In our architecture, revoking the specific token would mean revoking access to the app, which is something we don't want to do.

We just return an error message but do not invalidate the token. I think that this is fine. Since it doesn't work, it will only be encountered in development.

On Oct 13, 2010, at 6:33 PM, Eran Hammer-Lahav wrote:

> Write it, and I'll get it incorporated.
>
> EHL
>
>> -----Original Message-----
>> From: Breno [mailto:breno.demedei...@gmail.com]
>> Sent: Wednesday, October 13, 2010 4:49 PM
>> To: Jeff Lindsay
>> Cc: Eran Hammer-Lahav; oauth@ietf.org
>> Subject: Re: [OAUTH-WG] Request sent to http: instead of https:`
>>
>> +1 for language in the spec describing how to handle this case
>>
>> On Wed, Oct 13, 2010 at 4:12 PM, Jeff Lindsay <progr...@twilio.com> wrote:
>>>> Hopefully you also invalidate the token (if bearer) since it was sent over an insecure channel.
>>>
>>> Excuse my naivety, but perhaps that's worth putting in the spec?
>>>
>>>> EHL
>>>>
>>>>> -----Original Message-----
>>>>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Breno
>>>>> Sent: Wednesday, October 13, 2010 11:31 AM
>>>>> To: oauth@ietf.org
>>>>> Subject: [OAUTH-WG] Request sent to http: instead of https:`
>>>>>
>>>>> Suppose server A documents that their endpoint X is at https://server.example.com/x; there's no service at the corresponding http location for security reasons.
>>>>>
>>>>> Client developer fatfingers URL as http://server.example.com/x
>>>>>
>>>>> What is the correct response? I understand that this is out of scope for the spec, but maybe there's agreement on some guidance?
>>>>>
>>>>> One thing one shouldn't do is serve a 302 here; it would allow defective clients to remain unpatched.
>>>>>
>>>>> My preference is to simply return a bare 403 or 404 here -- after all the endpoint does not exist (404) or if one uses the convention that resources at http/https are usually identical, then http is a non-authorized method to access the resource (403).
>>>>>
>>>>> Thoughts?
>>>>>
>>>>> --
>>>>> Breno de Medeiros
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> --
>> Breno de Medeiros
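The thread settles on two points: a request that reaches the http: address of an https:-only endpoint should get a bare 403 or 404 and never a 302, and a bearer token seen in the clear may or may not be invalidated depending on the deployment (the reply at the top declines to do so). The following is an added example, not code from the thread, the OAuth specification or any listed implementation, that models a resource server's dispatch for exactly that case. The request dict shape, the in-memory `TokenStore`, the `revoke_on_plaintext` and `plaintext_status` flags and the sample token value are all constructed for this example.

```python
"""Added example (constructed, not from the mailing-list thread): how a
resource server can answer a request that reaches the http: address of an
endpoint that is only served at https:.

Two positions from the thread are modelled:
  * answer with a bare 403 or 404 and never a 302 to the https: URL, so a
    defective client fails visibly instead of staying unpatched;
  * optionally invalidate a bearer token that was observed in the clear,
    which is a per-deployment choice, so it is a flag rather than a rule.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class TokenStore:
    """Constructed stand-in for the authorization server's token state."""
    valid: set = field(default_factory=set)
    revoked: set = field(default_factory=set)
    audit: list = field(default_factory=list)   # log lines for operations

    def revoke(self, token: str, reason: str) -> None:
        self.valid.discard(token)
        self.revoked.add(token)
        self.audit.append(f"revoked token={token[:4]}... reason={reason}")

    def is_valid(self, token: str) -> bool:
        return token in self.valid


def bearer_token(headers: dict) -> Optional[str]:
    """Extract the credential from 'Authorization: Bearer <token>', if any.
    Header names are assumed to be lower-cased by the caller."""
    scheme, _, credential = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and credential.strip():
        return credential.strip()
    return None


def handle(request: dict, store: TokenStore, *,
           revoke_on_plaintext: bool = False,
           plaintext_status: int = 404) -> Response:
    """Dispatch one request. 'request' is a constructed dict with
    'scheme', 'path' and 'headers' (lower-cased header names)."""
    token = bearer_token(request["headers"])

    if request["scheme"].lower() != "https":
        # Record the event either way: a burst of these is how operations
        # notices a client build that points at the wrong scheme.
        store.audit.append(
            f"plaintext request path={request['path']} "
            f"bearer_present={token is not None}")
        if token is not None and revoke_on_plaintext:
            store.revoke(token, "sent over plaintext http")
        # Bare status with no Location header: a 302 to the https: URL
        # would let a broken client keep working and keep leaking.
        return Response(status=plaintext_status)

    if token is None or not store.is_valid(token):
        return Response(401, {"WWW-Authenticate": 'Bearer realm="example"'})
    return Response(200, body="ok")


if __name__ == "__main__":
    store = TokenStore(valid={"tok_constructed_1"})
    plain = {"scheme": "http", "path": "/x",
             "headers": {"authorization": "Bearer tok_constructed_1"}}
    print(handle(plain, store))            # 404 and no Location header
    print(handle(plain, store, revoke_on_plaintext=True, plaintext_status=403))
    print("\n".join(store.audit))
```

The default policy matches the reply at the top of the message (refuse, log, keep the token); setting `revoke_on_plaintext=True` gives the stricter behaviour Eran suggested, and the audit list is what a detection pipeline would read to spot a misconfigured client before it ships.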