Re: [OAUTH-WG] Refresh tokens

David Waite <david@alkaline-solutions.com> Tue, 09 July 2019 06:08 UTC

> On Jul 8, 2019, at 8:39 PM, Aaron Parecki <aaron@parecki.com> wrote:
> 
> These are all very good points! I think the challenge here is figuring out where this kind of guidance is most appropriate.
> 
> It does seem like some of these issues are unique to a browser environment (particularly where the browser itself is managing the access and refresh tokens), so maybe it makes the most sense to include this guidance in the browser based app BCP?

Yes, the location is a challenge - the “offline” distinction is defined (arguably under-defined) by OpenID Connect. OAuth (on the other hand) does not take a stand on user authentication sessions, since the tokens are for delegated access.

For confidential clients, both online and offline options make sense. For native apps, the push is usually for long-term access or for a session separate from the external user agent. But for browser apps, you typically want to mirror user authentication.
> If there are situations in which this advice is applicable in other scenarios in addition to browser apps, then I think it would make more sense to include it in the general OAuth security BCP.
> 
> The Security BCP already has some language around refresh tokens, but I haven't reviewed it in a while to see if all of these points might be already covered there.
> 
> If folks think the Browser BCP is the best place for this kind of thing I am definitely open to it, and I can work with David on the specific language to add.
> 
> - Aaron

-DW
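
As an added illustration (not code from this thread, nor from the OAuth Security BCP or Browser BCP it mentions), a Python sketch of an authorization-server policy applying the online/offline distinction discussed above: browser apps get refresh tokens bound to the user's authentication session, native apps get long-lived ones, and confidential clients get either depending on whether `offline_access` was requested. The client categories, the handling of the `offline_access` scope and the lifetimes are assumptions chosen for the example.

```python
from dataclasses import dataclass

OFFLINE_SCOPE = "offline_access"   # OpenID Connect scope that requests offline access
NATIVE_LIFETIME = 30 * 24 * 3600   # assumed refresh-token lifetimes, in seconds
OFFLINE_LIFETIME = 90 * 24 * 3600


@dataclass(frozen=True)
class RefreshTokenGrant:
    scopes: frozenset        # scopes actually granted (offline_access may be dropped)
    session_bound: bool      # token becomes invalid once the user's login session ends
    expires_at: int          # absolute expiry, unix seconds


def refresh_token_policy(client_type: str, requested: set,
                         session_expires_at: int, now: int) -> RefreshTokenGrant:
    """Decide what kind of refresh token to issue for this client (assumed policy)."""
    wants_offline = OFFLINE_SCOPE in requested
    if client_type == "browser":
        # Browser apps mirror user authentication: refuse offline access even if
        # requested, and tie the refresh token to the authentication session.
        return RefreshTokenGrant(frozenset(requested - {OFFLINE_SCOPE}),
                                 True, session_expires_at)
    if client_type == "native":
        # Native apps usually want access that outlives the external user agent's session.
        return RefreshTokenGrant(frozenset(requested), False, now + NATIVE_LIFETIME)
    if client_type == "confidential":
        # Confidential clients may get either: offline only when explicitly requested.
        if wants_offline:
            return RefreshTokenGrant(frozenset(requested), False, now + OFFLINE_LIFETIME)
        return RefreshTokenGrant(frozenset(requested), True, session_expires_at)
    raise ValueError(f"unknown client type: {client_type}")


def refresh_allowed(grant: RefreshTokenGrant, session_active: bool, now: int) -> bool:
    """Return True if the refresh token may still be exchanged at time `now`."""
    if now >= grant.expires_at:
        return False
    if grant.session_bound and not session_active:
        return False   # user logged out or session expired: an online token dies with it
    return True
```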