Not true if I revoke the token after it's been issued but before it expires.
On 7/29/2014 8:49 PM, Mike Jones wrote:
Yes, but that's the simplest thing to determine -- try the token and
see whether it works or not.
*From:*Thomas Broyer [mailto:t.bro...@gmail.com]
*Sent:* Tuesday, July 29, 2014 5:43 PM
*To:* Mike Jones
*Cc:* <oauth@ietf.org>; George Fletcher; Phil Hunt
*Subject:* RE: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth
Token Introspection" as an OAuth Working Group Item
Decoding a token with a specific format wouldn't tell you whether the
token is still live: it could have been revoked before its expiration.
Le 30 juil. 2014 02:16, "Mike Jones" <michael.jo...@microsoft.com
<mailto:michael.jo...@microsoft.com>> a écrit :
Did you consider standardizing the access token format within that
deployment so all the parties that needed to could understand it,
rather requiring an extra round trip to an introspection endpoint so
as to be able to understand things about it?
I realize that might or might not be practical in some cases, but I
haven't heard that alternative discussed, so I thought I'd bring it up.
I also second Phil's comment that it would be good to understand the
use cases that this is intended to solve before embarking on a
particular solution path.
-- Mike
*From:*OAuth [mailto:oauth-boun...@ietf.org
<mailto:oauth-boun...@ietf.org>] *On Behalf Of *George Fletcher
*Sent:* Tuesday, July 29, 2014 3:25 PM
*To:* Phil Hunt; Thomas Broyer
*Cc:* oauth@ietf.org <mailto:oauth@ietf.org>
*Subject:* Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth
Token Introspection" as an OAuth Working Group Item
We also have a use case where the AS is provided by a partner and the
RS is provided by AOL. Being able to have a standardized way of
validating and getting data about the token from the AS would make our
implementation much simpler as we can use the same mechanism for all
Authorization Servers and not have to implement one off solutions for
each AS.
Thanks,
George
On 7/28/14, 8:11 PM, Phil Hunt wrote:
Could we have some discussion on the interop cases?
Is it driven by scenarios where AS and resource are separate
domains? Or may this be only of interest to specific protocols
like UMA?
From a technique principle, the draft is important and sound. I am
just not there yet on the reasons for an interoperable standard.
Phil
On Jul 28, 2014, at 17:00, Thomas Broyer <t.bro...@gmail.com
<mailto:t.bro...@gmail.com>> wrote:
Yes. This spec is of special interest to the platform we're
building for http://www.oasis-eu.org/
On Mon, Jul 28, 2014 at 7:33 PM, Hannes Tschofenig
<hannes.tschofe...@gmx.net <mailto:hannes.tschofe...@gmx.net>>
wrote:
Hi all,
during the IETF #90 OAuth WG meeting, there was strong
consensus in
adopting the "OAuth Token Introspection"
(draft-richer-oauth-introspection-06.txt) specification as an
OAuth WG
work item.
We would now like to verify the outcome of this call for
adoption on the
OAuth WG mailing list. Here is the link to the document:
http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
If you did not hum at the IETF 90 OAuth WG meeting, and have
an opinion
as to the suitability of adopting this document as a WG work item,
please send mail to the OAuth WG list indicating your opinion
(Yes/No).
The confirmation call for adoption will last until August 10,
2014. If
you have issues/edits/comments on the document, please send these
comments along to the list in your response to this Call for
Adoption.
Ciao
Hannes & Derek
_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
--
Thomas Broyer
/t?.ma.b?wa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth