| draft-parecki-oauth-global-token-revocation-02.txt | draft-parecki-oauth-global-token-revocation-03.txt | |||
|---|---|---|---|---|
| Web Authorization Protocol A. Parecki | Web Authorization Protocol A. Parecki | |||
| Internet-Draft Okta | Internet-Draft Okta | |||
| Intended status: Standards Track 2 March 2024 | Intended status: Standards Track 21 March 2024 | |||
| Expires: 3 September 2024 | Expires: 22 September 2024 | |||
| Global Token Revocation | Global Token Revocation | |||
| draft-parecki-oauth-global-token-revocation-02 | draft-parecki-oauth-global-token-revocation-03 | |||
| Abstract | Abstract | |||
| Global Token Revocation enables parties such as a security incident | Global Token Revocation enables parties such as a security incident | |||
| management tool or an external Identity Provider to send a request to | management tool or an external Identity Provider to send a request to | |||
| an Authorization Server to indicate that it should revoke all of the | an Authorization Server to indicate that it should revoke all of the | |||
| user's existing tokens and require that the user re-authenticates | user's existing tokens and require that the user re-authenticates | |||
| before issuing new tokens. | before issuing new tokens. | |||
| About This Document | About This Document | |||
| This note is to be removed before publishing as an RFC. | This note is to be removed before publishing as an RFC. | |||
| The latest revision of this draft can be found at | The latest revision of this draft can be found at | |||
| https://aaronpk.github.io/global-token-revocation/draft-parecki- | https://drafts.aaronpk.com/global-token-revocation/draft-parecki- | |||
| oauth-global-token-revocation.html. Status information for this | oauth-global-token-revocation.html. Status information for this | |||
| document may be found at https://datatracker.ietf.org/doc/draft- | document may be found at https://datatracker.ietf.org/doc/draft- | |||
| parecki-oauth-global-token-revocation/. | parecki-oauth-global-token-revocation/. | |||
| Discussion of this document takes place on the Web Authorization | Discussion of this document takes place on the Web Authorization | |||
| Protocol Working Group mailing list (mailto:oauth@ietf.org), which is | Protocol Working Group mailing list (mailto:oauth@ietf.org), which is | |||
| archived at https://mailarchive.ietf.org/arch/browse/oauth/. | archived at https://mailarchive.ietf.org/arch/browse/oauth/. | |||
| Subscribe at https://www.ietf.org/mailman/listinfo/oauth/. | Subscribe at https://www.ietf.org/mailman/listinfo/oauth/. | |||
| Source for this draft and an issue tracker can be found at | Source for this draft and an issue tracker can be found at | |||
| skipping to change at page 2, line 10 ¶ | skipping to change at page 2, line 10 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 3 September 2024. | This Internet-Draft will expire on 22 September 2024. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2024 IETF Trust and the persons identified as the | Copyright (c) 2024 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 2, line 42 ¶ | skipping to change at page 2, line 42 ¶ | |||
| 3. Token Revocation . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Token Revocation . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.1. Revocation Endpoint . . . . . . . . . . . . . . . . . . . 4 | 3.1. Revocation Endpoint . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.2. Revocation Request . . . . . . . . . . . . . . . . . . . 4 | 3.2. Revocation Request . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.3. Revocation Expectations . . . . . . . . . . . . . . . . . 6 | 3.3. Revocation Expectations . . . . . . . . . . . . . . . . . 6 | |||
| 3.4. Revocation Response . . . . . . . . . . . . . . . . . . . 6 | 3.4. Revocation Response . . . . . . . . . . . . . . . . . . . 6 | |||
| 3.4.1. Successful Response . . . . . . . . . . . . . . . . . 6 | 3.4.1. Successful Response . . . . . . . . . . . . . . . . . 6 | |||
| 3.4.2. Error Response . . . . . . . . . . . . . . . . . . . 6 | 3.4.2. Error Response . . . . . . . . . . . . . . . . . . . 6 | |||
| 4. Revocation of Access Tokens . . . . . . . . . . . . . . . . . 7 | 4. Revocation of Access Tokens . . . . . . . . . . . . . . . . . 7 | |||
| 5. Authorization Server Metadata . . . . . . . . . . . . . . . . 7 | 5. Authorization Server Metadata . . . . . . . . . . . . . . . . 7 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
| 6.1. Enumeration of User Accounts . . . . . . . . . . . . . . 8 | 6.1. Authentication of Revocation Request . . . . . . . . . . 8 | |||
| 6.2. Enumeration of User Accounts . . . . . . . . . . . . . . 8 | ||||
| 6.3. Malicious Authorization Server . . . . . . . . . . . . . 9 | ||||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 7.1. OAuth Authorization Server Metadata . . . . . . . . . . . 9 | 7.1. OAuth Authorization Server Metadata . . . . . . . . . . . 9 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 9 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 10 | 8.2. Informative References . . . . . . . . . . . . . . . . . 10 | |||
| Appendix A. Relationship to Related Specifications . . . . . . . 10 | Appendix A. Relationship to Related Specifications . . . . . . . 11 | |||
| A.1. RFC7009: Token Revocation . . . . . . . . . . . . . . . . 10 | A.1. RFC7009: Token Revocation . . . . . . . . . . . . . . . . 11 | |||
| A.2. OpenID Connect Front-Channel Logout . . . . . . . . . . . 11 | A.2. OpenID Connect Front-Channel Logout . . . . . . . . . . . 11 | |||
| A.3. OpenID Connect Back-Channel Logout . . . . . . . . . . . 11 | A.3. OpenID Connect Back-Channel Logout . . . . . . . . . . . 12 | |||
| A.4. Shared Signals Framework . . . . . . . . . . . . . . . . 12 | A.4. Shared Signals Framework . . . . . . . . . . . . . . . . 12 | |||
| Appendix B. Document History . . . . . . . . . . . . . . . . . . 13 | ||||
| Appendix B. Document History . . . . . . . . . . . . . . . . . . 12 | Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 13 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 13 | ||||
| 1. Introduction | 1. Introduction | |||
| An OAuth Authorization Server issues tokens in response to a user | An OAuth Authorization Server issues tokens in response to a user | |||
| authorizing a client. A party external to the OAuth Authorization | authorizing a client. A party external to the OAuth Authorization | |||
| Server may wish to instruct the Authorization Server to revoke all | Server may wish to instruct the Authorization Server to revoke all | |||
| tokens belonging to a particular user, and prevent the server from | tokens belonging to a particular user, and prevent the server from | |||
| issuing new tokens until the user re-authenticates. | issuing new tokens until the user re-authenticates. | |||
| For example, a security incident management tool may detect anomalous | For example, a security incident management tool may detect anomalous | |||
| skipping to change at page 5, line 23 ¶ | skipping to change at page 5, line 23 ¶ | |||
| The following example requests that all tokens for a user identified | The following example requests that all tokens for a user identified | |||
| by an email address be revoked: | by an email address be revoked: | |||
| POST /global-token-revocation | POST /global-token-revocation | |||
| Host: example.com | Host: example.com | |||
| Content-Type: application/json | Content-Type: application/json | |||
| Authorization: Bearer f5641763544a7b24b08e4f74045 | Authorization: Bearer f5641763544a7b24b08e4f74045 | |||
| { | { | |||
| "subject": { | "sub_id": { | |||
| "format": "email", | "format": "email", | |||
| "email": "user@example.com" | "email": "user@example.com" | |||
| } | } | |||
| } | } | |||
| If the user identifier at the authorization server is known by the | If the user identifier at the authorization server is known by the | |||
| system making the revocation request, the request can use the "Opaque | system making the revocation request, the request can use the "Opaque | |||
| Identifer" format to provide the user identifier: | Identifer" format to provide the user identifier: | |||
| POST /global-token-revocation | POST /global-token-revocation | |||
| Host: example.com | Host: example.com | |||
| Content-Type: application/json | Content-Type: application/json | |||
| Authorization: Bearer f5641763544a7b24b08e4f74045 | Authorization: Bearer f5641763544a7b24b08e4f74045 | |||
| { | { | |||
| "subject": { | "sub_id": { | |||
| "format": "opaque", | "format": "opaque", | |||
| "id": "e193177dfdc52e3dd03f78c" | "id": "e193177dfdc52e3dd03f78c" | |||
| } | } | |||
| } | } | |||
| If it is expected that the authorization server knows about the user | If it is expected that the authorization server knows about the user | |||
| identifier at the IdP, the request can use the "Issuer and Subject | identifier at the IdP, the request can use the "Issuer and Subject | |||
| Identifier" format: | Identifier" format: | |||
| POST /global-token-revocation | POST /global-token-revocation | |||
| Host: example.com | Host: example.com | |||
| Content-Type: application/json | Content-Type: application/json | |||
| Authorization: Bearer f5641763544a7b24b08e4f74045 | Authorization: Bearer f5641763544a7b24b08e4f74045 | |||
| { | { | |||
| "subject": { | "sub_id": { | |||
| "format": "iss_sub", | "format": "iss_sub", | |||
| "iss": "https://issuer.example.com/", | "iss": "https://issuer.example.com/", | |||
| "sub": "af19c476f1dc4470fa3d0d9a25" | "sub": "af19c476f1dc4470fa3d0d9a25" | |||
| } | } | |||
| } | } | |||
| 3.3. Revocation Expectations | 3.3. Revocation Expectations | |||
| Upon receiving a revocation request, authorizing the request, and | Upon receiving a revocation request, authorizing the request, and | |||
| validating the identified user, the Authorization Server: | validating the identified user, the Authorization Server: | |||
| * MUST revoke all active refresh tokens | * MUST revoke all active refresh tokens | |||
| * SHOULD invalidate all access tokens, although it is recognized | * SHOULD invalidate all access tokens, although it is recognized | |||
| that it might not be technically feasible to invalidate access | that it might not be technically feasible to invalidate access | |||
| tokens (see Section 4 below) | tokens (see Section 4 below) | |||
| * MUST NOT issue new access tokens or refresh tokens without re- | * MUST re-authenticate the user before issuing new access tokens or | |||
| authenticating the user | refresh tokens | |||
| 3.4. Revocation Response | 3.4. Revocation Response | |||
| This specification indicates success and error conditions by using | This specification indicates success and error conditions by using | |||
| HTTP response codes, and does not define the response body format or | HTTP response codes, and does not define the response body format or | |||
| content. | content. | |||
| 3.4.1. Successful Response | 3.4.1. Successful Response | |||
| To indicate that the request was successful and revocation of the | To indicate that the request was successful and revocation of the | |||
| skipping to change at page 7, line 28 ¶ | skipping to change at page 7, line 28 ¶ | |||
| authorization decision of the client requesting access to a protected | authorization decision of the client requesting access to a protected | |||
| resource. A system design may, however, instead use access tokens | resource. A system design may, however, instead use access tokens | |||
| that are handles (also known as "reference tokens") referring to | that are handles (also known as "reference tokens") referring to | |||
| authorization data stored at the authorization server. | authorization data stored at the authorization server. | |||
| While these are not the only options, they illustrate the | While these are not the only options, they illustrate the | |||
| implications for revocation. In the latter case of reference tokens, | implications for revocation. In the latter case of reference tokens, | |||
| the authorization server is able to revoke an access token by | the authorization server is able to revoke an access token by | |||
| removing it from storage. In the former case, without storing | removing it from storage. In the former case, without storing | |||
| tokens, it may be impossible to revoke tokens without taking | tokens, it may be impossible to revoke tokens without taking | |||
| additional measures. | additional measures. One such measure is to use | |||
| [I-D.ietf-oauth-status-list] to maintain a distributed and easily- | ||||
| compressed list of token revocation statuses. | ||||
| For this reason, revocation of access tokens is optional in this | For this reason, revocation of access tokens is optional in this | |||
| specification, since it may pose too significant of a burden for | specification, since it may pose too significant of a burden for | |||
| implementers. It is not required to revoke access tokens to be able | implementers. It is not required to revoke access tokens to be able | |||
| to return a success code to the caller. | to return a success code to the caller. | |||
| 5. Authorization Server Metadata | 5. Authorization Server Metadata | |||
| The following authorization server metadata parameters [RFC8414] are | The following authorization server metadata parameters [RFC8414] are | |||
| introduced to signal the server's capability and policy with respect | introduced to signal the server's capability and policy with respect | |||
| skipping to change at page 8, line 4 ¶ | skipping to change at page 7, line 47 ¶ | |||
| 5. Authorization Server Metadata | 5. Authorization Server Metadata | |||
| The following authorization server metadata parameters [RFC8414] are | The following authorization server metadata parameters [RFC8414] are | |||
| introduced to signal the server's capability and policy with respect | introduced to signal the server's capability and policy with respect | |||
| to Global Token Revocation. | to Global Token Revocation. | |||
| "global_token_revocation_endpoint": The URL of the authorization | "global_token_revocation_endpoint": The URL of the authorization | |||
| server's global token revocation endpoint. | server's global token revocation endpoint. | |||
| "global_token_revocation_endpoint_auth_methods_supported": OPTIONAL. | "global_token_revocation_endpoint_auth_methods_supported": OPTIONAL. | |||
| JSON array containing a list of client authentication methods | JSON array containing a list of client authentication methods | |||
| supported by this introspection endpoint. The valid client | supported by this introspection endpoint. The valid client | |||
| authentication method values are those registered in the IANA | authentication method values are those registered in the IANA | |||
| "OAuth Token Endpoint Authentication Methods" registry | "OAuth Token Endpoint Authentication Methods" registry | |||
| [IANA.oauth-parameters] or those registered in the IANA "OAuth | [IANA.oauth-parameters] or those registered in the IANA "OAuth | |||
| Access Token Types" registry [IANA.oauth-parameters]. (These | Access Token Types" registry [IANA.oauth-parameters]. (These | |||
| values are and will remain distinct, due to Section 7.2.) If | values are and will remain distinct, due to Section 7.2.) If | |||
| omitted, the set of supported authentication methods MUST be | omitted, the set of supported authentication methods MUST be | |||
| determined by other means. | determined by other means. | |||
| 6. Security Considerations | 6. Security Considerations | |||
| 6.1. Enumeration of User Accounts | 6.1. Authentication of Revocation Request | |||
| While Section 3.2 requires that the revocation request is an | ||||
| authenticated request, the specifics of the authentication are out of | ||||
| scope of this specification. | ||||
| Since the revocation request ultimately has wide-reaching effects (a | ||||
| user is expected to be logged out of all devices), this presents a | ||||
| new Denial of Service attack vector. As such, the authentication | ||||
| used for this request SHOULD be narrowly scoped to avoid granting | ||||
| unnecessary privileges to the caller. | ||||
| For example, if using OAuth Bearer Tokens, the token SHOULD be issued | ||||
| with a single scope that enables it to perform the revocation | ||||
| request, and no other type of token issued should include this scope. | ||||
| If the authorization server is multi-tenant (supports multiple | ||||
| customers) through different identity providers, each identity | ||||
| provider SHOULD use its own scoped credential that is only authorized | ||||
| to revoke tokens for users within the same tenant. | ||||
| 6.2. Enumeration of User Accounts | ||||
| Typically, an API that accepts a user identifier and returns | Typically, an API that accepts a user identifier and returns | |||
| different statuses depending on whether the user exists would provide | different statuses depending on whether the user exists would provide | |||
| an attack vector allowing enumeration of user accounts. This | an attack vector allowing enumeration of user accounts. This | |||
| specification does require a "User Not Found" response, so would | specification does require a "User Not Found" response, so would | |||
| normally fall under this category. However, requests to the endpoint | normally fall under this category. However, requests to the endpoint | |||
| defined by this specification are required to be authenticated, so | defined by this specification are required to be authenticated, so | |||
| this is not considered a public endpoint. | this is not considered a public endpoint. | |||
| If the tool making the request is compromised, and the attacker can | If the tool making the request is compromised, and the attacker can | |||
| impersonate the requests from this tool (either by coercing the tool | impersonate the requests from this tool (either by coercing the tool | |||
| to make the request, or by extracting the credentials), then the | to make the request, or by extracting the credentials), then the | |||
| attacker would be able to enumerate user accounts. However, since | attacker would be able to enumerate user accounts. However, since | |||
| the request is not just testing the presence of a user account, but | the request is not just testing the presence of a user account, but | |||
| actually revoking the tokens associated with the user if successful, | actually revoking the tokens associated with the user if successful, | |||
| this would likely be easily visible in any audit logs as many users | this would likely be easily visible in any audit logs as many users' | |||
| tokens would be revoked in a short period of time. | tokens would be revoked in a short period of time. | |||
| To mitigate some of the concerns of providing such a powerful API | To mitigate some of the concerns of providing such a powerful API | |||
| endpoint, the users that a particular client can request revocation | endpoint, the users that a particular client can request revocation | |||
| for SHOULD be limited, and the authentication of the request SHOULD | for SHOULD be limited, and the authentication of the request SHOULD | |||
| be used to scope the possible user revocation list to only users | be used to scope the possible user revocation list to only users | |||
| authorized to the client. | authorized to the client as described in Section 6.1. | |||
| For example, a multi-tenant identity provider that uses different | For example, a multi-tenant identity provider that uses different | |||
| signing keys for users assciated with different tenants, can also use | signing keys for users associated with different tenants, can also | |||
| the same signing keys to authenticate revocation requests, such as | use the same signing keys to authenticate revocation requests, such | |||
| creating a JWT to use as client authentication as described in | as creating a JWT to use as client authentication as described in | |||
| [RFC7523]. This enables the authorization server receiving the | [RFC7523]. This enables the authorization server receiving the | |||
| request to only accept revocation requests for users that are | request to only accept revocation requests for users that are | |||
| associated with the particular tenant at the identity provider. | associated with the particular tenant at the identity provider. | |||
| 6.3. Malicious Authorization Server | ||||
| From the point of view of an identity provider that supports | ||||
| integrations with multiple downstream applications, there is an | ||||
| opportunity for a downstream application to maliciously set up a | ||||
| Global Token Revocation endpoint to harvest user identifiers and | ||||
| authentication of the revocation requests. | ||||
| Similarly as described in Section 6.1 above, each integration SHOULD | ||||
| be using separate authentication credentials, and each credential | ||||
| SHOULD be scoped as narrowly as possible, such that a malicious | ||||
| server that receives this authentication cannot replay it anywhere | ||||
| else to perform any actions on other systems. | ||||
| 7. IANA Considerations | 7. IANA Considerations | |||
| 7.1. OAuth Authorization Server Metadata | 7.1. OAuth Authorization Server Metadata | |||
| IANA has (TBD) registered the following values in the IANA "OAuth | IANA has (TBD) registered the following values in the IANA "OAuth | |||
| Authorization Server Metadata" registry of [IANA.oauth-parameters] | Authorization Server Metadata" registry of [IANA.oauth-parameters] | |||
| established by [RFC8414]. | established by [RFC8414]. | |||
| *Metadata Name*: global_token_revocation_endpoint | *Metadata Name*: global_token_revocation_endpoint | |||
| skipping to change at page 10, line 17 ¶ | skipping to change at page 10, line 44 ¶ | |||
| DOI 10.17487/RFC8414, June 2018, | DOI 10.17487/RFC8414, June 2018, | |||
| <https://www.rfc-editor.org/rfc/rfc8414>. | <https://www.rfc-editor.org/rfc/rfc8414>. | |||
| [RFC9493] Backman, A., Ed., Scurtescu, M., and P. Jain, "Subject | [RFC9493] Backman, A., Ed., Scurtescu, M., and P. Jain, "Subject | |||
| Identifiers for Security Event Tokens", RFC 9493, | Identifiers for Security Event Tokens", RFC 9493, | |||
| DOI 10.17487/RFC9493, December 2023, | DOI 10.17487/RFC9493, December 2023, | |||
| <https://www.rfc-editor.org/rfc/rfc9493>. | <https://www.rfc-editor.org/rfc/rfc9493>. | |||
| 8.2. Informative References | 8.2. Informative References | |||
| [I-D.ietf-oauth-status-list] | ||||
| Looker, T., Bastian, P., and C. Bormann, "Token Status | ||||
| List", Work in Progress, Internet-Draft, draft-ietf-oauth- | ||||
| status-list-02, 3 March 2024, | ||||
| <https://datatracker.ietf.org/doc/html/draft-ietf-oauth- | ||||
| status-list-02>. | ||||
| [OpenID] Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and | [OpenID] Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and | |||
| C. Mortimore, "OpenID Connect Core 1.0", November 2014, | C. Mortimore, "OpenID Connect Core 1.0", November 2014, | |||
| <https://openid.net/specs/openid-connect-core-1_0.html>. | <https://openid.net/specs/openid-connect-core-1_0.html>. | |||
| [RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization | [RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization | |||
| Framework: Bearer Token Usage", RFC 6750, | Framework: Bearer Token Usage", RFC 6750, | |||
| DOI 10.17487/RFC6750, October 2012, | DOI 10.17487/RFC6750, October 2012, | |||
| <https://www.rfc-editor.org/rfc/rfc6750>. | <https://www.rfc-editor.org/rfc/rfc6750>. | |||
| [RFC7009] Lodderstedt, T., Ed., Dronia, S., and M. Scurtescu, "OAuth | [RFC7009] Lodderstedt, T., Ed., Dronia, S., and M. Scurtescu, "OAuth | |||
| skipping to change at page 12, line 21 ¶ | skipping to change at page 13, line 7 ¶ | |||
| The Shared Signals Framework at the OpenID Foundation provides two | The Shared Signals Framework at the OpenID Foundation provides two | |||
| specifications that have functionality related to session and token | specifications that have functionality related to session and token | |||
| revocation. | revocation. | |||
| Continuous Access Evaluation Profile (CAEP) | Continuous Access Evaluation Profile (CAEP) | |||
| (https://openid.net/specs/openid-caep-specification-1_0.html) defines | (https://openid.net/specs/openid-caep-specification-1_0.html) defines | |||
| several event types that can be sent between cooperating parties. In | several event types that can be sent between cooperating parties. In | |||
| particular, the "Session Revoked" event can be sent from an identity | particular, the "Session Revoked" event can be sent from an identity | |||
| provider to an authorization server when the user's session at the | provider to an authorization server when the user's session at the | |||
| identity provider was revoked. The main difference between this and | identity provider was revoked. The main difference between this and | |||
| the Global Token Revocation request is that teh CAEP event is a | the Global Token Revocation request is that the CAEP event is a | |||
| signal that may or may not be acted upon by the receiver, whereas the | signal that may or may not be acted upon by the receiver, whereas the | |||
| Global Token Revocation request is a command that has a defined list | Global Token Revocation request is a command that has a defined list | |||
| of expected outcomes. | of expected outcomes. | |||
| Risk Incident Sharing and Coordination (RISC) | Risk Incident Sharing and Coordination (RISC) | |||
| (https://openid.net/specs/openid-risc-profile-specification-1_0.html) | (https://openid.net/specs/openid-risc-profile-specification-1_0.html) | |||
| defines events that have somewhat stronger defined meanings compared | defines events that have somewhat stronger defined meanings compared | |||
| to CAEP. In particular, the "Account Disabled" event has clear | to CAEP. In particular, the "Account Disabled" event has clear | |||
| meaning and strongly implies that a receiver should also disable the | meaning and strongly implies that a receiver should also disable the | |||
| specified account. However, RISC also has a mechanism for a user to | specified account. However, RISC also has a mechanism for a user to | |||
| skipping to change at page 12, line 45 ¶ | skipping to change at page 13, line 31 ¶ | |||
| Lastly, it is more complex to set up a receiver for CAEP and RISC | Lastly, it is more complex to set up a receiver for CAEP and RISC | |||
| events compared to a receiver for the Global Token Revocation | events compared to a receiver for the Global Token Revocation | |||
| request, so if the receiver is only interested in supporting the | request, so if the receiver is only interested in supporting the | |||
| revocation use cases, it is much simpler to support the single POST | revocation use cases, it is much simpler to support the single POST | |||
| request described in this draft. | request described in this draft. | |||
| Appendix B. Document History | Appendix B. Document History | |||
| (( To be removed from the final specification )) | (( To be removed from the final specification )) | |||
| -03 | ||||
| * Renamed property from subject to sub_id for consistency with JWT | ||||
| claim name defined in RFC9493 | ||||
| * Added reference to draft-ietf-oauth-status-list | ||||
| * Added additional security considerations for authentication of the | ||||
| revocation request and malicious authorization servers | ||||
| -02 | -02 | |||
| * Added security consideration around enumeration of user accounts | * Added security consideration around enumeration of user accounts | |||
| * Added an appendix describing the differences between this and | * Added an appendix describing the differences between this and | |||
| related logout specifications | related logout specifications | |||
| -01 | -01 | |||
| * Clarified revocation expectations | ||||
| * Clarified revocation expectations | ||||
| * Better definition of endpoint | * Better definition of endpoint | |||
| * Added section defining endpoint in Authorization Server Metadata | * Added section defining endpoint in Authorization Server Metadata | |||
| -00 | -00 | |||
| * Initial Draft | * Initial Draft | |||
| Acknowledgments | Acknowledgments | |||
| The authors would like to thank the following people for their | The authors would like to thank the following people for their | |||
| contributions and reviews of this specification: George Fletcher, | contributions and reviews of this specification: Apoorva Deshpande, | |||
| Karl McGuinness, Mike Jones. | George Fletcher, Karl McGuinness, Mike Jones. | |||
| Author's Address | Author's Address | |||
| Aaron Parecki | Aaron Parecki | |||
| Okta | Okta | |||
| Email: aaron@parecki.com | Email: aaron@parecki.com | |||
| URI: https://aaronparecki.com | URI: https://aaronparecki.com | |||
| End of changes. 26 change blocks. | ||||
| 32 lines changed or deleted | 86 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||