My concern with leaving both specs separated is that over time the
semantics of the two error codes could diverge and that would be
confusing for developers. If we don't want to create a dependency on RFC
6750, then I would recommend a change to the error code name so that
there is no name collision or confusion.
Thanks,
George
On 1/7/13 11:18 AM, Torsten Lodderstedt wrote:
Hi George,
thank you for pointing this out. Your proposal sounds reasonable
although the revocation spec does not build on top of RFC 6750.
As referring to RFC 6750 would create a new dependency, one could also
argue it would be more robust to leave both specs separated.
What do others think?
regards,
Torsten.
On 07.01.2013 17:12, George Fletcher wrote:
One quick comment...
Section 2.0: Both RFC 6750 and this specification define the
'invalid_token' error code.
Should this spec reference the error code from RFC 6750?
Thanks,
George
On 1/7/13 7:08 AM, Torsten Lodderstedt wrote:
Hi,
the new revision is based on the WGLC feedback and incorporates the
following changes:
- renamed "access grant" to "authorization" and reworded parts of
Abstract and Intro in order to better align with core spec wording
(feedback by Amanda)
- improved formatting of section 2.1. (feedback by Amanda)
- improved wording of last paragraph of section 6 (feedback by Amanda)
- relaxed the expected behavior regarding revocation of related
tokens and the authorization itself in order to remove unintended
constraints on implementations (feedback by Mark)
- replaced description of error handling by pointer to respective
section of core spec (as proposed by Peter)
- adopted proposed text for implementation note (as proposed by Hannes)
regards,
Torsten.
On 07.01.2013 13:00, internet-dra...@ietf.org wrote:
A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the Web Authorization Protocol
Working Group of the IETF.
Title : Token Revocation
Author(s) : Torsten Lodderstedt
Stefanie Dronia
Marius Scurtescu
Filename : draft-ietf-oauth-revocation-04.txt
Pages : 8
Date : 2013-01-07
Abstract:
This document proposes an additional endpoint for OAuth authorization
servers, which allows clients to notify the authorization server that
a previously obtained refresh or access token is no longer needed.
This allows the authorization server to cleanup security credentials.
A revocation request will invalidate the actual token and, if
applicable, other tokens based on the same authorization.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-revocation
There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-oauth-revocation-04
A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-revocation-04
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
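The behaviour described in the draft's abstract (a client tells the authorization server a token is no longer needed; the server invalidates it and, if applicable, other tokens based on the same authorization), sketched as an added example that is not code from the draft or its authors. The token store, the sample token values, the cascade policy for refresh tokens and the use of the `invalid_token` code for an unknown token are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Token:
    value: str
    kind: str            # "access" or "refresh"
    authorization: str   # the authorization (grant) the token was issued under
    revoked: bool = False


class RevocationEndpoint:
    """Minimal model of the revocation endpoint proposed in the draft."""

    def __init__(self, tokens):
        self._tokens = {t.value: t for t in tokens}

    def revoke(self, token_value):
        """Handle one revocation request.

        Returns a dict shaped like an OAuth JSON error body: {} on success,
        {"error": ...} on failure. Using 'invalid_token' for an unknown
        token is an assumption; the draft names the code, the trigger here
        is illustrative.
        """
        tok = self._tokens.get(token_value)
        if tok is None:
            return {"error": "invalid_token"}
        tok.revoked = True
        # Assumed policy: revoking a refresh token also invalidates the other
        # tokens based on the same authorization. Revoking an access token
        # leaves the rest of the authorization untouched. The draft leaves
        # this choice to the implementation.
        if tok.kind == "refresh":
            for other in self._tokens.values():
                if other.authorization == tok.authorization:
                    other.revoked = True
        return {}

    def is_valid(self, token_value):
        tok = self._tokens.get(token_value)
        return tok is not None and not tok.revoked


def build_demo_endpoint():
    # Constructed sample tokens: two authorizations, one with a refresh token.
    return RevocationEndpoint([
        Token("at-1", "access", "authz-A"),
        Token("rt-1", "refresh", "authz-A"),
        Token("at-2", "access", "authz-B"),
    ])
```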