Thanks very much for for your thoughts.

With your comments in mind, our current thinking is that the initial requests'  
scope will determine the access token's life. 

If a 'write scope' is requested, a write-lock is placed on the corresponding 
record and the token is valid for one write operation (with a short 
expires_in), after which the write-lock is released and the token's expires 
timestamp is set to a time in the past, allowing the caller to use a refresh 
token to resume read-only operations using newly created access token.

In this scenario, the "expires_in" value will be used to revoke the access 
token, rather than an explicit delete.

I'd be really interested in getting peoples views on how this adheres to the 
the current OAuth 2 specification.

Thanks again,

Dec


On 8 Nov 2011, at 15:35, William Mills wrote:

> The problem is that the token has no state about the transaction.  Is the 
> transaction already determined when the token is issued?  If so then put the 
> transaction dat ain the token and make it non-repeatable.
> 
> If this is an auth token for an arbitrary single action you have to put some 
> form of replay protection on the protected resource, or you can immediately 
> revoke the token after use against a revocation API and make sure the RP is 
> checking for revoked tokens against the same API/endpoint.  You do have a 
> race here, so you have to sort out what you'll make synchronous calls against 
> for this.
> 
> Regards,
> 
> -bill
> 
> From: Declan Newman <declan.new...@semantico.com>
> To: oauth@ietf.org
> Cc: Will Simpson <will.simp...@semantico.com>; Geoffrey Bilder 
> <gbil...@crossref.org>
> Sent: Tuesday, November 8, 2011 1:58 AM
> Subject: [OAUTH-WG] Single transaction token
> 
> Hello,
> 
> We're currently implementing OAuth 2 provider for a client, whom needs to 
> have the facility to authenticate/authorise a client to update in a single 
> transaction.
> 
> Is there a way to specify the validity of a token on a per-transaction basis, 
> as opposed to a timeframe?
> 
> Any help much appreciated.
> 
> Regards,
> 
> Dec
> 
> ----------------------------------------------------------------------------
> Declan Newman, Development Team Leader,
> Semantico, Floor 1, 21-23 Dyke Road, Brighton BN1 3FE
> <mailto:declan.new...@semantico.com>
> <tel:+44-1273-358247>
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
> 

----------------------------------------------------------------------------
Declan Newman, Development Team Leader,
Semantico, Floor 1, 21-23 Dyke Road, Brighton BN1 3FE
<mailto:declan.new...@semantico.com>
<tel:+44-1273-358247>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to