Hi George,
thank you for pointing this out. Your proposal sounds reasonable
although the revocation spec does not build on top of RFC 6750.
As refering to RFC 6750 would create a new dependency, one could also
argue it would be more robust to leave both specs separated.
What do others think?
regards,
Torsten.
Am 07.01.2013 17:12, schrieb George Fletcher:
One quick comment...
Section 2.0: Both RFC 6750 and this specification define the
'invalid_token' error code.
Should this spec reference the error code from RFC 6750?
Thanks,
George
On 1/7/13 7:08 AM, Torsten Lodderstedt wrote:
Hi,
the new revision is based on the WGLC feedback and incorporates the
following changes:
- renamed "access grant" to "authorization" and reworded parts of
Abstract and Intro in order to better align with core spec wording
(feedback by Amanda)
- improved formatting of section 2.1. (feedback by Amanda)
- improved wording of last paragraph of section 6 (feedback by Amanda)
- relaxed the expected behavior regarding revocation of related
tokens and the authorization itself in order to remove unintended
constraints on implementations (feedback by Mark)
- replaced description of error handling by pointer to respective
section of core spec (as proposed by Peter)
- adopted proposed text for implementation note (as proposed by Hannes)
regards,
Torsten.
Am 07.01.2013 13:00, schrieb internet-dra...@ietf.org:
A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the Web Authorization Protocol
Working Group of the IETF.
Title : Token Revocation
Author(s) : Torsten Lodderstedt
Stefanie Dronia
Marius Scurtescu
Filename : draft-ietf-oauth-revocation-04.txt
Pages : 8
Date : 2013-01-07
Abstract:
This document proposes an additional endpoint for OAuth
authorization
servers, which allows clients to notify the authorization server
that
a previously obtained refresh or access token is no longer needed.
This allows the authorization server to cleanup security
credentials.
A revocation request will invalidate the actual token and, if
applicable, other tokens based on the same authorization.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-revocation
There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-oauth-revocation-04
A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-revocation-04
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
