Nothing here is at all in variance with the OAuth 2 spec. Everything you're talking about fits nicely into the "put your own application data into an opaque token" model.
________________________________
From: Declan Newman <declan.new...@semantico.com>
To: William Mills <wmi...@yahoo-inc.com>
Cc: oauth@ietf.org; Geoffrey Bilder <gbil...@crossref.org>; Will Simpson <will.simp...@semantico.com>
Sent: Tuesday, November 8, 2011 2:36 PM
Subject: Re: [OAUTH-WG] Single transaction token

Thanks very much for your thoughts. With your comments in mind, our current thinking is that the initial request's scope will determine the access token's life. If a 'write scope' is requested, a write-lock is placed on the corresponding record and the token is valid for one write operation (with a short expires_in), after which the write-lock is released and the token's expires timestamp is set to a time in the past, allowing the caller to use a refresh token to resume read-only operations using a newly created access token. In this scenario, the "expires_in" value will be used to revoke the access token, rather than an explicit delete.

I'd be really interested in getting people's views on how this adheres to the current OAuth 2 specification.

Thanks again,

Dec

On 8 Nov 2011, at 15:35, William Mills wrote:

> The problem is that the token has no state about the transaction. Is the transaction already determined when the token is issued? If so then put the transaction data in the token and make it non-repeatable.
>
> If this is an auth token for an arbitrary single action you have to put some form of replay protection on the protected resource, or you can immediately revoke the token after use against a revocation API and make sure the RP is checking for revoked tokens against the same API/endpoint. You do have a race here, so you have to sort out what you'll make synchronous calls against for this.
> Regards,
>
> -bill
>
> ________________________________
> From: Declan Newman <declan.new...@semantico.com>
> To: oauth@ietf.org
> Cc: Will Simpson <will.simp...@semantico.com>; Geoffrey Bilder <gbil...@crossref.org>
> Sent: Tuesday, November 8, 2011 1:58 AM
> Subject: [OAUTH-WG] Single transaction token
>
> Hello,
>
> We're currently implementing an OAuth 2 provider for a client, who needs to have the facility to authenticate/authorise a client to update in a single transaction.
>
> Is there a way to specify the validity of a token on a per-transaction basis, as opposed to a timeframe?
>
> Any help much appreciated.
>
> Regards,
>
> Dec
>
> ----------------------------------------------------------------------------
> Declan Newman, Development Team Leader,
> Semantico, Floor 1, 21-23 Dyke Road, Brighton BN1 3FE
> <mailto:declan.new...@semantico.com>
> <tel:+44-1273-358247>

----------------------------------------------------------------------------
Declan Newman, Development Team Leader,
Semantico, Floor 1, 21-23 Dyke Road, Brighton BN1 3FE
<mailto:declan.new...@semantico.com>
<tel:+44-1273-358247>
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
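The design discussed in this thread (an opaque access token that carries the transaction it authorises, is spent by exactly one write, takes and releases a write-lock on the record, and is then refreshed into a read-only token) can be sketched as an in-memory authorization-server store. The following is an added example written for this page, not code from either participant or from any OAuth library; the class name, the `record_id` values and the in-memory dictionaries are constructed for illustration, and a single mutex stands in for whatever synchronous check Bill notes is needed to close the replay race. Validation and consumption of the write token happen in one critical section, so two concurrent presentations of the same token cannot both be accepted.

```python
import secrets
import threading
import time


class TransactionTokenStore:
    """Constructed stand-in for an authorization server's token database.

    Access tokens are opaque handles; all transaction state (record id,
    scope, single-use flag, expiry) lives server-side under that handle.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, handy for tests
        self._tokens = {}        # access token handle -> token record
        self._refresh = {}       # refresh token -> access token handle
        self._locks = set()      # record ids currently write-locked
        self._mutex = threading.Lock()

    def _new_record(self, record_id, scope, ttl):
        handle = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self._tokens[handle] = {
            "record_id": record_id,
            "scope": scope,
            "expires_at": self._now() + ttl,
            "used": False,
        }
        self._refresh[refresh] = handle
        return handle, refresh

    def issue(self, record_id, scope, ttl=30):
        """Issue an access token; a 'write' token also takes the write-lock."""
        with self._mutex:
            if scope == "write":
                if record_id in self._locks:
                    raise PermissionError("record already write-locked")
                self._locks.add(record_id)
            return self._new_record(record_id, scope, ttl)

    def _valid(self, rec, record_id, scope):
        return (rec is not None
                and rec["record_id"] == record_id
                and rec["scope"] == scope
                and not rec["used"]
                and rec["expires_at"] > self._now())

    def consume_write(self, handle, record_id):
        """Validate and spend a single-use write token atomically.

        Checking and marking 'used' under the same lock is the replay
        protection: a second presentation of the same handle sees used=True.
        """
        with self._mutex:
            rec = self._tokens.get(handle)
            if not self._valid(rec, record_id, "write"):
                return False
            rec["used"] = True
            rec["expires_at"] = self._now() - 1   # expiry moved into the past
            self._locks.discard(record_id)        # write-lock released
            return True

    def check_read(self, handle, record_id):
        """Protected-resource check for a read-only token."""
        with self._mutex:
            return self._valid(self._tokens.get(handle), record_id, "read")

    def refresh(self, refresh_token):
        """Exchange a refresh token for a new read-only access token."""
        with self._mutex:
            old_handle = self._refresh.pop(refresh_token, None)
            if old_handle is None:
                return None
            old = self._tokens.pop(old_handle)
            if old["scope"] == "write" and not old["used"]:
                self._locks.discard(old["record_id"])  # abandoned write
            return self._new_record(old["record_id"], "read", ttl=300)

    def is_locked(self, record_id):
        with self._mutex:
            return record_id in self._locks
```

In this sketch the token never needs an explicit delete: the one successful write flips it to used and back-dates its expiry, so any later presentation fails the same validity check, and the refresh token is the only path back to the record, yielding a read-only token. A real deployment would keep the store in a shared database and make the consume step a single conditional update for the same reason the mutex is used here.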