Re: [OAUTH-WG] Evaluation of Scope Management in Refresh Token Behavior
Kai Lehmann <kai.lehmann@1und1.de> Wed, 21 February 2024 09:32 UTC
Return-Path: <kai.lehmann@1und1.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D4ECC14F70F for <oauth@ietfa.amsl.com>; Wed, 21 Feb 2024 01:32:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=1und1.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d3NelHseKVHv for <oauth@ietfa.amsl.com>; Wed, 21 Feb 2024 01:32:39 -0800 (PST)
Received: from moint.1and1.com (moint.1and1.com [212.227.15.7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D31FC14F5E3 for <oauth@ietf.org>; Wed, 21 Feb 2024 01:32:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=1und1.de; s=corp1; h=MIME-Version:Message-ID:Date:Subject:CC:To:From:sender:reply-to; bh=l7N5Le4E01jfLNvITBwWhg6zMI7k5yKIl3gBly8/fas=; b=dbDhul8Yp2qJX+Yw8OOni7zSh qkYCK0zvb0MoIlGZ1g+m9Daey1qx5vaPQZYtbki/uAL6xEmDP6K6UUkhrlvQFOxB295zXH7NQvNsr 65WhXg4h1QeUEjuGGRqUENL7Ahi4YY9avPvWCEbTzFbRmg4X7AMFdAWEsZBajgRDY+UKkRFMaeaeI ni4+nm3hIGI9uU0wYejUX0iiExdAc9BhEmKjC7w76Q1KIthi6W2tAB7TeP51sH6f4RH5bIsLWzT81 Y1uzjhNUMrnhNWoVPP1Y42xhYF/w+T5pfroMt49QYKFBmzIP27CDUxDNDxevEL1BbBknyZenG+GCy BJDOyk7+w==;
Received: from [10.98.28.6] (helo=KAPPEX021.united.domain) by mrint.1and1.com with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <kai.lehmann@1und1.de>) id 1rcixw-0000mh-2d; Wed, 21 Feb 2024 10:32:36 +0100
From: Kai Lehmann <kai.lehmann@1und1.de>
To: Sachin Mamoru <sachinmamoru@gmail.com>, Neil Madden <neil.e.madden@gmail.com>, "wparad@rhosys.ch" <wparad@rhosys.ch>
CC: oauth <oauth@ietf.org>, "janak@wso2.com" <janak@wso2.com>, "thilinasenarath97@gmail.com" <thilinasenarath97@gmail.com>, "piraveena@wso2.com" <piraveena@wso2.com>
Thread-Topic: [OAUTH-WG] Evaluation of Scope Management in Refresh Token Behavior
Thread-Index: AQHaY8hLnJyB/1TWxUiQuBG5NDYzdrESurIAgABFKQCAAABLgIAAW3SAgAAxfoCAAARvgIAAz/mAgAAE8QCAACPLgA==
Date: Wed, 21 Feb 2024 09:32:35 +0000
Message-ID: <F1199734-9384-497B-99E6-E0F979428D63@1und1.de>
References: <CAD=XBCog_o8GzpDMTYKvvi=2mneM0nW0vfCc=FubtOFNF5WM=A@mail.gmail.com> <374ADB2C-2F74-4B95-8CDA-3266089CD00C@gmail.com> <CAD=XBCqs-Qf7P--KvqQcJq37Agh3gn-bfwfj7tZvwdngx+4k+A@mail.gmail.com> <13C59DD4-94E0-47AC-9A7E-D7B463BD1552@gmail.com> <CAD=XBCpgLZObed8Kj2ST6engpFR47psFrrbNKw5rwaN=_E25qA@mail.gmail.com> <CAD=XBCrkFr3L2AyXtKRPSAmHg9khQctENZ-2+oR1af7JBbcJ-g@mail.gmail.com>
In-Reply-To: <CAD=XBCrkFr3L2AyXtKRPSAmHg9khQctENZ-2+oR1af7JBbcJ-g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.82.24021813
x-originating-ip: [10.98.28.55]
Content-Type: multipart/alternative; boundary="_000_F11997349384497B99E6E0F979428D631und1de_"
MIME-Version: 1.0
X-Virus-Scanned: ClamAV@mvs-ha-bs
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4MVJaV2_34u9rn7t_o-xzAUfIl8>
Subject: Re: [OAUTH-WG] Evaluation of Scope Management in Refresh Token Behavior
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Feb 2024 09:32:44 -0000
Hi Sachin, you can find this information in section 6: https://www.rfc-editor.org/rfc/rfc6749#section-6 “If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request.” Best regards, Kai From: OAuth <oauth-bounces@ietf.org> on behalf of Sachin Mamoru <sachinmamoru@gmail.com> Date: Wednesday, 21. February 2024 at 09:26 To: Neil Madden <neil.e.madden@gmail.com>, "wparad@rhosys.ch" <wparad@rhosys.ch> Cc: oauth <oauth@ietf.org>, "janak@wso2.com" <janak@wso2.com>, "thilinasenarath97@gmail.com" <thilinasenarath97@gmail.com>, "piraveena@wso2.com" <piraveena@wso2.com> Subject: Re: [OAUTH-WG] Evaluation of Scope Management in Refresh Token Behavior Hi Warren and Neil, My basis for asking this is due to the following definition [1], Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner). Issuing a refresh token is optional at the discretion of the authorization server. If the authorization server issues a refresh token, it is included when issuing an access token (i.e., step (D) in Figure 1). [1] https://datatracker.ietf.org/doc/html/rfc6749#section-1.5 Thanks & Regards, Sachin On Wed, 21 Feb 2024 at 13:36, Sachin Mamoru <sachinmamoru@gmail.com<mailto:sachinmamoru@gmail.com>> wrote: Hi Warren and Neil, Thanks for the valuable input and sorry for mentioning other products, I just wanted to provide an example. So Warren according to you following is the behaviour that spec suggested. When we request an access token using 3 scopes (scope1, scope2, scope3). Then will receive a refresh token (refresh_token1) with the access token. After that will request another access token with refresh_token1 and provide the scope list as scope1 and scope2 (Narrow down scopes). Similarly, get another refresh token (refresh_token2) with the access token. Now if we request another access token with refresh_token2, we should be able to request scope3 also. That means the refresh token will not be narrowed down instead only the access token will get narrowed down. So Warren and Neil, if possible can you pinpoint to me the exact place in the spec where it does explicitly say that the refresh token should not be narrowed down based on the given scopes? Thanks & Regards, Sachin On Wed, 21 Feb 2024 at 01:12, Neil Madden <neil.e.madden@gmail.com<mailto:neil.e.madden@gmail.com>> wrote: It sounds like they are violating the spec then. On the other hand, the fact that the scope can be "increased back to the original scope" maybe suggests the effective scope of the refresh token is still the same? Either way, the spec is pretty clear, regardless of what some vendor does. -- Neil On 20 Feb 2024, at 19:26, Sachin Mamoru <sachinmamoru@gmail.com<mailto:sachinmamoru@gmail.com>> wrote: Hi Neil, Thanks for the clarification. But Curity has a different approach and they implemented it according to the concept of narrowing down the refresh token scopes. "The scope was originally read openid profile and after refresh the access was reduced to read profile (i.e., the access_token now only has read profile scope and any new tokens obtained using the refresh token daa38700-ba96-4ef1-8b30-5cb3527aae19 will have the same, reduced scope). Note that increasing the scope of access cannot be done in this way unless first reduced and increased back to the original scope." [1] https://curity.io/resources/learn/refresh-tokens/#changing-scope-of-access-token-on-refresh Thanks & Regards, Sachin On Tue, 20 Feb 2024 at 21:59, Neil Madden <neil.e.madden@gmail.com<mailto:neil.e.madden@gmail.com>> wrote: On 20 Feb 2024, at 11:02, Sachin Mamoru <sachinmamoru@gmail.com<mailto:sachinmamoru@gmail.com>> wrote: Hi Neil, Does that mean it should be identical to the narrowed scope request or the original request scope? It says it has to be identical to the scope of the existing refresh token in the request, not the scope specified in the request. So effectively you can never downscope a refresh token in this way. Whatever scope you specify, any RT returned must always retain the original scope. (There are other ways to downscope a RT, eg ForgeRock’s macaroons allow you to attenuate the scope if you wish). — Neil On Tue, 20 Feb 2024 at 16:31, Sachin Mamoru <sachinmamoru@gmail.com<mailto:sachinmamoru@gmail.com>> wrote: On Tue, 20 Feb 2024 at 12:23, Neil Madden <neil.e.madden@gmail.com<mailto:neil.e.madden@gmail.com>> wrote: On 20 Feb 2024, at 06:44, Sachin Mamoru <sachinmamoru@gmail.com<mailto:sachinmamoru@gmail.com>> wrote: Hi All, When we request an access token using 3 scopes (scope1, scope2, scope3). Then will receive a refresh token (refresh_token1) with the access token. After that will request another access token with refresh_token1 and provide the scope list as scope1 and scope2 (Narrow down scopes). Similarly, get another refresh token (refresh_token2) with the access token. Now if we request another access token with refresh_token2, we cannot request scope3, instead, we can either request both scope1 and scope2 or one of them. But in the specification, didn't able to find anything related to narrow-down scopes with refresh token. From Spec 1.5. Refresh Token - Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner). 6. Refreshing an Access Token The scope of the access request as described by Section 3.3. The requested scope MUST NOT include any scope not originally granted by the resource owner, and if omitted is treated as equal to the scope originally granted by the resource owner. https://datatracker.ietf.org/doc/html/rfc6749 IMO, from a security aspect, the current behaviour is much more secure because it is designed to maintain the principle of least privilege, where it updates the refresh token authorised scopes based on the requested ones. What should be the correct behaviour? narrow-down scope refresh token should also be able to request access token with original scope list? Also from section 6: If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request. — Neil -- [Image removed by sender.] Sachin Mamoru Software Engineer, WSO2 +94771292681<tel:+94771292681> | sachinmamoru.me <https://sachinmamoru.me/> sachinmamoru@gmail.com <mailto:sachinmamoru@gmail.com> [Image removed by sender.]<https://www.linkedin.com/in/sachin-mamoru/> [Image removed by sender.]<https://twitter.com/MamoruSachin> [Image removed by sender.] -- [Image removed by sender.] Sachin Mamoru Software Engineer, WSO2 +94771292681<tel:+94771292681> | sachinmamoru.me <https://sachinmamoru.me/> sachinmamoru@gmail.com <mailto:sachinmamoru@gmail.com> [Image removed by sender.]<https://www.linkedin.com/in/sachin-mamoru/> [Image removed by sender.]<https://twitter.com/MamoruSachin> [Image removed by sender.] -- [Image removed by sender.] Sachin Mamoru Software Engineer, WSO2 +94771292681<tel:+94771292681> | sachinmamoru.me <https://sachinmamoru.me/> sachinmamoru@gmail.com <mailto:sachinmamoru@gmail.com> [Image removed by sender.]<https://www.linkedin.com/in/sachin-mamoru/> [Image removed by sender.]<https://twitter.com/MamoruSachin> [Image removed by sender.] -- [Image removed by sender.] Sachin Mamoru Software Engineer, WSO2 +94771292681<tel:+94771292681> | sachinmamoru.me <https://sachinmamoru.me> sachinmamoru@gmail.com <mailto:sachinmamoru@gmail.com> [Image removed by sender.]<https://www.linkedin.com/in/sachin-mamoru/> [Image removed by sender.]<https://twitter.com/MamoruSachin> [Image removed by sender.] -- [Image removed by sender.] Sachin Mamoru Software Engineer, WSO2 +94771292681<tel:+94771292681> | sachinmamoru.me <https://sachinmamoru.me> sachinmamoru@gmail.com <mailto:sachinmamoru@gmail.com> [Image removed by sender.]<https://www.linkedin.com/in/sachin-mamoru/> [Image removed by sender.]<https://twitter.com/MamoruSachin> [Image removed by sender.]
- Re: [OAUTH-WG] Evaluation of Scope Management in … Neil Madden
- [OAUTH-WG] Evaluation of Scope Management in Refr… Sachin Mamoru
- Re: [OAUTH-WG] Evaluation of Scope Management in … Sachin Mamoru
- Re: [OAUTH-WG] Evaluation of Scope Management in … Sachin Mamoru
- Re: [OAUTH-WG] Evaluation of Scope Management in … Neil Madden
- Re: [OAUTH-WG] Evaluation of Scope Management in … Warren Parad
- Re: [OAUTH-WG] Evaluation of Scope Management in … Neil Madden
- Re: [OAUTH-WG] Evaluation of Scope Management in … Sachin Mamoru
- Re: [OAUTH-WG] Evaluation of Scope Management in … Sachin Mamoru
- Re: [OAUTH-WG] Evaluation of Scope Management in … Neil Madden
- Re: [OAUTH-WG] Evaluation of Scope Management in … Sachin Mamoru
- Re: [OAUTH-WG] Evaluation of Scope Management in … Neil Madden
- Re: [OAUTH-WG] Evaluation of Scope Management in … Sachin Mamoru
- Re: [OAUTH-WG] Evaluation of Scope Management in … Kai Lehmann
- Re: [OAUTH-WG] Evaluation of Scope Management in … Warren Parad
- Re: [OAUTH-WG] Evaluation of Scope Management in … Sachin Mamoru
- Re: [OAUTH-WG] Evaluation of Scope Management in … Judith Kahrer