IETF Logo Mail Archive

Re: [OAUTH-WG] Evaluation of Scope Management in Refresh Token Behavior

Neil Madden <neil.e.madden@gmail.com> Tue, 20 February 2024 16:29 UTC

Return-Path: <neil.e.madden@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E2C0C151065 for <oauth@ietfa.amsl.com>; Tue, 20 Feb 2024 08:29:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.192
X-Spam-Level:
X-Spam-Status: No, score=-5.192 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001, MPART_ALT_DIFF=0.79, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gJBYqKldz3-t for <oauth@ietfa.amsl.com>; Tue, 20 Feb 2024 08:29:40 -0800 (PST)
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0672EC14F71D for <oauth@ietf.org>; Tue, 20 Feb 2024 08:29:39 -0800 (PST)
Received: by mail-lj1-x236.google.com with SMTP id 38308e7fff4ca-2d236ae4f45so5966301fa.0 for <oauth@ietf.org>; Tue, 20 Feb 2024 08:29:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1708446577; x=1709051377; darn=ietf.org; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:from:to:cc:subject:date:message-id :reply-to; bh=N0Q5GKGw9dTjcX4hDMbH6/xc3pggvzvVo82Y616uyg0=; b=J9ov7ToyttfN7imk9bT98R9A4gwDuCZIE55EINlptVHaBgVMr16afk/+gtfYD2WQ4I 3TqF2bf9+tLXSafWbCPWunZmTDHkeclto7LntibfQ0mk5Ou0bHmIz+tbKOpBnX7Et95C W/ACZTkpiRafJRm4ssLgvpvoiuy/blqhkWrjIWTc7fBqcD0HGSwpxdmPY1OpCihmQLj+ onUwBKqu6nHG4CBu8/XzwaLzpKugkgk1UOOu+G+WEl0WmMnK8WNwmnz9pmELELkl2Au8 faMFQKdIRDb85wBLJ4Y1VfBTUaFMB60lAFlotHhWKwRiO+yseCjYo69tyEkOixnkVt5Y jJ7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708446577; x=1709051377; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=N0Q5GKGw9dTjcX4hDMbH6/xc3pggvzvVo82Y616uyg0=; b=BnXsNe8GS9KO5rEmsMiZtJAPzbw+aBfk7/+5ec06IGLt6ktXXauFkfuyi/DDLLzTo5 FrNvot+n+WeoQpeEEtCiDDfZXYHZYEcUNS15sT1vEXyruXgRZR/zj0OOmz5EALaJdRam DEiZRZTCXrIotfZMhJr0WnXInG+0Ehn88gYi4kVhnhciAjtEGzTRbqAgFlEwCvRBJEtH 1aJwsXmSHXD7CjK13IjFIi8XbQJF7XCllCPHLiGPckdfKjQlMsdqmDWzZKfBgQMVjUTq oTgBDqsb0aWso5aYW9wkBnYCnLiupH/of9IuQ6byLu4HXxXs0Baow2chd40A77JUNAgO c0wQ==
X-Gm-Message-State: AOJu0Yy5LD3MczLiio/rD/NiPt9CwLJsgxIWAuv0zmENGFIsfe9gKqlj /gJCfqgEWzuBElhV3ERZDG2oNcbaqA2J7JMaNWTPNtgnxFR4/46xzHEZOHbL
X-Google-Smtp-Source: AGHT+IGcDycjGVvsGgYAsjg9lqpDNOicxZ/jQoT6yVoylm6KWyPk9IwSPA4jhEZ9XyyFOxvKGUJ6XQ==
X-Received: by 2002:a2e:9787:0:b0:2d2:3d37:c9e1 with SMTP id y7-20020a2e9787000000b002d23d37c9e1mr3528051lji.4.1708446577139; Tue, 20 Feb 2024 08:29:37 -0800 (PST)
Received: from smtpclient.apple ([2a00:23ee:10f0:1119:65bd:b6ce:91f:c6e4]) by smtp.gmail.com with ESMTPSA id p10-20020a2e9aca000000b002d0dec71acfsm1532111ljj.132.2024.02.20.08.29.36 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 20 Feb 2024 08:29:36 -0800 (PST)
From: Neil Madden <neil.e.madden@gmail.com>
X-Google-Original-From: Neil Madden <Neil.E.Madden@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-2328CCD6-8EE9-4BD8-9F77-FB1D852BFD1C"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
Date: Tue, 20 Feb 2024 16:29:25 +0000
Message-Id: <374ADB2C-2F74-4B95-8CDA-3266089CD00C@gmail.com>
References: <CAD=XBCog_o8GzpDMTYKvvi=2mneM0nW0vfCc=FubtOFNF5WM=A@mail.gmail.com>
Cc: oauth@ietf.org, janak@wso2.com, thilinasenarath97@gmail.com
In-Reply-To: <CAD=XBCog_o8GzpDMTYKvvi=2mneM0nW0vfCc=FubtOFNF5WM=A@mail.gmail.com>
To: Sachin Mamoru <sachinmamoru@gmail.com>
X-Mailer: iPhone Mail (21C66)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2q8FgLOCc13iY-909isxlE1W-Hw>
Subject: Re: [OAUTH-WG] Evaluation of Scope Management in Refresh Token Behavior
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Feb 2024 16:29:44 -0000



On 20 Feb 2024, at 11:02, Sachin Mamoru <sachinmamoru@gmail.com> wrote:


Hi Neil,

Does that mean it should be identical to the narrowed scope request or the original request scope?

It says it has to be identical to the scope of the existing refresh token in the request, not the scope specified in the request. So effectively you can never downscope a refresh token in this way. Whatever scope you specify, any RT returned must always retain the original scope. 

(There are other ways to downscope a RT, eg ForgeRock’s macaroons allow you to attenuate the scope if you wish). 

— Neil


On Tue, 20 Feb 2024 at 16:31, Sachin Mamoru <sachinmamoru@gmail.com> wrote:


On Tue, 20 Feb 2024 at 12:23, Neil Madden <neil.e.madden@gmail.com> wrote:

On 20 Feb 2024, at 06:44, Sachin Mamoru <sachinmamoru@gmail.com> wrote:


Hi All,

When we request an access token using 3 scopes (scope1, scope2, scope3).

Then will receive a refresh token (refresh_token1) with the access token.


After that will request another access token with refresh_token1 and provide the scope list as scope1 and scope2 (Narrow down scopes).

Similarly, get another refresh token (refresh_token2) with the access token.


Now if we request another access token with refresh_token2, we cannot request scope3, instead, we can either request both scope1 and scope2 or one of them.


But in the specification, didn't able to find anything related to narrow-down scopes with refresh token.


From Spec


1.5.  Refresh Token - Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner).


6.  Refreshing an Access Token

The scope of the access request as described by Section 3.3.  The requested scope MUST NOT include any scope not originally granted by the resource owner, and if omitted is treated as equal to the scope originally granted by the resource owner.


https://datatracker.ietf.org/doc/html/rfc6749" target="_blank" rel="nofollow">https://datatracker.ietf.org/doc/html/rfc6749


IMO, from a security aspect, the current behaviour is much more secure because it is designed to maintain the principle of least privilege, where it updates the refresh token authorised scopes based on the requested ones.


What should be the correct behaviour?
narrow-down scope refresh token should also be able to request access token with original scope list?


Also from section 6:

If a
   new refresh token is issued, the refresh token scope MUST be
   identical to that of the refresh token included by the client in the
   request.




— Neil


--
https://d36urhup7zbd7q.cloudfront.net/29e6c216-f94e-4bc3-8205-f3ea762db0d5/profile.format_png.resize_200x.jpeg" height="auto" width="65">
 
Sachin Mamoru
Software Engineer, WSO2
+94771292681
| https://sachinmamoru.me" target="_blank" rel="nofollow"> sachinmamoru.me 
sachinmamoru@gmail.com 
https://www.linkedin.com/in/sachin-mamoru/" target="_blank" rel="nofollow">https://cdn.gifo.wisestamp.com/s/ld/0077b5/50/0/background.png" border="0">https://twitter.com/MamoruSachin" target="_blank" rel="nofollow">https://cdn.gifo.wisestamp.com/s/tw/55acee/50/0/background.png" border="0">

https://tracy.srv.wisestamp.com/px/5434123278745600.png" alt="">


--
https://d36urhup7zbd7q.cloudfront.net/29e6c216-f94e-4bc3-8205-f3ea762db0d5/profile.format_png.resize_200x.jpeg" height="auto" width="65">
 
Sachin Mamoru
Software Engineer, WSO2
+94771292681
| https://sachinmamoru.me" target="_blank" rel="nofollow"> sachinmamoru.me 
sachinmamoru@gmail.com 
https://www.linkedin.com/in/sachin-mamoru/" target="_blank" rel="nofollow">https://cdn.gifo.wisestamp.com/s/ld/0077b5/50/0/background.png" border="0">https://twitter.com/MamoruSachin" target="_blank" rel="nofollow">https://cdn.gifo.wisestamp.com/s/tw/55acee/50/0/background.png" border="0">

https://tracy.srv.wisestamp.com/px/5434123278745600.png" alt="">

v2.23.0 | Report a Bug | By Email