Hi Bob,
On 26/11/12 10:47, Bob Gregory wrote:
> Hi Sergey,
> 
> We are less concerned about failure during the initial authorization,
> since an end-user might reasonably expect to be asked to sign in again
> if a failure occurs.

Indeed

> What's awkward here is that the user has been
> successfully using the application for some time, and - from their
> perspective - is suddenly signed out for no obvious reason.

I guess the issue can in principle be treated the same as if a client's current access token had expired and no refresh token had been provided, which I guess has to be dealt with the same way as when an authorization code grant has been lost, as you suggested above...

I'd consider some sort of RM support to really help mitigate this, but I may be wrong :-)

Sergey

> Can anybody with experience in deploying OAuth2 for mobile applications
> proffer advice? We can't be the only people seeing this, so I wonder if
> other implementers are mitigating the problem somehow.
> 
> -- Bob Gregory
> 
> 
> On Mon, Nov 26, 2012 at 9:53 AM, Sergey Beryozkin <[email protected]> wrote:

    On 23/11/12 12:43, Bob Gregory wrote:
     > We've had OAuth2 running successfully for a while now, but we're
    finding
     > that mobile applications have frequent problems with the refresh flow
     > where a refresh request is made, but the network connection fails
    before
     > the new AT/RT pair is received, leading to a "lost grant".
     >
     > In server-logs we can see that the token has been refreshed, and
    a new
     > RT issued, but the client is stuck with the old invalidated RT.
     >
     > This problem has been reported by two separate client
    applications, both
     > of whom are using a retry-mechanism for API requests since they
    expect
     > an unreliable network connection.
     >
     > Does anybody have any guidance on this issue, or is there any
    work in an
     > extension to address the issue of lost grants for token refreshes?
     >

    I wonder if RM support is needed at the transport/protocol level for
    this to work reliably?

    The same issue would also arise when an authorization code grant which
    is expected to be used only once is validated on the server and a new
    access token has not made it back to the client due to a connection
    loss...

    Sergey

     >
     > --
     > Q. How many members of a demographic group does it take to perform a
     > specified task?
     > A. A finite number; one to perform the task, and the remainder to
    act in
     > a manner stereotypical of the group in question.
     >
     >
     >
     > _______________________________________________
     > OAuth mailing list
     > [email protected]
     > https://www.ietf.org/mailman/listinfo/oauth






--
Bob Gregory  |  Application Architect | Huddle – manage projects, files
and people in the cloud

Email: [email protected] | Skype: flinkywistypomm
Web: www.huddle.com | Blog: blog.huddle.net | Twitter: @bobfromhuddle

UK office: Unit B, Gemini House, 180 Bermondsey Street, London, SE1 3TQ
US office: 425 Bush Street, Suite 435, San Francisco CA 94108




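The "lost grant" Bob describes above (the refresh request reaches the server, the server rotates the refresh token and invalidates the old one, but the response carrying the new AT/RT pair never reaches the client, so its retry presents a dead RT) as an added example. This is not code from the thread or from either poster, and the thread itself does not propose this fix; it shows one common server-side mitigation: the server remembers which pair it issued when it rotated an RT and, for a short grace window and only while that new pair is still unused, answers a repeat of the superseded RT with the very same pair, so the client's retry recovers. Reuse after the window, or after the successor has already been used, is treated as token theft and the whole grant family is revoked, which is the usual rotation behaviour. The class and function names, the 30-second window and the in-memory store are all assumptions of this example.

```python
"""Refresh-token rotation that tolerates a lost response (added example)."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


class InvalidGrant(Exception):
    """Stands in for the token endpoint's 'invalid_grant' error response."""


@dataclass
class TokenPair:
    access_token: str
    refresh_token: str


@dataclass
class RefreshRecord:
    family: str                             # one authorization = one family of RTs
    successor: Optional[TokenPair] = None   # the pair issued when this RT was rotated
    rotated_at: float = 0.0


class AuthorizationServer:
    GRACE_SECONDS = 30.0  # assumption: how long a superseded RT may be re-presented

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        self.refresh_tokens: Dict[str, RefreshRecord] = {}
        self.revoked_families: Set[str] = set()

    def _mint(self, family: str) -> TokenPair:
        pair = TokenPair(secrets.token_urlsafe(16), secrets.token_urlsafe(16))
        self.refresh_tokens[pair.refresh_token] = RefreshRecord(family)
        return pair

    def issue_initial_grant(self) -> TokenPair:
        # Stands in for a successful authorization-code exchange.
        return self._mint(family=secrets.token_hex(8))

    def refresh(self, presented_rt: str) -> TokenPair:
        rec = self.refresh_tokens.get(presented_rt)
        if rec is None or rec.family in self.revoked_families:
            raise InvalidGrant("unknown or revoked refresh token")
        now = self.clock()
        if rec.successor is None:
            # Normal path: rotate, but remember what was handed out and when.
            rec.successor, rec.rotated_at = self._mint(rec.family), now
            return rec.successor
        # A superseded RT is being presented again. If the pair we issued for it
        # has never been used and the grace window is still open, this is
        # consistent with a retransmission whose reply was lost: return that
        # same pair instead of minting another one.
        successor_unused = self.refresh_tokens[rec.successor.refresh_token].successor is None
        if successor_unused and now - rec.rotated_at <= self.GRACE_SECONDS:
            return rec.successor
        # Otherwise the token is in more hands than it should be: kill the family.
        self.revoked_families.add(rec.family)
        raise InvalidGrant("refresh token reuse detected; grant revoked")


def rejected(server: AuthorizationServer, rt: str) -> bool:
    """True if the server answers this refresh with invalid_grant."""
    try:
        server.refresh(rt)
        return False
    except InvalidGrant:
        return True


def lost_response_is_recoverable() -> bool:
    """The thread's failure: request arrives, reply is lost, client retries."""
    server = AuthorizationServer(clock=lambda: 1000.0)
    first = server.issue_initial_grant()
    lost = server.refresh(first.refresh_token)    # reply dropped on the wire
    retry = server.refresh(first.refresh_token)   # client retries with the RT it still has
    # The retry gets the very pair the server logged as issued, and it is live.
    return retry == lost and not rejected(server, retry.refresh_token)


def stale_replay_is_rejected() -> bool:
    """Old RT replayed after its successor was used: family revoked for everyone."""
    server = AuthorizationServer(clock=lambda: 1000.0)
    first = server.issue_initial_grant()
    second = server.refresh(first.refresh_token)
    server.refresh(second.refresh_token)          # legitimate client has moved on
    return rejected(server, first.refresh_token) and rejected(server, second.refresh_token)


def replay_after_window_is_rejected() -> bool:
    """Old RT replayed 31 s after rotation, new RT still unused: also revoked."""
    now = [1000.0]
    server = AuthorizationServer(clock=lambda: now[0])
    first = server.issue_initial_grant()
    second = server.refresh(first.refresh_token)
    now[0] += AuthorizationServer.GRACE_SECONDS + 1
    return rejected(server, first.refresh_token) and rejected(server, second.refresh_token)
```

The trade-off is explicit in the window check: for GRACE_SECONDS a stolen refresh token can still be exchanged, but only for the pair the legitimate client is also about to receive, and the first party to spend the successor closes the window for the other. The window therefore only needs to cover the client's retry budget, not user-visible time. A production store would keep hashes of the refresh tokens rather than the tokens themselves and would persist the successor pointer transactionally with the rotation, since the whole point is that the record survives the moment the response is lost. The single-use authorization code Sergey mentions has the same shape and admits the same treatment: remember what was issued for the code and, within a short window, re-issue it only while it is still unused.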
