Closed mrpotes closed 6 years ago
jricher
commented
6 years ago For this, Alice can revoke all of Dr. Bob's tokens, including the refresh token.
The language in question was put in there to keep people from tying all the original claims to the refresh token and re-running the engine on it. The refresh token should be there to refresh a valid existing authorization -- if that authorization isn't valid anymore, the refresh token shouldn't be valid either.
mrpotes
commented
6 years ago Interesting, so on any policy change the AS needs to re-evaluate all tokens that have been issued for that resource?
If so, should this be mentioned?
On 28 Jul 2017 6:20 pm, "Justin Richer" notifications@github.com wrote:
For this, Alice can revoke all of Dr. Bob's tokens, including the refresh token.
The language in question was put in there to keep people from tying all the original claims to the refresh token and re-running the engine on it. The refresh token should be there to refresh a valid existing authorization -- if that authorization isn't valid anymore, the refresh token shouldn't be valid either.
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/KantaraInitiative/wg-uma/issues/348#issuecomment-318712819, or mute the thread https://github.com/notifications/unsubscribe-auth/AA6kNnrhIye-tNnIGem6IHc9-_EcHKK7ks5sShhkgaJpZM4OmtPY .
jricher
commented
6 years ago It could do that, but I think you'd be hard pressed to say that's "should" -- after all, the tokens were valid when they were issued. And what does it mean for a token to be reevaluated, anyway? Does that mean the server has to store all of the original claims that were used to issue the token? That's a huge privacy risk (which is pointed out in the considerations section regarding the PCT, and is mitigated by its use). Plus some of those claims might be expired anyway, so what's an AS to do in that case?
If you wanted to implement a cascade, you could instead tie to the policy that was fulfilled to issue a token, by internal reference, and cascade a delete on downstream tokens on every edit. That's a bit extreme, but it's cautious.
I think instead the AS needs to let Alice say things like "revoke tokens issued to this client" or "revoke tokens on this resource", for instance. But that's just internal token management and UI, not really anything for our spec to say something about. If the AS wants to get fancy and figure out that a client was Dr Bob's client (a tricky thing to do in a cross-domain world), then it could expose that label to Alice, too. But this isn't about changing Alice's policy, it's about Alice making a decision about what has access right this second.
I believe the text as written is fine in this regard.
xmlgrrl
commented
6 years ago Right, there are TTL strategy and UX implications here. Alice certainly doesn't think in terms of tokens. She thinks -- if anything -- possibly in terms of policy or sharing/unsharing or something. If she wants to "stop sharing" something with somebody, it behooves the AS to do what it can in preparation for resource requests coming from them. So it sounds like there are a) some implications for AS sophistication here, and b) maybe some implications for those profiling UMA who want to get specific about how deep the rabbit hole goes. (Disconnected and stateless deployment use cases?)
xmlgrrl
commented
6 years ago Eve and James discussion:
Eve is starting to come down on the side of:
We also discussed the notion of letting the client add an optional PCT to its refresh request, which still would count as "back-channel". See 6749 Sec 6. We'd also have to include our definition of this/how to use it in our IANA registration request for OAuth parameters. Actually, let's say the client has an expired RPT and tries a refresh. If it fails, the client could just turn around and approach the token endpoint as normal, with a PCT; that's a kind of "back-channel refreshing flow with PCT" without having to change/add anything here.
Do we need to clarify this point? If the refresh is not possible but the client has an expired RPT (particularly in cases where the permissions last longer than the RPT itself), it should still be able to submit that RPT for an upgrade. So maybe #349 isn't actually an error at all, as long as the RPT belongs to this client etc.
Maybe we could see the refresh flow as the version of refresh that definitely doesn't involve re-evaluation and thus could only ever refresh the RPT's active status and token-level parameters, and the RPT upgrade flow (with PCT as necessary) as the version of "refresh" (really on a refresh-upgrade continuum involving the RPT contents) that definitely does involve re-evaluation.
In an enterprise WAM setting, you might have agents that cache policy and detect when a resource has been affected by a policy change. Here, a) the "user" (RqP) isn't there, and b) we've got an OAuth-based architecture: it's about tokens and entitlements (permissions/scopes) within them as an indirection layer between policy and access requests.
Eve will send an email to the WG list outlining the options we can think of.
xmlgrrl
commented
6 years ago Per UMA telecon 2017-08-23 (see complete notes there; these decisions relate to #349 too):
(Regarding the last bullet: In other words, this is not a V2.0 issue.)
Section 3.6 states that:
However, consider the following scenario:
This seems contrary to HIPA and GDPR (and others), which (as I understand it, IANAL) guarantee a right to revoke and require a best effort on the part of the AS to enforce that revocation.