz/7Dbpnwbfz2SGvIlW0rnrNv4Qy+XTd/TVD84rnM9HsY+3JX9x8yxPwS mXuuj6R7gshHN6QzieB/ifw3vHChyLgWY0UUra/89ZmhVSJzSoSBQEYE1yhrpGRsFG/X9JSL 0k84is0668o+ySDVNTyUg2kiH+JohBaXMBfe9DW8ymH0KyN/ACUFjBeCyVfcpojtdRzTzts3 EWPxpX3Hydp9raSTBpx64upkN97AgBNRUdqWMPOZVJtDwXLyG3rsi/ycw==
IronPort-HdrOrdr: A9a23:ZimXxKB8pty2YRTlHemH55DYdb4zR+YMi2TDj3oBLCC9Afbo8/ xG+85rriMc6QxhIE3I9urgBEDtexnhHNtOkOss1NSZLXPbUQmTTL2KhLGKq1bd8m/Fh41gPM xbH5SWfeefMbEMt6nHCWeDfurIi+P3l5xAzd2uqUuFYzsaEp1d0w==
X-IronPort-AV: E=Sophos;i="5.92,265,1650945600"; d="scan'208";a="15837089"
Received: from BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2375.24; Tue, 12 Jul 2022 09:17:51 -0400
Received: from BRN1WNEX02.vcorp.ad.vrsn.com ([10.173.153.49]) by BRN1WNEX02.vcorp.ad.vrsn.com ([10.173.153.49]) with mapi id 15.01.2375.024; Tue, 12 Jul 2022 09:17:51 -0400
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "jgould=40verisign.com@dmarc.ietf.org" <jgould=40verisign.com@dmarc.ietf.org>, "Rwilhelm@PIR.org" <Rwilhelm@PIR.org>, "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [regext] Login/Logout Processing (was RE: I-D Action: draft-ietf-regext-rdap-openid-15.txt)
Thread-Index: AQHYlfErOYryTOFLcEa1k/pEddYKCK16txaA
Date: Tue, 12 Jul 2022 13:17:51 +0000
Message-ID: <08c3a4aecaeb467eac9152b880cc85ba@verisign.com>
References: <920FFD8E-B060-416D-B838-61010E51C50A@verisign.com>
In-Reply-To: <920FFD8E-B060-416D-B838-61010E51C50A@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/mmNA_IVSZyzVh229N7VTaXEz190>
Subject: Re: [regext] Login/Logout Processing (was RE: I-D Action: draft-ietf-regext-rdap-openid-15.txt)
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2022 13:17:57 -0000
Thanks, Jim. I'm working on -16 to address this topic and other recent feedback. I'm planning to include text that describes error return conditions. Scott > -----Original Message----- > From: Gould, James <jgould=40verisign.com@dmarc.ietf.org> > Sent: Tuesday, July 12, 2022 9:13 AM > To: Hollenbeck, Scott <shollenbeck@verisign.com>; Rwilhelm@PIR.org; > regext@ietf.org > Subject: [EXTERNAL] Re: [regext] Login/Logout Processing (was RE: I-D > Action: draft-ietf-regext-rdap-openid-15.txt) > > Caution: This email originated from outside the organization. Do not click links > or open attachments unless you recognize the sender and know the content > is safe. > > Scott, > > My preference is option 1, where if the request conflicts with the current > state it needs to result in an error. > > -- > > JG > > > > James Gould > Fellow Engineer > jgould@Verisign.com <applewebdata://13890C55-AAE8-4BF3-A6CE- > B4BA42740803/jgould@Verisign.com> > > 703-948-3271 > 12061 Bluemont Way > Reston, VA 20190 > > Verisign.com <http://secure-web.cisco.com/146IYbLb06o7EQ5y- > S9CI7Wv51aAaxl8hFAuOBaHou3sDkfQPFMQu6BUoW4k5ofYC5YtOj6XXRCKD > HYzan_NZGxdaN0YSvV0pwQb7R9i9kzQj1h9R05Pagm54- > 27p6uMqOMzoZGv2vinpZe2J8m4PKqdSLdJjiCepHPZ1JM1mtuI50NVmuZ8vRF > i_0YBy7IEEjGceS0HpXLfup5UC4X63esKGLab9WHmN- > OZdrNHmUQpEtHd1kkwxdbMiJ2nTpenX/http%3A%2F%2Fverisigninc.com%2 > F> > > On 7/7/22, 11:02 AM, "regext on behalf of Hollenbeck, Scott" <regext- > bounces@ietf.org on behalf of shollenbeck=40verisign.com@dmarc.ietf.org> > wrote: > > > Thanks, Rick. Trimming things up a bit and changing the subject > appropriately... > > >>> In the last sentence: Is the client required to wait until the access > >>> token has > >>> expired before submitting the new login request? Or can it send > logout > >>> and > >>> login back-to-back? (Or even just a login command while currently > logged > >>> in?) > > >> [SAH] Let's talk about this. What's appropriate behavior? IF the server > >> gets a > >> "login" during an active session, it can either ignore the second "login", > >> or it > >> can return an error. Similarly, it the server gets a "logout" when there's > >> no > >> active session, it can either ignore the "logout" or return an error. I'm > >> inclined to return an error to explicitly note that the submitted > >> query/command > >> wasn't processed as requested. > > > [RW] First off, I will certainly defer to those with more implementation in > > this > > realm. However, based on my experience as a user, I would expect a > login > > that > > happens during an active session to "just work" and override the > previous > > active > > session. This could happen when I have an active session at the server > but > > the > > client browser (with the session) crashes or is otherwise inaccessible. > > This > > seems better than the alternative: If the new login request is refused, > > then > > the user is (essentially) locked out until the session timeout value > > expires. > > Related, if the server gets a "logout" when there is no active session, I > > think > > that it should ignore the "logout" (rather than returning an error). The > > thinking being that returning an error is at best useless and at worst could > > be > > an information leak (aka security risk). > > The document currently describes a session/refresh path segment to > perform the > kind of "override" behavior described above. Having a "login followed by a > login" do the same thing seems counter-intuitive. My own experience with > server-side session management is that there is no lockout. If the client > sends the right HTTP cookie, and the session is still active, there won't be a > problem. Another login should be possible if the "old" session gets > corrupted. > > Let's look at the server-side options again for situations in which the server > receives a login followed by a login, or a logout where there's been no > login, > or a refresh without an active session, or a session status without an active > session: > > 1. Return an error. HTTP includes a 409 (Conflict) response that can be > returned if a received request conflicts with the current state of the server. > > 2. Accept the request and ignore it. I'm not sure what an appropriate HTTP > response code would be for this situation. > > 3. Accept the request and do "something". > > Option 1 can be done consistently for all the above request sequences. > Option > 2 seems like it could mislead the client into thinking that something has > happened unless there is, in fact, an appropriate HTTP response code > available > to describe a no-op (I couldn't find one). Option 3 might be doable if we > can > figure out what the "somethings" are, like processing a second login > received > while a session is active, but the other command sequences present > problems. > As you described above, a logout received without an active session is > processed differently than the "login followed by a login" situation. Is that > really the best course of action? I think consistent behavior would be > preferred. > > Scott > > _______________________________________________ > regext mailing list > regext@ietf.org > https://secure- > web.cisco.com/1zzMrKkgYlj9VhlxPYw6YLgXo4UAztsC_b_SIIxy0OJCV9U2y757 > cdfeXR- > TsC4CBsm4x0Yza6BzHsVVgxL47gZOr0EEg3eYwSmzQahgfdLx6MCjcvGofpNEU > HHZt2Y9yHuOqVA2iKKNDFe4kYtLZHy4rnHFrCuG4pBqHTT16_dC9eQWYrcA7F > A4k25iCZW0YD3jfVPuhbDXOJoN5T2R71VL27lBZvgz67YLjIgfoeMRu8B5U9- > yu2qyTAFnQ2bvd/https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2 > Fregext >
- [regext] Login/Logout Processing (was RE: I-D Act… Hollenbeck, Scott
- Re: [regext] Login/Logout Processing (was RE: I-D… Mario Loffredo
- Re: [regext] Login/Logout Processing (was RE: I-D… Hollenbeck, Scott
- Re: [regext] Login/Logout Processing (was RE: I-D… Gould, James
- Re: [regext] Login/Logout Processing (was RE: I-D… Hollenbeck, Scott
- Re: [regext] Login/Logout Processing (was RE: I-D… Rick Wilhelm
- Re: [regext] Login/Logout Processing (was RE: I-D… Hollenbeck, Scott
- Re: [regext] Login/Logout Processing (was RE: I-D… Mario Loffredo
- Re: [regext] NA Re: Login/Logout Processing (was … Rick Wilhelm