[OAUTH-WG] Re: Refresh Token Rotation
Indeewari Wijesiri <indeewarii@gmail.com> Fri, 02 August 2024 11:37 UTC
Return-Path: <indeewarii@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4756BC14F6FD for <oauth@ietfa.amsl.com>; Fri, 2 Aug 2024 04:37:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xhDgUwPRjlEI for <oauth@ietfa.amsl.com>; Fri, 2 Aug 2024 04:37:04 -0700 (PDT)
Received: from mail-lj1-x22d.google.com (mail-lj1-x22d.google.com [IPv6:2a00:1450:4864:20::22d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE5B7C14F6EC for <oauth@ietf.org>; Fri, 2 Aug 2024 04:37:04 -0700 (PDT)
Received: by mail-lj1-x22d.google.com with SMTP id 38308e7fff4ca-2f15dd0b489so9695321fa.3 for <oauth@ietf.org>; Fri, 02 Aug 2024 04:37:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1722598623; x=1723203423; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=jIMi1zCnoug7irt24b+/5MQLpq+Vr1fOsQj4MOzVvVQ=; b=HHl4HllMoyXoK39IdQs4ynDrOsis+T0IScqFQTDN3Yenc9DC501AIAHzBdR4v14Pk/ zm7258t8aD9GGIzxzmgWlLVmPAvW+Mtf56p0InGnmETwbetPNa2zzbI8OHs27z5i82uX KED42T9+ICi4t/1TSJsu9ij6sR2TiATdeVl9JzHYML756R0ru5mEfBYH8/TW2YwxZ7iK vcsb0mtfHL5iU6jhaUUCnhPCurlrXpO/ut2fU4rR9hBFDY5cojMvMdXJr7dgo1aEA10R yVLvQ2TT7igjolaaQV8E3KT8e/UVMS8/jLR9Ban0lyKrPM5zsfzgHXXOdfTCUinGE4fz KfZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722598623; x=1723203423; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=jIMi1zCnoug7irt24b+/5MQLpq+Vr1fOsQj4MOzVvVQ=; b=RJbtvJvWI/C7GdYnKkqFzTzyMR4/7tLMJj7Jl7hBGd3Lxp8EKnr6GkiEqbnjlLbfBI GrIe+pjKORrZlt66z6f+FM7DJY8Q61UZCy9AQbFgKPklbhrIqIj9ozRQGIAYaBtxpjtH sdYhwFAvjcCtgKymmivefza7hKaEsXoY5AVMf9In4hLYmx9ffAl4RDrO2UOh74kUVWUz bqgAjZG713XmVmFisDmM8INwYQ91G/um7+MKp1mUru971VDfuMZycFSFvvg0358fEu7f OS5tuAFviPpaFFGsDqNuoDr0WR1FtiyOXxQR4sJwA517b4Sc7kj6SYgusS9SQ5FOo6Xn 4N9Q==
X-Gm-Message-State: AOJu0YyofC2AwrAQKaeo/kFEQQDRHFvlB2qcrHwgP2CG+xgxNhXGVxoN J5DDMMSaCkgZDMaQxna4W4Ic4ZA53skXUnbzODneHQ8Pn0D+Nw9nbsyk5/EtpanOgBzAVvr7Ii4 NvnSq9EUKqP073pTMfdeELia0ZZjTUCeFhbY=
X-Google-Smtp-Source: AGHT+IETYKvGDB7Ozdbu5hkoDzRiiqWpnn/NT6oPMXkVK4iotigHfvI7k6Zy8+719w59WhLq3Wi6+at+pgxbUov2dQs=
X-Received: by 2002:a2e:320c:0:b0:2ee:d5c3:388b with SMTP id 38308e7fff4ca-2f15ab06368mr21853101fa.39.1722598622555; Fri, 02 Aug 2024 04:37:02 -0700 (PDT)
MIME-Version: 1.0
References: <CADU05gP9Zn_18bsmmiUgLNVsDGN9HEurJvF30jCbT5-nx4ycMg@mail.gmail.com> <CAJot-L2qJBRfgc2CpnokjP2Dk8iwJ9L7UDBuj+j6a+D6JG99oQ@mail.gmail.com>
In-Reply-To: <CAJot-L2qJBRfgc2CpnokjP2Dk8iwJ9L7UDBuj+j6a+D6JG99oQ@mail.gmail.com>
From: Indeewari Wijesiri <indeewarii@gmail.com>
Date: Fri, 02 Aug 2024 17:06:50 +0530
Message-ID: <CADU05gMuKgptBKVqQQoJY-HiYizbCAdy+eV3eYo8QAUmtzn7Mg@mail.gmail.com>
To: Warren Parad <wparad@rhosys.ch>
Content-Type: multipart/alternative; boundary="000000000000fcf693061eb1be58"
Message-ID-Hash: KALQGFKSPJF33YAMNAIQBPZUCTFMI3R2
X-Message-ID-Hash: KALQGFKSPJF33YAMNAIQBPZUCTFMI3R2
X-MailFrom: indeewarii@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Refresh Token Rotation
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5mo7lDhCvRgANEkZZTY-uwNaOiA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
Hi Warren, Thank you for your attention. When public web clients use the authorization code grant for authentication, a successful response includes an access token and, optionally, a refresh token. If the access token is a JWT rather than an opaque token, the identity server will issue a new JWT access token for each authentication request with the same client_id and scope, based on the "issued at" (iat) claim. This means each authentication attempt generates a new JWT access token. In this context, how should the refresh token behave? Is it advisable to use a long-lived refresh token in conjunction with the JWT access token, or should the refresh token be rotated each time a new JWT access token is issued? For opaque access tokens, since they are not renewed with each request, a long-lived refresh token can be used. Thanks and regards On Fri, Aug 2, 2024 at 4:38 PM Warren Parad <wparad@rhosys.ch> wrote: > Indeewari, > > I'm confused regarding what you are describing. Would you be able to give > additional context? > > - Warren > > On Fri, Aug 2, 2024 at 11:25 AM Indeewari Wijesiri <indeewarii@gmail.com> > wrote: > >> Hi all, >> >> Refresh token rotation, which involves issuing a new refresh token each >> time an access token is renewed, is the default for the refresh grant. Do >> we follow the same practice for the authorization code grant and password >> grant as well? What is the recommended practice between long-lived refresh >> tokens and refresh token rotation for these grants? >> >> Additionally, is there a specific requirement for refresh token rotation >> with JWT access tokens in the authorization code grant and password grant, >> given that JWT access tokens are renewed per request? >> >> Thanks and Regards >> -- >> >> Indeewari Wijesiri >> _______________________________________________ >> OAuth mailing list -- oauth@ietf.org >> To unsubscribe send an email to oauth-leave@ietf.org >> > -- Indeewari Wijesiri Associate Technical Lead, WSO2 Inc
- [OAUTH-WG] Refresh Token Rotation Indeewari Wijesiri
- [OAUTH-WG] Re: Refresh Token Rotation Aaron Parecki
- [OAUTH-WG] Re: Refresh Token Rotation Warren Parad
- [OAUTH-WG] Re: Refresh Token Rotation Indeewari Wijesiri
- [OAUTH-WG] Re: Refresh Token Rotation Justin Richer
- [OAUTH-WG] Re: Refresh Token Rotation David Waite