I'd like to voice support for Dick's proposal of re-scoping[1] and (in later discussion) revoking access tokens using the refresh token as authentication. I'd like to see us give clients a way to manipulate tokens through OAuth entirely. I also think that revoke should be a separate mechanism from rescoping, and that it should be handled through a parameter, such as "type" in Dick's proposal.
It would not only give us more full token management, I think it will actually help with some redelegation situations that I've been talking about with some of my colleagues here. You can scope an access token down to a subset of your original scopes without user intervention, and then hand that subscoped token to another client. I'll be getting together with folks to talk about this redelegation stuff shortly, so more on that later; but it is something we're definitely interested in, and I've seen others voice interest in it as well. This does raise the question of one refresh token (and therefore one user authorization) being associated with multiple simultaneously-valid access tokens, though. The spec seems to assume a single access token is valid for a given authorization at a time, but is mostly silent on the matter. -- Justin [1] http://www.ietf.org/mail-archive/web/oauth/current/msg02408.html On Fri, 2010-06-11 at 13:02 -0400, Torsten Lodderstedt wrote: > Hi Eran, > > you probably didn't notice my posting. What do you think about adding > a revocation request to the spec? > > regards, > Torsten. > > -------- Original-Nachricht -------- > Betreff: > Re: [OAUTH-WG] in-app logout? > Datum: > Wed, 26 May 2010 20:26:18 +0200 > Von: > Torsten Lodderstedt > <[email protected]> > An: > Eran Hammer-Lahav > <[email protected]> > CC: > OAuth WG ([email protected]) > <[email protected]> > > > Hi Eran, > > in my perception, there is some support on the list for having a request > to revoke refresh tokens. Will you add such a request to the > specification? Do you need a text proposal? > > regards, > Torsten. > > > IMHO this would look more like a hack than proper protocol design. We need > > a delete/revoke operation that's the pendant to the other token operations > > (i.e. > > crud ops). > > > > Hubert > > > > > > > > On Fri, May 21, 2010 at 7:05 PM, Beau Lebens<[email protected]> > > wrote: > > > >> Could this just be implemented through support for a scope change > >> where scope=none or revoke or something? > >> > >> On Friday, May 21, 2010, Lukas Rosenstock<[email protected]> wrote: > >> > >>> Why not simply add this functionality to the token endpoint?The same > >>> place that was used to fetch the access token first or refresh it could > >>> be used to revoke the same token with another request. The only > >>> requirement would be to define something like type=revoke. > >>> I feel that is much easier than making the token a URL which supports > >>> DELETE. > >>> However, any mechanism will break implementations that rely on minimal or > >>> no communication between authorization server and protected resource, > >>> because all protected resources have to be informed. > >>> > >>> Regards, Lukas > >>> > >>> 2010/5/16 Dick Hardt<[email protected]> > >>> > >>> James: An important capability of the refresh token is that it *can* be a > >>> self contained token in that is not an id, but a signed token that can be > >>> examined and acted upon on presentation. > >>> Torsten: enabling a client to revoke a refresh token looks like a useful > >>> mechanism. I anticipate it will be viewed as a vitamin feature rather > >>> than a painkiller and will fall by the wayside unless the security > >>> conscience rally to have it included. > >>> > >>> > >>> -- Dick > >>> > >>> > >>> On Thu, May 13, 2010 at 7:10 AM, Manger, James > >>> H<[email protected]> wrote: > >>> Torsten, > >>> > >>> > >>>> What about refresh token revocation/deletion? > >>>> > >>> HTTP already has a method to do this: DELETE > >>> It just needs each token to have a URI. > >>> > >>> Tokens (almost) already have URIs -- its just not immediately obvious > >>> because the URI has to be built from a common token endpoint and a > >>> refresh_token. > >>> > >>> I think it would improve the spec if refresh_token was renamed to, say, > >>> token_id; and its value defined as a URI (which can be a relative URI so > >>> the string may not need to change at all). > >>> > >>> To refresh a token you POST to the token's URI. > >>> To delete a token you send a DELETE request to the token's URI. > >>> > >>> It doesn't cause major changes, but there are some benefits. > >>> It is a more web-style design. > >>> It leaves only 1 type of token in the spec -- an access token -- which > >>> simplifies the text and aids understanding. > >>> There are no arguments about length, allowed chars etc because it is a > >>> URI -- a well-known type, often with native support. > >>> Its obvious how to delete the token as there is a standard HTTP method > >>> DELETE to apply to the token URI. > >>> > >>> If a particular service supported an additional way to delete items in > >>> its API (eg POST with a method=delete query parameter) that could apply > >>> to the OAuth part as well. > >>> > >>> -- > >>> James Manger > >>> _______________________________________________ > >>> OAuth mailing list > >>> [email protected] > >>> https://www.ietf.org/mailman/listinfo/oauth > >>> > >>> > >>> > >>> _______________________________________________ > >>> OAuth mailing list > >>> [email protected] > >>> https://www.ietf.org/mailman/listinfo/oauth > >>> > >>> > >>> > >>> -- > >>> http://lukasrosenstock.net/ > >>> > >>> > >>> > >> _______________________________________________ > >> OAuth mailing list > >> [email protected] > >> https://www.ietf.org/mailman/listinfo/oauth > >> > >> > > _______________________________________________ > > OAuth mailing list > > [email protected] > > https://www.ietf.org/mailman/listinfo/oauth > > > > > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
