IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth 2.0 Token Introspection in RFC7662 : Refresh token?

Bill Jung <bjung@pingidentity.com> Wed, 04 March 2020 19:02 UTC

Return-Path: <bjung@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51DD53A14DC for <oauth@ietfa.amsl.com>; Wed, 4 Mar 2020 11:02:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.077
X-Spam-Level:
X-Spam-Status: No, score=-2.077 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, T_REMOTE_IMAGE=0.01, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 12S0GS3yjxFB for <oauth@ietfa.amsl.com>; Wed, 4 Mar 2020 11:02:01 -0800 (PST)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 314A23A14DB for <oauth@ietf.org>; Wed, 4 Mar 2020 11:02:01 -0800 (PST)
Received: by mail-lj1-x229.google.com with SMTP id q19so3239585ljp.9 for <oauth@ietf.org>; Wed, 04 Mar 2020 11:02:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2pCy2sKt+vTsqFocOJcfjEorvxSNQA+hP9mq3LRWTTY=; b=fwibbgN6Ub0t+csyQ4Cz+GbNqQDiEHJ/nh4s9nnG7N/omlyOLJ6AMsGlYSMFXp3myZ R++i99l0KOgUQroeFzVUQYpDe0TNmR5vk2uZcm2QLq1534iw5F1jIUowDeJUmkzWYXmf Et+6GkcprZchTQ0QX4zPugpPbSFmpJ9TrnCLH2nqmvVWD9e7r4KWbwy/XqjZnOZNHSYa WeXePACkyJQhJor433m+7RQrHdEigKA4MgxTdrrICJd+KmQSSWbolFbnSS7IoMAJVqIN 2vHFPSMGOiIBJ3/KHwQJaK0ya4jOeFLo7vWc1EcRKosYhvoJIjPNXHBT72jQYRB8iSoJ Riig==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2pCy2sKt+vTsqFocOJcfjEorvxSNQA+hP9mq3LRWTTY=; b=NqeuB3SFWxv2acYRn/mJTVS5+Z1rRXxYwu7CeO3zP576SIHhHh1ZYUhCEtUkt448GE G8ndmjAh3LWT2e+8hAds9NQcoEHthLqYzF4nEA4sHir9AABKJ4bKn2B1Ez51mLche/Dm OiEY1OcuVGVprYJIaobD3ztbKe4+DLEM3Vk2iPYZZJ8twXvksQv8t70T5FP43z968XqM BjuTpnmHTqanB/pAy9fNHrA/NKP3MD7hYT5E43O3mUVoWdEJ0BvBNx0JIVCNf8lY76FI rzMTtNPUhqGMm3U5ZlO4Oti/4yIEtOQ8S5HxIbavn7/JabFIgSSvJjhaTpEqXJ5oJFZU LwiA==
X-Gm-Message-State: ANhLgQ0aJvKfEQnf3b7H6l/HjTpBrwAE2PiEEcwBqta6+vDxRslXLZYB 76plvvbaH77OT84fOK70uhDcAReGJlVCBWGp1KezveslOc8PL86EneqS9tVZeTSMkhBcHgE1vPV T9KFApg1YE2/VEg==
X-Google-Smtp-Source: ADFU+vurCeCYN7Mn3yJQzhirR2RmnA7RZyAMtpkScWKtWbVMiMkpcr4cPyHMLTEq4Z3i7kM8MXyIbuIxRfNRdeJeq48=
X-Received: by 2002:a2e:9d0f:: with SMTP id t15mr2788558lji.171.1583348519075; Wed, 04 Mar 2020 11:01:59 -0800 (PST)
MIME-Version: 1.0
References: <CAErhd0OLTMKxXnT-_X6DyWYUxe==gTXdcHKLjOEDTmXCUZNxrg@mail.gmail.com> <CALkShcuLTd02iu309dCZ8PtnzbKd5b9PsVS_DWUMGWXgFovwMg@mail.gmail.com> <C0C40A3E-2455-4C86-B504-AB18F31975D9@alkaline-solutions.com> <CALkShct=sYSq-HoG=yMiV2BqT8+F=gnej+p2GgFD87FV1OQu3w@mail.gmail.com> <D3D1BFB8-CE54-4E48-A8B9-45E01ED2B637@alkaline-solutions.com>
In-Reply-To: <D3D1BFB8-CE54-4E48-A8B9-45E01ED2B637@alkaline-solutions.com>
From: Bill Jung <bjung@pingidentity.com>
Date: Wed, 04 Mar 2020 11:01:47 -0800
Message-ID: <CAErhd0PkNzFTVgjSS24RzjKZ+sq2Hubhr3j_hmnbtgLuQgOGhQ@mail.gmail.com>
To: David Waite <david=40alkaline-solutions.com@dmarc.ietf.org>
Cc: Andrii Deinega <andrii.deinega@gmail.com>, oauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000091c9405a00c0e53"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-S3U95XPBXSktr-Bpc7ah1ht8eU>
Subject: Re: [OAUTH-WG] OAuth 2.0 Token Introspection in RFC7662 : Refresh token?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Mar 2020 19:02:07 -0000

The question started when some RPs (client apps) asked that AS allow
introspection endpoint to RPs so that RPs can check their refresh
token's expiry. If AS allows this, which the spec is not clear about, then
AS needs to know if the request is coming from RP or RS so that AS can
allow the Access Token introspection to RS only. But then is that the right
thing to do even?

Surely some clarification will eliminate the time spent on unnecessary
discussion among developers.

<https://www.pingidentity.com>[image: Ping Identity]
<https://www.pingidentity.com>
Bill Jung
Manager, Response Engineering
bjung@pingidentity.com
w: +1 604.697.7037
Connect with us: [image: Glassdoor logo]
<https://www.glassdoor.com/Overview/Working-at-Ping-Identity-EI_IE380907.11,24.htm>
[image:
LinkedIn logo] <https://www.linkedin.com/company/21870> [image: twitter
logo] <https://twitter.com/pingidentity> [image: facebook logo]
<https://www.facebook.com/pingidentitypage> [image: youtube logo]
<https://www.youtube.com/user/PingIdentityTV> [image: Blog logo]
<https://www.pingidentity.com/en/blog.html>
<https://www.google.com/url?q=https://www.pingidentity.com/content/dam/ping-6-2-assets/Assets/faqs/en/consumer-attitudes-post-breach-era-3375.pdf?id%3Db6322a80-f285-11e3-ac10-0800200c9a66&source=gmail&ust=1541693608526000&usg=AFQjCNGBl5cPHCUAVKGZ_NnpuFj5PHGSUQ>
<https://www.pingidentity.com/en/events/d/identify-2019.html>
<https://www.pingidentity.com/content/dam/ping-6-2-assets/Assets/Misc/en/3464-consumersurvey-execsummary.pdf>


On Sun, Mar 1, 2020 at 9:33 PM David Waite <david=
40alkaline-solutions.com@dmarc.ietf.org> wrote:

> On Mar 1, 2020, at 10:11 PM, Andrii Deinega <andrii.deinega@gmail.com>
> wrote:
> >
> > How would the authorization server know who actually uses the
> > introspection endpoint assuming that a protected resource and a client
> > application use the same credentials (client_id and client_secret)?
>
> In the external context, you have a client accessing a protected resource
> with an access token. The client should treat the token as opaque, and
> RFC7662 makes no allowances for that client to introspect its tokens.
>
> If you control both the client and protected resource, you may decide to
> short-cut and have them share credentials. However, the client logic still
> should never be introspecting the tokens.
>
> The security considerations also say that you must prove the
> authentication of the protected resource, which I have interpreted to mean
> that access tokens used to authorize the call to the introspection endpoint
> must be issued to a confidential client - public clients cannot protect
> credentials to perform an authentication. You want to limit introspection
> to prevent denial of service and probing attacks, and to limit the amount
> of information on viable attacks conveyed if someone steals a token.
>
> -DW
>
> >
> > Regards,
> > Andrii
> >
> > On Sun, Mar 1, 2020 at 7:38 PM David Waite <david@alkaline-solutions.com>
> wrote:
> >>
> >> I would expect the AS to invalidate the refresh token in this case,
> which would not require a refresh token mode nor necessarily any signaling
> back to the resource.
> >>
> >> -DW
> >>
> >>> On Mar 1, 2020, at 12:12 AM, Andrii Deinega <andrii.deinega@gmail.com>
> wrote:
> >>>
> >>> Hello Bill,
> >>>
> >>> I'm just thinking out loud about possible scenarios for a protected
> >>> resource here... It may decide to revoke a refresh token if a client
> >>> application tried to use it instead of an access token when the
> >>> protected resource is paranoid about security. In order to do that an
> >>> introspection response should include a non-standard parameter which
> >>> indicates that the requested token is refresh_token.
> >>>
> >>> A user of the introspection endpoint should rely only on a value of
> >>> the active parameter (which is a boolean indicator) of the endpoint
> >>> response. This applies to both types of tokens. Note, the expiration
> >>> date, as well as other parameters, are defined as optional in the
> >>> specification. Both token types can be revoked before the expiration
> >>> date comes even if this parameter is presented as part of the
> >>> response. In my opinion, there are a number of reasons why this check
> >>> (for a refresh token) can be useful on the client application side.
> >>>
> >>> --
> >>> Regards,
> >>> Andrii
> >>>
> >>>
> >>> On Fri, Feb 28, 2020 at 1:59 AM Bill Jung
> >>> <bjung=40pingidentity.com@dmarc.ietf.org> wrote:
> >>>>
> >>>> Hello, hopefully I am using the right email address.
> >>>>
> >>>> Simply put, can this spec be enhanced to clarify "Who can use the
> introspection endpoint for a refresh token? A resource provider or a client
> app or both?"
> >>>>
> >>>> RFC7662 clearly mentions that the user of introspection endpoint is a
> 'protected resource' and that makes sense for an access token. If we allow
> this to client apps, it'll give unnecessary token information to them.
> >>>> However, the spec also mentions that refresh tokens can also be used
> against the endpoint.
> >>>> In case of refresh tokens, user of the endpoint should be a client
> app because refresh tokens are used by clients to get another access token.
> (Cannot imagine how/why a resource server would introspect a refresh token)
> >>>>
> >>>> Is it correct to assume that the endpoint should be allowed to client
> apps if they want to examine refresh token's expiry time? Then the RFC
> should clearly mention it.
> >>>>
> >>>> Thanks in advance.
> >>>>
> >>>> <Details from the spec>
> >>>> In https://tools.ietf.org/html/rfc7662
> >>>> In '1.  Introduction' section says,
> >>>> "This specification defines a protocol that allows authorized
> >>>> protected resources to query the authorization server to determine
> >>>> the set of metadata for a given token that was presented to them by
> >>>> an OAuth 2.0 client."
> >>>> Above makes clear that user of the endpoint is a "protected resource".
> >>>>
> >>>> And under 'token' in '2.1.  Introspection Request' section says,
> >>>> "For refresh tokens,
> >>>> this is the "refresh_token" value returned from the token endpoint
> >>>> as defined in OAuth 2.0 [RFC6749], Section 5.1."
> >>>> So looks like a refresh token is allowed for this endpoint.
> >>>>
> >>>>
> >>>> Bill Jung
> >>>> Manager, Response Engineering
> >>>> bjung@pingidentity.com
> >>>> w: +1 604.697.7037
> >>>> Connect with us:
> >>>>
> >>>> CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited..
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you._______________________________________________
> >>>> OAuth mailing list
> >>>> OAuth@ietf.org
> >>>> https://www.ietf.org/mailman/listinfo/oauth
> >>>
> >>> _______________________________________________
> >>> OAuth mailing list
> >>> OAuth@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/oauth
> >>
>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email