Re: [OAUTH-WG] Evaluation of Scope Management in Refresh Token Behavior
Judith Kahrer <judith.kahrer@curity.io> Tue, 20 February 2024 09:16 UTC
Return-Path: <judith.kahrer@curity.io>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33279C14F616 for <oauth@ietfa.amsl.com>; Tue, 20 Feb 2024 01:16:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level:
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=curity.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hGeJeNFgHrs3 for <oauth@ietfa.amsl.com>; Tue, 20 Feb 2024 01:15:55 -0800 (PST)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9042BC14F603 for <oauth@ietf.org>; Tue, 20 Feb 2024 01:15:55 -0800 (PST)
Received: by mail-lj1-x22e.google.com with SMTP id 38308e7fff4ca-2d22d0f8ad1so30966331fa.2 for <oauth@ietf.org>; Tue, 20 Feb 2024 01:15:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=curity.io; s=google; t=1708420553; x=1709025353; darn=ietf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=zUUgHJO1r/jMb5NwFGVy8eygSS71SU5rvU3nbSNQJvY=; b=Ojsdp8u8DVNpGEWb+8/bT2khHgyJYnv13o8LGcgXFYC7ayq6+XhXZx2KqLbTkphIsj hJFt4vtb4+M0aHcaNbCH8uf4ziFxzKJlio43+6DupPLrUoMD2StG0EFGG8QP+M+JFlnF YfZRL/Tw1MeAlD8PxIZG2tfUjgBR/QJCvj1EMh09UlUSDiBDx0AxO36kysmKNPtmyyYy LPc2YIp7YuGS4OEOOPN81WQ8jEphFNPmxd+hUcblMIrOduq3in78ON5mb+vHG+9U9olr dnud5L3C6dp+grR5rilbpfzX+fYXl4JsMfjjGS6NiRNQ9iZTdg+qWTH1eA6vPNTn40bG XlFA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708420553; x=1709025353; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=zUUgHJO1r/jMb5NwFGVy8eygSS71SU5rvU3nbSNQJvY=; b=gmHVh1lGCGANWsJoN65tBrXb0g5df8kTxtZlvVb6VDAXrclktDh4wSBWJMCHUGbiOB Xx4MAULFmNf/w8wSCU1UO0Sw2UY3znF706G1ErySSPMUoGS7KMghiIpwajGza4XxrKIV g7czK26DQ3YzdcJh/aTz7wuIQjSy/srk5MYi6sgEoG0e0QBClGRMd0ulkSL8FfmHXLYQ 5bnW1FbryAnp3bpSn3O7Cauoj5lkgdhTikUL8o/10zn5zYiYF2/wKilzrZDFneYMavzK gty9P6/r0xv9IsL/YjiCXXSG99McJ5ZFPJBjktK8EQla3H6SMisLvpZpNVkl5ivXq2ik 7jsw==
X-Gm-Message-State: AOJu0YxH10ZJrXqf2APepyQvecC8FDlNcDdsDSzPTqRvp7jRFJhEM47c HSI5LsuQv2oX165fuvzHJZpUt7DL6bvl5dO4cPVbiaDdBCI4PRYCYNhl88fSgBU=
X-Google-Smtp-Source: AGHT+IF0NLXOrAwRlYGD+JKg/dMlPpgDC1iaSDz1HuwAmKaMtiyCH80LxZU6HKNmLLZp+ZC/dK9G/w==
X-Received: by 2002:a2e:a9a0:0:b0:2d2:3b72:4c17 with SMTP id x32-20020a2ea9a0000000b002d23b724c17mr3456283ljq.3.1708420553045; Tue, 20 Feb 2024 01:15:53 -0800 (PST)
Received: from smtpclient.apple (h-82-196-111-212.NA.cust.bahnhof.se. [82.196.111.212]) by smtp.gmail.com with ESMTPSA id a11-20020a2e980b000000b002d0f905ddf9sm1428265ljj.18.2024.02.20.01.15.52 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 20 Feb 2024 01:15:52 -0800 (PST)
From: Judith Kahrer <judith.kahrer@curity.io>
Message-Id: <ABC088D5-9766-40FB-8692-3DC4000A1343@curity.io>
Content-Type: multipart/alternative; boundary="Apple-Mail=_1527954C-A6B9-473B-BF2B-95EA67F8E739"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.200.91.1.1\))
Date: Tue, 20 Feb 2024 10:15:41 +0100
In-Reply-To: <CAD=XBCrMkpjuqwYOjZ4TfBqQu2ik6HNSA4zCizZB+rCMyJHpWA@mail.gmail.com>
Cc: oauth@ietf.org
To: Sachin Mamoru <sachinmamoru@gmail.com>
References: <CAD=XBCrMkpjuqwYOjZ4TfBqQu2ik6HNSA4zCizZB+rCMyJHpWA@mail.gmail.com>
X-Mailer: Apple Mail (2.3774.200.91.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2Pr3MKfONyaRzhwEeTWk0w03uJY>
Subject: Re: [OAUTH-WG] Evaluation of Scope Management in Refresh Token Behavior
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Feb 2024 09:16:00 -0000
Hi Sachin, When the authorization server returns a new refresh token as part of refreshing an access token, then the new refresh token MUST have the same scope as the original “old” refresh token (independent from the value of the scope request parameter, e.g. it does not matter whether the client requested narrow scopes for the access token or not). The refresh token represents the “authorization granted to the client by the resource owner” (see section 1.5 of RFC 6749). This grant does not change just because the client refreshes a new access token (which is a flow that does not even include the resource owner). Consequently, section 6 in RFC 6749 states: If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request. In other words, the current behaviour is not compliant with the specs because it changes the scope of the refresh token. The behaviour is correct in the sense that the client cannot request more scopes than the refresh token allows for. The fix is not to allow privilege escalation by enabling a client to request an “access token with original scope list” which is not part of the refresh token (anymore). Instead, maintain the original scope list in the new refresh token. Best regards, Judith Kahrer E: judith.kahrer@curity.io W: curity.io > On 20 Feb 2024, at 07:35, Sachin Mamoru <sachinmamoru@gmail.com> wrote: > > Hi All, > > When we request an access token using 3 scopes (scope1, scope2, scope3). > Then will receive a refresh token (refresh_token1) with the access token. > > After that will request another access token with refresh_token1 and provide the scope list as scope1 and scope2 (Narrow down scopes). > Similarly, get another refresh token (refresh_token2) with the access token. > > Now if we request another access token with refresh_token2, we cannot request scope3, instead, we can either request both scope1 and scope2 or one of them. > > But in the specification, didn't able to find anything related to narrow-down scopes with refresh token. > > From Spec > > 1.5. Refresh Token - Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner). > > 6. Refreshing an Access Token > The scope of the access request as described by Section 3.3. The requested scope MUST NOT include any scope not originally granted by the resource owner, and if omitted is treated as equal to the scope originally granted by the resource owner. > > https://datatracker.ietf.org/doc/html/rfc6749 > > IMO, from a security aspect, the current behaviour is much more secure because it is designed to maintain the principle of least privilege, where it updates the refresh token authorised scopes based on the requested ones. > > What should be the correct behaviour? > narrow-down scope refresh token should also be able to request access token with original scope list? > > Your input is highly valuable on this. > > Thanks & Regards, > Sachin > -- > > > Sachin Mamoru > Software Engineer, WSO2 > +94771292681 <tel:+94771292681> > | sachinmamoru.me <https://sachinmamoru.me/> > sachinmamoru@gmail.com <mailto:sachinmamoru@gmail.com> > <https://www.linkedin.com/in/sachin-mamoru/> <https://twitter.com/MamoruSachin> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Evaluation of Scope Management in Refr… Sachin Mamoru
- Re: [OAUTH-WG] Evaluation of Scope Management in … Judith Kahrer