Re: [OAUTH-WG] Review of Token Revocation draft
Justin Richer <jricher@mitre.org> Mon, 03 December 2012 15:31 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50A6F21F842E for <oauth@ietfa.amsl.com>; Mon, 3 Dec 2012 07:31:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.424
X-Spam-Level:
X-Spam-Status: No, score=-6.424 tagged_above=-999 required=5 tests=[AWL=0.174, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZnkLBwNdbqZr for <oauth@ietfa.amsl.com>; Mon, 3 Dec 2012 07:31:02 -0800 (PST)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 81FF121F8863 for <oauth@ietf.org>; Mon, 3 Dec 2012 07:30:55 -0800 (PST)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 96B5E43900A6 for <oauth@ietf.org>; Mon, 3 Dec 2012 10:30:53 -0500 (EST)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 3582A4510026 for <oauth@ietf.org>; Mon, 3 Dec 2012 10:30:53 -0500 (EST)
Received: from [10.146.15.29] (129.83.31.58) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.2.318.4; Mon, 3 Dec 2012 10:30:52 -0500
Message-ID: <50BCC54D.5060609@mitre.org>
Date: Mon, 03 Dec 2012 10:29:17 -0500
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: "Anganes, Amanda L" <aanganes@mitre.org>
References: <MLQM-20121130163426516-155207@mlite.mitre.org>
In-Reply-To: <MLQM-20121130163426516-155207@mlite.mitre.org>
Content-Type: multipart/alternative; boundary="------------040601050608070009060206"
X-Originating-IP: [129.83.31.58]
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Review of Token Revocation draft
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Dec 2012 15:31:05 -0000
An early draft of the revocation spec had this token type field, for this purpose. From an early conversation on the list with Torsten, we decided that most of the time it didn't matter, as different classes of token would be recognizable as different by the AS. In some implementations (like ours), this means checking different token stores in parallel for a given token value. In other implementations, they can key on something in the token to make the search more simple. But one of the reasons behind not having a "token type" parameter any more is that OAuth core defines two token classes: access and refresh. OpenID Connect adds another type, the id token. UMA adds a whole range of other types, from host access tokens and onward. Even dynamic registration adds a new class, the registration access token. So the problem is how do we manage all of these classes? Right now, the answer is "punt" by not having the field and putting the weight on the AS. But maybe we can revisit this decision with a bit more deployment experience. The way I see it, we've got a few options: 1) Leave it as-is, with no field. Client/RS/whoever just sends the token over and it's the AS's problem. 2) Define a required field with "access" and "refresh" value semantics, and state that other values MAY be accepted by a given AS, or defined by extension protocols. These extension values MUST be fully qualified URIs. 3) Same as #2, but with IANA registry to allow for non-collision of short names. 4) Define an optional field that the client MAY send as a hint to the AS, and it's up to the AS to figure out if it makes any sense in the context of the request. All bets are off as to the content of this field, other than "it's a string". There may be other approaches as well. -- Justin On 11/30/2012 04:28 PM, Anganes, Amanda L wrote: > Here is my review of the Toke Revocation draft > (http://datatracker.ietf.org/doc/draft-ietf-oauth-revocation/): > > Section 1. Introduction > First paragraph has the following definition in it: "A token is the > external representation of an access grant issued by a resource owner > to a particular client." This seems a bit odd to me. The OAuth2 spec > [1] defines "access token" as "An access token is a string > representing an authorization issued to the client." (section 1.4) and > "refresh token" as "credentials used to obtain access tokens (section > 1.5). Should this spec borrow similar language to be more consistent? > > Paragraph 2 "From an end-user's perception" should be "From an > end-user's perspective". > > Section 2. Token Revocation > What is the reason for requiring the service provider to detect the > token type automatically? For our implementation, Access Tokens, > Refresh Tokens, and ID Tokens are all structured tokens (with unique > structures across the three types), and as such are stored in 3 > separate database tables. In order to "detect" the token type, we > would need to run a get-by-value query across all three tables, check > if any of those queries returned anything, and then proceed to revoke > the token (if one was found). This does not seem ideal to me. > > The spec says that "The authorization server first validates the > client credentials (in case of a confidential client) and verifies > whether the client is authorized to revoke the particular token." What > does this verification entail? Does it just mean that 1) the client > credentials must validate and 2) the token must belong to the client > requesting the revocation? If so I think the text should be clarified > to reflect that. Or are you thinking of a case where a client might > not be allowed to revoke its own tokens, via some kind of scoping? > > 2.1 Cross Origin Support > Formatting looks a little off here, otherwise this section looks fine. > > 5. Security Considerations > Paragraph 3 (Malicious clients...): "Appropriate countermeasures, > which should be in place for the token endpoint as well, MUST be > applied to the revocation endpoint." These countermeasures should be > referenced to the proper section(s) of the OAuth core spec or Threat > Model document. > > Paragraph 4 reads a bit oddly. Suggest following rewording: > "A malicious client may attempt to guess valid tokens on this endpoint > by making revocation requests against potential token strings. > According to this specification, a client's request must contain a > valid client_id, in the case of a public client, or valid client > credentials, in the case of a confidential client. The token being > revoked must also belong to the requesting client. If an attacker is > able to successfully guess a public client's client_id and one of > their tokens, or a private client's credentials and one of their > tokens, they could do much worse damage by using the token elsewhere > than by revoking it. If they chose to revoke the token, the legitimate > client will lose its authorization and will need to prompt the user > again. No further damage is done and the guessed token is now worthless." > > References: > [1] http://tools.ietf.org/html/draft-ietf-oauth-v2-31 > > -- > Amanda Anganes > Info Sys Engineer, G061 > The MITRE Corporation > 781-271-3103 > aanganes@mitre.org > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Review of Token Revocation draft Anganes, Amanda L
- Re: [OAUTH-WG] Review of Token Revocation draft Justin Richer
- [OAUTH-WG] Review of Token Revocation draft Peter Mauritius
- Re: [OAUTH-WG] Review of Token Revocation draft Torsten Lodderstedt
- Re: [OAUTH-WG] Review of Token Revocation draft Torsten Lodderstedt
- Re: [OAUTH-WG] Review of Token Revocation draft Torsten Lodderstedt
- Re: [OAUTH-WG] Review of Token Revocation draft John Bradley
- Re: [OAUTH-WG] Review of Token Revocation draft Sergey Beryozkin
- Re: [OAUTH-WG] Review of Token Revocation draft Amanda Anganes
- Re: [OAUTH-WG] Review of Token Revocation draft Torsten Lodderstedt
- Re: [OAUTH-WG] Review of Token Revocation draft Torsten Lodderstedt
- Re: [OAUTH-WG] Review of Token Revocation draft Justin Richer
- Re: [OAUTH-WG] Review of Token Revocation draft Sergey Beryozkin