[OAUTH-WG] Detecting revoked token in OAuth 2.0 client libraries

2012-01-09 Thread Andreas Åkre Solberg
Hi,

I'm trying to do an OAuth 2.0 library, and got a question:

I cannot find a standardized way for an OAuth protected endpoint to report to 
the client that the Token is not valid (expired or revoked). As a library 
developer, I'd like to take away as much as possible of the OAuth logic from 
the application. I need a way to distinguish application-specific protocol 
errors from OAuth-related errors on protected endpoints.

If the library could detect this, it could also, for example, refresh the token 
automatically, and even start a new flow if necessary.

I'm sorry if the answer is obvious. 

Another question on token validity; the optional expires_in parameter. If I 
would like to indicate permanent validity, how can I express that? I assume 
that if I leave the parameter out it is not possible to distinguish between 
'undefined / not specified' and 'infinite'. Putting the semantics into a 
specific scope could of course work, but lacks the feature of being 
standardized between providers.

Andreas

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] Detecting revoked token in OAuth 2.0 client libraries

2012-01-09 Thread Bart Wiegmans
Hi,

As far as I know, the implementation of API endpoints is outside of the 
specification of OAuth. 
But the specification of Bearer Tokens states that the endpoint must return the 
HTTP 403 (Access Denied) status code, along with a WWW-Authenticate: Bearer 
response header. That should be enough to determine token invalidity. 

With kind regards,
Bart Wiegmans




Re: [OAUTH-WG] Detecting revoked token in OAuth 2.0 client libraries

2012-01-09 Thread Torsten Lodderstedt
Hi,

An invalid token should cause the server to reply with status code 401.

regards,
Torsten.



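As an added example (not code from anyone in this thread) of how a client library could act on the two answers above: it parses the WWW-Authenticate: Bearer challenge defined by the Bearer token spec (later published as RFC 6750), treats 401 with error="invalid_token" as the signal to refresh or re-authorize, passes everything else through as an application error, and answers Andreas's second question by treating a missing expires_in as "unknown" rather than "infinite". The function names and the action strings are my own choices.

```python
import re
from typing import Optional

# auth-params of a challenge such as:  Bearer realm="api", error="invalid_token"
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def parse_bearer_challenge(header: Optional[str]) -> Optional[dict]:
    """Return the auth-params of a Bearer challenge, or None when the header
    is absent or belongs to another scheme (Basic, Digest, ...)."""
    if header is None or not header.strip().lower().startswith("bearer"):
        return None
    rest = header.strip()[len("bearer"):]
    return {k: (quoted if quoted else bare) for k, quoted, bare in _PARAM_RE.findall(rest)}


def classify(status: int, www_authenticate: Optional[str]) -> str:
    """Map a protected-resource response to the action the OAuth layer should
    take, so the application only ever sees its own protocol errors."""
    challenge = parse_bearer_challenge(www_authenticate)
    if status == 401 and challenge is not None:
        err = challenge.get("error")
        if err is None:
            # Bare "Bearer realm=..." means no token was presented at all.
            return "obtain_token"
        if err == "invalid_token":
            # Expired, revoked or malformed token: refresh, or start a new flow.
            return "refresh_or_reauthorize"
        return "oauth_error:" + err
    if status == 403 and challenge is not None and challenge.get("error") == "insufficient_scope":
        # Token is valid but lacks scope; the spec lets the server name the scope needed.
        return "reauthorize_with_scope:" + challenge.get("scope", "")
    # Anything else, including a 401 with no Bearer challenge, is the
    # application's own error and is passed through untouched.
    return "application_error" if status >= 400 else "ok"


def token_expiry(token_response: dict, now: float) -> Optional[float]:
    """Absolute expiry from expires_in, or None when the server omitted it.
    None means 'unknown', not 'never': the client still has to be ready for a
    401 invalid_token, because the spec gives no way to say 'permanent'."""
    lifetime = token_response.get("expires_in")
    return None if lifetime is None else now + int(lifetime)


def is_known_expired(expiry: Optional[float], now: float, skew: float = 30.0) -> bool:
    """Refresh a little ahead of a known expiry; an unknown expiry is never
    treated as expired client-side, only when the server answers 401."""
    return expiry is not None and now + skew >= expiry
```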


Re: [OAUTH-WG] Detecting revoked token in OAuth 2.0 client libraries

2012-01-09 Thread Andreas Åkre Solberg

On 9 Jan 2012 at 17:35, Torsten Lodderstedt wrote:

> Hi,
> 
> an invalid token should cause the server to reply with status code 401.

Thanks for the tip, both of you.


Andreas