Re: [OAUTH-WG] OAuth 2.0 for Browser-Based Apps - On the usefulness of refresh token rotation

Vittorio Bertocci <> Sat, 16 May 2020 19:16 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 04B743A0400 for <>; Sat, 16 May 2020 12:16:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.199
X-Spam-Status: No, score=-0.199 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NK5u1_41ukDG for <>; Sat, 16 May 2020 12:16:52 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::1029]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6C6303A03F7 for <>; Sat, 16 May 2020 12:16:52 -0700 (PDT)
Received: by with SMTP id k7so2549715pjs.5 for <>; Sat, 16 May 2020 12:16:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=from:to:cc:subject:thread-topic:thread-index:date:message-id :references:in-reply-to:accept-language:content-language :content-transfer-encoding:mime-version; bh=Dkhq7m1CYZlpoelqKYbFHpHlDT+kmS7gB8hTo/dhwZU=; b=CshTAOQfOx6SFr6GXt+tsFdxDDiJgnY5JJgJykf2WT0hHF2Ve9+HzRKhOhHC6midJ+ 9VoyYQmsRFj0kYS3A/4El28OIE4w2TsLqPlj3uJEBcE7dlVJbQdr0nSfO7h6MEZvmXO+ 4C6HIbqurjkDYg27ig9eWYG0WJl1VrBhRyW5WeoaD5GqM/Jr5UimBH5rGWWzuHwFHxvk E5ZlMVK6Rj4uKk36TWSmalxCe9qDAK2EFG4yucM+lvICN07qDgJji7LpG3SC6qxXY4Yn nc3pqTqknGhOFJVGaOagBYQZM3zjMYtf12xpkQCCVRpswZxBC6Hzv/ZwxA3iV9X0g3qQ EntA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:to:cc:subject:thread-topic:thread-index :date:message-id:references:in-reply-to:accept-language :content-language:content-transfer-encoding:mime-version; bh=Dkhq7m1CYZlpoelqKYbFHpHlDT+kmS7gB8hTo/dhwZU=; b=nHYn5uSoXPMXeilfTiAYlhKiiIZORpN01UeNrAMFkmAQX+BgvYRbUKztTX411pb9k4 9SEtXtvjz1MzwOAcznNzkRz7/Nb2UAZeNSWtlPAClkO5JQK8FkCtnmuA9+31n0E/uS38 VZe/3MK/1e32velv1+V1S56hBMomADpJbIv5oKeEx9hCiZExrIM0G58C7XPtX60l/RCr 1ke8duYq1Jh23zrX0zLiTdUkxgG4lJOKTT5tHp0UWJ2gOie6BXkUWjUt+aqV1Loqx8Qn U7V0mmVnS+sb1/sr7vt+/QWUfs1Suy2Nr6YjEj6SOAEGJTAA8eiEHwPgsUP9qyqo8CZO RJWg==
X-Gm-Message-State: AOAM533pqYYkp4cki3jdc6kBOI+GbBOq/HU2HchSD1Qk/TQjUWB1EEX0 RO4I+PLD5nbPEP+2pzC+ww+N/WgKJcU=
X-Google-Smtp-Source: ABdhPJwF7jjSjmeGLIezHN955ZiN2/ODKu1U2GiVfWvmPJkKMGzaysqfDxAUa7JpyjO1ng0dGKCzYA==
X-Received: by 2002:a17:90a:248c:: with SMTP id i12mr6993896pje.213.1589656611402; Sat, 16 May 2020 12:16:51 -0700 (PDT)
Received: from ([2603:1036:120:1d::5]) by with ESMTPSA id d20sm4473015pgl.72.2020. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 16 May 2020 12:16:50 -0700 (PDT)
From: Vittorio Bertocci <>
To: Torsten Lodderstedt <>, Philippe De Ryck <>
CC: oauth <>
Thread-Topic: [OAUTH-WG] OAuth 2.0 for Browser-Based Apps - On the usefulness of refresh token rotation
Thread-Index: ATNCNDQyTv4ZmcxvTFygbG77L6x+sEZDMzQ3w6DrFa4=
X-MS-Exchange-MessageSentRepresentingType: 1
Date: Sat, 16 May 2020 19:16:48 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-RecordReviewCfmType: 0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [OAUTH-WG] OAuth 2.0 for Browser-Based Apps - On the usefulness of refresh token rotation
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 16 May 2020 19:16:54 -0000

> logout at the authorization server

One important detail here is that if the refresh token has been obtained by including the scope "offline_access", then its lifetime should not be tied to the lifetime of the session (see, hence revoking it on logout would be violating the contract thru which it has been obtained. Think classic scheduled tweets scenarios, a web app tweeting on my behalf at a given time should retain the ability to get tokens for calling the twitter API regardless of whether I am signed in the web app at the moment of the call.
For many platforms, requesting"'offline_access" is the only way of obtaining a refresh token- hence this point is important as it has wide impact in popular platforms.
That's also why there was a proposal to introduce an "online_access" scope to make this difference explicit, but I haven't followed that effort in a while.

On 5/16/20, 10:50, "OAuth on behalf of Torsten Lodderstedt" < on behalf of> wrote:

    Hi Philippe, 
    > On 16. May 2020, at 17:08, Philippe De Ryck <> wrote:
    > Hi all,
    > I am working on formulating developer guidelines on using Refresh Token Rotation (RTR), as required by "OAuth 2.0 for Browser-Based Apps". 
    > The protection offered by RTR kicks in the moment a refresh token is used twice, so the assumption is that the attacker has the ability to steal tokens from the client. In general, this means the attacker has malicious code running in the application (e.g., XSS, remote JS inclusion, ...). 
    > Within these constraints, I can think of a couple of malicious payloads that sidestep the protection offered by RTR:
    > 1. Stealing access tokens in an online XSS attack
    > 2. Stealing refresh tokens, but waiting to use the latest until the original client is no longer active
    > 3. Running a silent authentication flow in an iframe to obtain a new and unrelated AT and RT, and use that until it expires
    > Scenario 1 is straightforward in most applications, but the attack requires the vulnerable application to remain online. Scenario 2 might be difficult if the RT is kept out of reach from the main application (e.g. in a worker thread). Scenario 3 is most dangerous, but also a bit tricky to implement as the payload needs to make sure the application's code does not interfere (however, the browser's Same-Origin Policy will not intervene). The specifics depend on the concrete implementation, but all three attacks are technically feasible.
    > With these attacks in mind, it seems that the use of the Authorization Code flow with RTR does not really add much improvement for security, if other best practices are followed (e.g., using HTTPS). RTR does a lot for usability and handling third-party cookie blocking scenarios though.
    I also see this as the main advantage of RTs.
    I think scenario 3 can be made more difficult for the attacker by requiring user interaction. That’s ok since the normal case would be to refresh via RT and not via authorization flow, so the legit app shouldn’t be affected. 
    > In this context, my advice to developers is to avoid handling tokens in the browser in security-sensitive scenarios. A Backend-for-frontend pattern gives a server-side component control over tokens, along with the ability to implement additional security measures.
    I full agree with those advice. Handling security sensitive aspects of the app out of reach of the user (which might be an attacker) is a good idea. On the functional side, this also gives the app access to authentication and sender constrained access tokens via mTLS.
    > Additionally, is there any official recommendation to link the validity of a refresh token to the lifetime of the user's session with the Authorization Server? Having that property gives RTR similar security properties as the silent renew scenario. 
    Section 4.12.2. of the Security BCP recommends refresh token revocation in case of logout. 
    best regards,
    > Any feedback on this train of thought is more than welcome.
    > Philippe
    > _______________________________________________
    > OAuth mailing list
    OAuth mailing list