Re: [OAUTH-WG] PKCE and refresh tokens

Ron Alleva <ronallevatech@gmail.com> Fri, 28 February 2020 16:08 UTC

From: Ron Alleva <ronallevatech@gmail.com>
In-Reply-To: <CANhzChNLXZBr-HaUX_jZG_kk=5gM6j79gQ0YYmy=HJ=6YFtwzw@mail.gmail.com>
References: <CANhzChNLXZBr-HaUX_jZG_kk=5gM6j79gQ0YYmy=HJ=6YFtwzw@mail.gmail.com>
Date: Fri, 28 Feb 2020 08:08:21 -0800
Message-ID: <CAEwFaX+6t0Qe1nT2UR1YJ6oxB4FoSFSs+sE3mrOX6HV-ksG1ew@mail.gmail.com>
To: Albin Nilsson <albin@bergson.nu>, oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4xYE6hy_teyaorQ7Oovc7TOtskI>
Subject: Re: [OAUTH-WG] PKCE and refresh tokens

Hi Albin,

It’s important to note that PKCE does explicitly prohibit
client_secret; it just offers a secure way of obtaining an access token
when it’s impossible for a client_secret to be kept secret, as would
be the case with a mobile application. The type of attack it protects
against occurs during the authorization_code flow, where a malicious app
on the device could intercept the browser redirect and obtain
the authorization_code.

Since using a refresh token to get a new access token does not use the
browser redirect flow, it’s not subject to that type of attack, so
PKCE is not necessary.

I’d imagine whichever Authorization Server you are using would allow
you to get refresh tokens and use them with or without client
authentication (see section 2.3 of the OAuth spec). It may or may not
require a client secret (even though said client secret is not
guaranteed to be secret).

Hope this helps (and I didn’t mess up any details :D),

Ron


On February 28, 2020 at 10:48:53 AM, Albin Nilsson (albin@bergson.nu) wrote:
> Hello,
>
> I'm having some trouble with oauth and the Authorization Code flow and
> PKCE. How can I get a refresh token? The refresh token flow requires a
> client_secret, but PKCE prohibits client_secret. Is refresh token a no go?
>
> Kind regards,
> Albin
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
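As an added illustration (not part of Ron's or Albin's mail), here is a toy authorization server showing exactly where the PKCE check applies: the code_verifier is checked only on the authorization_code grant, while the refresh_token grant involves no browser redirect and is accepted from a public client with just its client_id. The `ToyAuthServer` class, its method names and the client_id value are constructed for this example.

```python
import base64
import hashlib
import secrets

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_pkce_pair():
    """Client side: fresh code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class ToyAuthServer:
    """Hypothetical AS, constructed for this example (not a real product)."""
    def __init__(self):
        self.codes = {}    # authorization_code -> (client_id, code_challenge)
        self.refresh = {}  # refresh_token -> client_id

    def authorize(self, client_id, code_challenge):
        # The code returns through the browser redirect, the step a malicious
        # app on the device could observe; the challenge is stored with it.
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, code_challenge)
        return code

    def token(self, grant_type, client_id, **p):
        # Public client: client_id only, no client_secret (RFC 6749 section 2.3).
        if grant_type == "authorization_code":
            entry = self.codes.pop(p.get("code"), None)  # single use, consumed on any attempt
            if entry is None or entry[0] != client_id:
                return {"error": "invalid_grant"}
            expected = b64url(hashlib.sha256(p.get("code_verifier", "").encode("ascii")).digest())
            if not secrets.compare_digest(expected, entry[1]):
                return {"error": "invalid_grant"}  # holder of the code alone cannot redeem it
        elif grant_type == "refresh_token":
            # No redirect here, so no PKCE check; the refresh token is the credential (rotated).
            if self.refresh.pop(p.get("refresh_token"), None) != client_id:
                return {"error": "invalid_grant"}
        else:
            return {"error": "unsupported_grant_type"}
        rt = secrets.token_urlsafe(16)
        self.refresh[rt] = client_id
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": rt}

def demo():
    """Returns (legit_ok, code_only_ok, refresh_ok) for the three scenarios."""
    srv = ToyAuthServer()
    verifier, challenge = make_pkce_pair()
    observed = srv.authorize("mobile-app", challenge)  # code seen on the redirect, verifier not
    code_only = srv.token("authorization_code", "mobile-app", code=observed, code_verifier="guess")
    verifier, challenge = make_pkce_pair()             # legitimate app runs a fresh flow
    legit = srv.token("authorization_code", "mobile-app", code=srv.authorize("mobile-app", challenge), code_verifier=verifier)
    refreshed = srv.token("refresh_token", "mobile-app", refresh_token=legit["refresh_token"])
    return "access_token" in legit, "access_token" in code_only, "access_token" in refreshed
```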