Re: [OAUTH-WG] 4/17 draft feedback: token != identifier

Wed, 21 Apr 2010 13:00:30 -0700 

New text:

        When issuing an access token, the scope, duration, and other access 
attributes granted by
        the resource owner must be retained and enforced by the resource server 
when receiving a
        protected resource request and by the authorization server when 
receiving a token refresh
        request made with the access token issued.


EHL

From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eran 
Hammer-Lahav
Sent: Sunday, April 18, 2010 10:21 PM
To: Dick Hardt; OAuth WG
Subject: Re: [OAUTH-WG] 4/17 draft feedback: token != identifier

Noted. I'll tweak the text to accommodate this scenario. Note that 'the 
authorization server MUST retain the scope' is met if the scope is encoded into 
the token and later verified when used. It doesn't say how the scope must be 
retained. But I see your point.

EHL

From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Dick 
Hardt
Sent: Sunday, April 18, 2010 7:12 PM
To: OAuth WG
Subject: [OAUTH-WG] 4/17 draft feedback: token != identifier

The spec describes the access token as an identifier. One of the key 
capabilities of WRAP was that the token could be self contained. The PR could 
make an access control decision by examining the access token and not calling 
the AS.

The token is referred to as an identifier in the Abstract, Introduction, and in 
2.1 access token.

Similarly, the Refresh Token can be a self contained token and not an 
identifier contrary to the definition in 2.1

This also comes up in S 3. Obtaining an Access Token

   When issuing an access token, the authorization server MUST retain the 
scope, duration, and

        other access attributes granted by the resource owner, and enforce 
these restrictions when

        receiving a protected resource request made with the access token 
issued.
This paragraph is not true if the AS embeds the scope, duration etc. into the 
token itself. This paragraph implies that the PR calls the AS with the access 
token. This is not needed if the access token is self contained.

-- Dick


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to