Hello ACE,

We have submitted an updated version of draft-tiloca-ace-revoked-token-notification

https://datatracker.ietf.org/doc/html/draft-tiloca-ace-revoked-token-notification-05

The document describes how an Authorization Server can notify Clients and Resource Servers of revoked but yet not expired Access Tokens. This is achieved by means of a Token Revocation List (TRL) resource at the AS, that a device can access and observe by using resource observation for CoAP. The approach complements token introspection at the AS, and does not require additional endpoints on Clients and Resource Servers.

This update is especially about:

1) Addressing the comments from Michael Richardson [1] over the previous version - Thanks a lot!

2) Specifying the optional additional usage of the "pmax" conditional attribute from [2].

Comments are very welcome!

Best,
/Marco

[1] https://mailarchive.ietf.org/arch/msg/ace/4eg79d-ekcI--O5zXa3irpHxqrc/
[2] https://datatracker.ietf.org/doc/draft-ietf-core-conditional-attributes/

-------- Forwarded Message --------
Subject: New Version Notification for draft-tiloca-ace-revoked-token-notification-05.txt
Date: Mon, 12 Jul 2021 09:02:41 -0700
From: [email protected]
To: Francesca Palombini <[email protected]>, Grace Lewis <[email protected]>, Ludwig Seitz <[email protected]>, Marco Tiloca <[email protected]>, Sebastian Echeverria <[email protected]>

A new version of I-D, draft-tiloca-ace-revoked-token-notification-05.txt has been successfully submitted by Marco Tiloca and posted to the IETF repository.

Name: draft-tiloca-ace-revoked-token-notification
Revision: 05
Title: Notification of Revoked Access Tokens in the Authentication and Authorization for Constrained Environments (ACE) Framework
Document date: 2021-07-12
Group: Individual Submission
Pages: 35
URL: https://www.ietf.org/archive/id/draft-tiloca-ace-revoked-token-notification-05.txt
Status: https://datatracker.ietf.org/doc/draft-tiloca-ace-revoked-token-notification/
Htmlized: https://datatracker.ietf.org/doc/html/draft-tiloca-ace-revoked-token-notification
Diff: https://www.ietf.org/rfcdiff?url2=draft-tiloca-ace-revoked-token-notification-05

Abstract:
This document specifies a method of the Authentication and Authorization for Constrained Environments (ACE) framework, which allows an Authorization Server to notify Clients and Resource Servers (i.e., registered devices) about revoked Access Tokens. The method relies on resource observation for the Constrained Application Protocol (CoAP), with Clients and Resource Servers observing a Token Revocation List on the Authorization Server. Resulting unsolicited notifications of revoked Access Tokens complement alternative approaches such as token introspection, while not requiring additional endpoints on Clients and Resource Servers.

The IETF Secretariat
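The mechanism the abstract describes, as an added illustration that is not code from the draft or its authors: an Authorization Server keeps a Token Revocation List, registered devices hold an observation on it (an in-memory observer registry stands in for CoAP Observe here), and every change to the list is pushed to them, so a Resource Server can reject a revoked-but-unexpired token from its local copy without introspecting at the AS. Everything beyond that outline is an assumption of this example: TRL entries are SHA-256 hashes of the token bytes, a notification carries the full current list, expired tokens are pruned from the list (the RS still rejects them via their expiry), and "pmax" is modelled as the maximum interval between two notifications to an observer even when the list did not change. Token values and timings are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample tokens (opaque byte strings as a Client would carry them).
TOKEN_A = b"constructed-access-token-A"
TOKEN_B = b"constructed-access-token-B"
TOKEN_LIFETIME = 100.0  # seconds, constructed


def token_hash(token: bytes) -> str:
    # Assumption: the TRL lists hashes so the tokens themselves are not redistributed.
    return hashlib.sha256(token).hexdigest()


@dataclass
class Device:
    """A Client or Resource Server observing the TRL (hypothetical device model)."""
    name: str
    local_trl: Set[str] = field(default_factory=set)
    notifications: List[Tuple[float, int]] = field(default_factory=list)
    last_notified: float = 0.0

    def on_notification(self, trl_snapshot: Set[str], now: float) -> None:
        # Assumption: each notification carries the whole list; the device replaces its copy.
        self.local_trl = set(trl_snapshot)
        self.notifications.append((now, len(trl_snapshot)))
        self.last_notified = now


@dataclass
class AuthorizationServer:
    trl: Set[str] = field(default_factory=set)
    observers: Dict[str, Tuple[Device, Optional[float]]] = field(default_factory=dict)
    issued: Dict[str, float] = field(default_factory=dict)  # token hash -> expiry time

    def issue(self, token: bytes, lifetime: float, now: float) -> None:
        self.issued[token_hash(token)] = now + lifetime

    def observe(self, device: Device, now: float, pmax: Optional[float] = None) -> None:
        # Registering an observation yields an initial notification with the current list.
        self.observers[device.name] = (device, pmax)
        device.on_notification(self.trl, now)

    def revoke(self, token: bytes, now: float) -> None:
        # Only tokens that are still valid need to go on the list.
        h = token_hash(token)
        if self.issued.get(h, 0.0) > now:
            self.trl.add(h)
            self._notify_all(now)

    def expire(self, now: float) -> bool:
        # Assumption: once a revoked token has expired it is removed from the list,
        # because every RS rejects it anyway on the basis of its expiry.
        expired = {h for h in self.trl if self.issued.get(h, 0.0) <= now}
        if expired:
            self.trl -= expired
            self._notify_all(now)
        return bool(expired)

    def tick(self, now: float) -> None:
        # Assumed pmax semantics: re-notify observers whose last notification is older
        # than pmax, even though the list is unchanged.
        for device, pmax in self.observers.values():
            if pmax is not None and now - device.last_notified >= pmax:
                device.on_notification(self.trl, now)

    def _notify_all(self, now: float) -> None:
        for device, _ in self.observers.values():
            device.on_notification(self.trl, now)


def rs_accepts(rs: Device, token: bytes, expiry: float, now: float) -> bool:
    """RS-side check on an incoming token: expiry first, then the local TRL copy.
    No round trip to the AS (introspection) is needed per request."""
    if expiry <= now:
        return False
    return token_hash(token) not in rs.local_trl


def run_scenario() -> dict:
    as_ = AuthorizationServer()
    client, rs = Device("client"), Device("rs")
    as_.issue(TOKEN_A, TOKEN_LIFETIME, now=0.0)
    as_.issue(TOKEN_B, TOKEN_LIFETIME, now=0.0)
    as_.observe(client, now=0.0)            # plain observation
    as_.observe(rs, now=0.0, pmax=30.0)      # observation with a pmax of 30 s
    r = {}
    r["a_before_revocation"] = rs_accepts(rs, TOKEN_A, TOKEN_LIFETIME, now=1.0)
    as_.revoke(TOKEN_A, now=10.0)            # pushed to both observers
    r["a_after_revocation"] = rs_accepts(rs, TOKEN_A, TOKEN_LIFETIME, now=11.0)
    r["b_after_revocation"] = rs_accepts(rs, TOKEN_B, TOKEN_LIFETIME, now=11.0)
    as_.tick(now=20.0)                       # 10 s since last notification: nothing re-sent
    r["rs_notifications_t20"] = len(rs.notifications)
    as_.tick(now=50.0)                       # 40 s >= pmax: RS refreshed, client not
    r["rs_notifications_t50"] = len(rs.notifications)
    r["client_notifications_t50"] = len(client.notifications)
    r["pruned"] = as_.expire(now=100.0)      # both tokens expired: list emptied, pushed
    r["trl_empty"] = len(as_.trl) == 0
    r["a_after_expiry"] = rs_accepts(rs, TOKEN_A, TOKEN_LIFETIME, now=101.0)
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the pmax step is liveness: without it, an RS whose observation silently died would keep accepting tokens revoked after the last notification it received, whereas with pmax the absence of a refresh within the period is itself detectable by the RS.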
