Re: [OAUTH-WG] Lifetime of refresh token

Justin Richer <jricher@mit.edu> Mon, 24 August 2015 14:45 UTC

From: Justin Richer <jricher@mit.edu>
In-Reply-To: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com>
Date: Mon, 24 Aug 2015 10:45:51 -0400
Message-Id: <DB44F4C2-3AC4-4622-9B1A-28631B71F5CE@mit.edu>
References: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com>
To: Donghwan Kim <flowersinthesand@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/7bRnkLixqaTl_kqNQ3imwZEELgk>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>

The lifetime of a refresh token is up to the AS — they can expire, be revoked, etc. The difference between a refresh token and an access token is the audience: the refresh token only goes back to the AS, the access token goes to the RS. 

Also, just getting an access token doesn’t mean the user’s logged in. In fact, the user might not even be there anymore, which is actually the intended use case of the refresh token. Refreshing the access token will give you access to an API on the user’s behalf, it will not tell you if the user’s there.

OpenID Connect doesn’t just give you user information from an access token, it also gives you an ID token. This is a separate piece of data that’s directed at the client itself, not the AS or the RS. In OIDC, you should only consider someone actually “logged in” by the protocol if you can get a fresh ID token. Refreshing it is not likely to be enough.

 — Justin

> On Aug 24, 2015, at 1:41 AM, Donghwan Kim <flowersinthesand@gmail.com> wrote:
> 
> Hi,
> 
> According to Figure 2 from http://tools.ietf.org/html/rfc6749#section-1.5, a refresh token can be used to refresh an expired access token without requesting the resource owner to sign in again (an uncomfortable experience). However, if that's true, isn't it the case that a refresh token might be used to request a new access token even years later? And then isn't a refresh token the same as an access token which never expires?
> 
> I intended to use a refresh token to implement persistent login by sending a refresh request before the issued access token expires (expires_in runs out). But if a refresh token works even if the access token has already expired, sending a refresh request on application start-up would be enough.
> 
> So I'm not sure what I'm missing about refresh tokens, as well as how to implement persistent login using them (you can regard authentication here as the pseudo-authentication illustrated in https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg). What is the lifetime of a refresh token?
> 
> Thanks,
> 
> -- Donghwan
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
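The distinction Justin draws above, as an added illustration that is not part of the mailing-list thread: a small client-side session model in which "can call the API" (a valid access token, obtainable via the refresh token without the user present) is kept separate from "is logged in" (a fresh ID token whose audience is the client). The issuer, client id, HMAC key, refresh token value and timestamps are all constructed for the demo; a real OIDC client would verify RS256/ES256 signatures against the AS's published JWKS rather than a shared secret, and `fake_as_refresh` merely simulates the AS's token endpoint for `grant_type=refresh_token`.

```python
from typing import Optional
import base64
import hashlib
import hmac
import json

# Constructed names and key for the demo; a real OIDC client would use the
# AS's published JWKS (RS256/ES256), not a shared HMAC secret.
ISSUER = "https://as.example"
CLIENT_ID = "demo-client"
KEY = b"demo-hs256-shared-secret"
VALID_REFRESH = "rt-constructed-opaque-value"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict) -> str:
    """Minimal HS256 JWT signer standing in for the AS's signing key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_id_token(token: str, now: float, max_age: int) -> Optional[dict]:
    """Return the claims if the ID token is addressed to this client, unexpired
    and fresh enough to count as a login; otherwise None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        return None
    aud = claims.get("aud")  # the ID token's audience is the client, not the RS
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        return None
    if now >= claims.get("exp", 0):
        return None
    # Freshness: the user must have authenticated within max_age seconds.
    if now - claims.get("auth_time", claims.get("iat", 0)) > max_age:
        return None
    return claims


def fake_as_refresh(refresh_token: str, now: float) -> dict:
    """Simulated AS token endpoint for grant_type=refresh_token: checks the
    refresh token (whose audience is the AS itself) and mints a new access
    token for the RS. Nobody re-authenticated, so no ID token is returned."""
    if refresh_token != VALID_REFRESH:
        raise PermissionError("invalid_grant")
    return {"access_token": f"at-{int(now)}", "token_type": "Bearer", "expires_in": 600}


class ClientSession:
    """Client state that keeps 'can call the API' separate from 'is logged in'."""

    def __init__(self, max_age: int = 3600):
        self.access_token = None
        self.access_expires = 0.0
        self.refresh_token = None
        self.id_token = None
        self.max_age = max_age

    def on_token_response(self, resp: dict, now: float) -> None:
        self.access_token = resp["access_token"]
        self.access_expires = now + resp.get("expires_in", 0)
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        if "id_token" in resp:  # only present when the user actually authenticated
            self.id_token = resp["id_token"]

    def has_api_access(self, now: float) -> bool:
        return self.access_token is not None and now < self.access_expires

    def is_logged_in(self, now: float) -> bool:
        return self.id_token is not None and verify_id_token(self.id_token, now, self.max_age) is not None


def demo() -> dict:
    """Timeline: login, then a refresh two days later while the user is away."""
    t0 = 1_700_000_000.0  # constructed epoch timestamp
    s = ClientSession(max_age=3600)
    login = {"access_token": "at-0", "token_type": "Bearer", "expires_in": 600,
             "refresh_token": VALID_REFRESH,
             "id_token": sign_jwt({"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice",
                                   "iat": t0, "auth_time": t0, "exp": t0 + 3600})}
    s.on_token_response(login, t0)
    out = {"fresh_login": s.has_api_access(t0 + 60) and s.is_logged_in(t0 + 60)}
    later = t0 + 2 * 24 * 3600
    out["access_expired"] = not s.has_api_access(later)
    s.on_token_response(fake_as_refresh(s.refresh_token, later), later)
    out["api_access_after_refresh"] = s.has_api_access(later)  # refresh token still works
    out["logged_in_after_refresh"] = s.is_logged_in(later)     # no fresh ID token
    return out
```

Running `demo()` yields `fresh_login` and `api_access_after_refresh` true but `logged_in_after_refresh` false: the refresh call restored API access on the user's behalf without saying anything about the user's presence. Even where an AS chooses to return a new ID token on refresh, OpenID Connect requires its `auth_time` to reflect the original authentication, so the freshness check in `verify_id_token` still fails and a re-authentication (for example with `prompt=login` or `max_age`) is what establishes "logged in" again.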