Re: [OAUTH-WG] Recommendations for OAuth 2.0 with Browser-Based Apps
Emond Papegaaij <emond.papegaaij@gmail.com> Thu, 09 May 2019 08:19 UTC
Return-Path: <emond.papegaaij@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE66712011F for <oauth@ietfa.amsl.com>; Thu, 9 May 2019 01:19:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cRXu6_iy4FTd for <oauth@ietfa.amsl.com>; Thu, 9 May 2019 01:19:44 -0700 (PDT)
Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF5341202E5 for <oauth@ietf.org>; Thu, 9 May 2019 01:19:42 -0700 (PDT)
Received: by mail-ed1-x52f.google.com with SMTP id j12so478125eds.7 for <oauth@ietf.org>; Thu, 09 May 2019 01:19:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=9fFlpHHhxRxius/jK2vFnUHEZdMeUhM92cI0YPtJP2Q=; b=DoFlEHojoqKKLIHjmRXrUc9eQbLvVwjeCl2kGt3et00QY9DGyNy+L8tQ5e5VGOU2+H kOTzVtPYyX34AFg0KG9tpXqet/nsnIyRkFK0sw2BadUbxS6jHjn2ULAy7pvIvpuWGPCA +zWs5iVLM/INiAGdc3ebZ91pq/byHFO/smXWu7yf84xweFXHlGNbDo5r+9REE9VsKGCt VQppu1roLhuajdTkjpshHGV/N6rKQn/p05Kc/OAd96AxmJfMA0GfnCm7h+FqCvjoG2VX QdTv9erI1YNorPPqeVGuJJeOjkxvhPvIGHFfUIEcR1w0LWZUjpFV2Tqb5zMBt1wO8oRi fEkA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=9fFlpHHhxRxius/jK2vFnUHEZdMeUhM92cI0YPtJP2Q=; b=Z/NjuOFI9HeDNSMEArNEVlPuNV1+c2eZvVYt8nCr33SjyOUuqx1kEAKHqZy86PDQAx vyascB+o/GpSEV9/zLQtfBxVaBRZlu0YnLxfhngU7fBlM/DObNF8nGNyrRtJqmw+Zue1 d/uLN+zok1kUofHesbpxWl/kFQqDm5NNQ3uWMLGz2cVaushAbu+aXMjR4MngwbqYITlE nhUaISqYK2SYmLg9KiaYITuQ8wPPDurXZslY9AE94vcwhkXapsgqCidGrDPQPIhuFUH/ qULj6u5qUpsTvHUHbEzedaJqLJlCAFXDRtYvn0kA8kwOlaXNsCUmHex71BOFsW++2ZLn rlfQ==
X-Gm-Message-State: APjAAAX4oE656JR/eDWMIGzLmtZStscHzN6P2bbMAgbKeaNn/86X5GFf kP1qcHuC1/t7bYZU/32Iodnq3whqjpU=
X-Google-Smtp-Source: APXvYqzIAZSVNIejfxzeP9WSbDqXkr/wG1Ib8wVC+C3dSHTVVl4Pn9X51tZW3WrWVb7g0bphfLZ+vg==
X-Received: by 2002:a17:906:3ed1:: with SMTP id d17mr2075661ejj.221.1557389980423; Thu, 09 May 2019 01:19:40 -0700 (PDT)
Received: from papegaaij.localnet ([195.35.227.200]) by smtp.gmail.com with ESMTPSA id dc1sm216862ejb.14.2019.05.09.01.19.39 for <oauth@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Thu, 09 May 2019 01:19:39 -0700 (PDT)
From: Emond Papegaaij <emond.papegaaij@gmail.com>
To: oauth@ietf.org
Date: Thu, 09 May 2019 10:19:38 +0200
Message-ID: <1957487.Czm0dUuOv6@papegaaij>
In-Reply-To: <28AF8EF5-9CCF-44EB-B028-1FCFA892ECEB@alkaline-solutions.com>
References: <11125817.AKI43N3Yza@papegaaij> <2125064.3GpWMRz4CO@papegaaij> <28AF8EF5-9CCF-44EB-B028-1FCFA892ECEB@alkaline-solutions.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3qAhPaEZmtwRpluZWbzGPza0Ou0>
Subject: Re: [OAUTH-WG] Recommendations for OAuth 2.0 with Browser-Based Apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 May 2019 08:19:47 -0000
On woensdag 8 mei 2019 22:55:47 CEST David Waite wrote: > > How would you tie a refresh token to a user session on the AS? This would > > depend on the user visiting the AS on a regular basis and using a logout > > button when done. Most people simply close their browser when they're > > done, > > leaving the session open. Also, when making a call to the token endpoint > > to > > refresh the access token, there is no way of knowing that this call is > > actually initiated by the user, because it's done on a back channel. > > Perhaps this can be solved with DPOP with a keypair per browser, but this > > would really complicate the whole solution. > > Yes, there are still no standard solutions for session keep-alive. There’s > also not AFAIK a clear solution by the browsers on how to do an implicit > logout on browser closed, now that browsers may persist sessions cookies. > > I did pitch something about session keep-alive two years ago around this as > part of DTVA (see > https://bitbucket.org/openid/connect/src/f76ffe99c47d4698bc2995c32dc7a402dd > 6e8c47/distributed-token-validity-api.txt > <https://bitbucket.org/openid/connect/src/f76ffe99c47d4698bc2995c32dc7a402d > d6e8c47/distributed-token-validity-api.txt> ), which unfortunately didn’t go > anyplace. For pure API apps participating in a session keep-alive system, a > separate “user activity present” API to periodically poke is probably the > best way to go. For managed devices running enterprise applications, you > can just have a screen lock rather than tracking session activity at all. This spec seems to make it possible to keep an active session. However, it is bound to OIDC, which will not work in our case. Many of the application we are IdP for use SAML. The spec relies on all parties communicating session activity. For now, OIDC session management seems to be the best way to go. > >> Given the choice between an 8 hour access token, or a 10 minute access > >> token and a refresh token that will expire at a maximum of 8 hours, the > >> second provides quite a few more options to be more secure. (eg. > >> checking backing user session and revocation, checking for updates to > >> client blacklist, the rotation of the access token, rotating refresh > >> tokens to prevent use by more than one client, expiring access on > >> inactivity based on lag in refreshing, and so on). > > > > I agree with you on this, but the spec currently states clearly that the > > AS > > should not issue refresh tokens to an SPA. Do you think this should be > > changed to something like: Authorization servers SHOULD NOT issue > > *offline* refresh tokens to browser-based applications. A refresh token > > should be tied to a user session on the AS. > > I would like this language changed as well. It is complex due to so little > existing token lifetime/policy guidance to reference. Previous > conversations went a bit circular IMHO because of a lack of ground rules. I can understand. This also highly depend on your use case. Something that might work for one application might be totally inappropriate for another. Best regards, Emond Papegaaij
- [OAUTH-WG] Recommendations for OAuth 2.0 with Bro… Emond Papegaaij
- Re: [OAUTH-WG] Recommendations for OAuth 2.0 with… David Waite
- Re: [OAUTH-WG] Recommendations for OAuth 2.0 with… Emond Papegaaij
- Re: [OAUTH-WG] Recommendations for OAuth 2.0 with… Thomas Broyer
- Re: [OAUTH-WG] Recommendations for OAuth 2.0 with… David Waite
- Re: [OAUTH-WG] Recommendations for OAuth 2.0 with… Emond Papegaaij