Re: [OAUTH-WG] OAuth 2.0 Token Introspection in RFC7662 : Refresh token?

Torsten Lodderstedt <torsten@lodderstedt.net> Wed, 11 March 2020 09:20 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C6F23A158A for <oauth@ietfa.amsl.com>; Wed, 11 Mar 2020 02:20:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ls9tvZkllmQ6 for <oauth@ietfa.amsl.com>; Wed, 11 Mar 2020 02:20:29 -0700 (PDT)
Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com [IPv6:2a00:1450:4864:20::434]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02A293A1588 for <oauth@ietf.org>; Wed, 11 Mar 2020 02:20:28 -0700 (PDT)
Received: by mail-wr1-x434.google.com with SMTP id s14so1567282wrt.8 for <oauth@ietf.org>; Wed, 11 Mar 2020 02:20:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=BKIMb+arMr0TTemRg/cog8HRvoysLkjD8Zp9Qol/5wY=; b=sFjV/xXmgzW/YT8aH+sdz9FtuthF7Cc1P69JdR3R3LepEA8lqx7OvJwzjABYArQWRy gws8iaY9HDihWKNkBAFC2FTwiKGaSajO9q2gPFubVf9tGld9no1Ng43WQd6iZL2XtGMo z+E7ngARBX9EcD47QfDTobWn+9r/7M0gFILG4lTmtSDtQGO1y9TrfYJbQgdvVceebetk Fm1iHGYPCvMerNOBTIuBKLrESHK9rT5iTpRVqowh0y6vFet3uJwu3UtuiF0WrtXnduS2 vCwDxBm5vHnlA7m6XNgR649Zjiv2Ai5vNkYsD7J8q9VLa8SYtUeaxaAs7Y4R+pprZPIp +FuQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=BKIMb+arMr0TTemRg/cog8HRvoysLkjD8Zp9Qol/5wY=; b=ZthQ9gbhshjNZjpwE3Ve7+SXM0IKzQkiSU/dv8D8EVns3UkX4IETJx/d306DgbEb1J tNcilT3MUB8pKae6QLjZSCOjGNwDRollwCcrLosF/gVRQArGJZC+izUueLdFubrhw+Pg 3h+i6aFDpJdImNdHHNlkijq+XgKC/Fj0EICjrzxeAgZXNnMEQjTD3+FafOIyTUjmCzk1 MrGq/FGKI78CQ35W5b1jjNTd7uJ/x3VLrh69i5PIzRZbbIgvYXkie5rrd8ysic98dWfq /qffy0TnVn8KTg1lM8/8uXVr6o44QdOZoaOWbAHJsQXI60nULHVEX5c8H++kWnDOLzUz Mp5A==
X-Gm-Message-State: ANhLgQ23qFGeh0Wi/GBaPXYrLUgcR009T29FejNZWdi7WHE1tq5uRjDw OKNfW8nV1tSWGsVn/W1DRIVzfg==
X-Google-Smtp-Source: ADFU+vuHbdcbbQZARnEDF/ADhJwcR35SGADbr3YrIak7OXvtHa4Qm/8e4UgyRGBEhmxUGnVqst/8cw==
X-Received: by 2002:a5d:420c:: with SMTP id n12mr3393301wrq.173.1583918426952; Wed, 11 Mar 2020 02:20:26 -0700 (PDT)
Received: from p200300eb8f11fde3a134ebf7eee72cf8.dip0.t-ipconnect.de (p200300EB8F11FDE3A134EBF7EEE72CF8.dip0.t-ipconnect.de. [2003:eb:8f11:fde3:a134:ebf7:eee7:2cf8]) by smtp.gmail.com with ESMTPSA id l17sm8597331wmg.23.2020.03.11.02.20.25 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 11 Mar 2020 02:20:26 -0700 (PDT)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <C590F29A-3B23-4202-937D-14566C116BFF@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_16A752A0-D990-41C1-9979-AC1C58D53CFC"; protocol="application/pkcs7-signature"; micalg="sha-256"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
Date: Wed, 11 Mar 2020 10:20:25 +0100
In-Reply-To: <CALkShctZhK-UT9r187uvjxX47-24gnqTbWevwswsNWyL-=3cxw@mail.gmail.com>
Cc: Justin Richer <jricher@mit.edu>, Bill Jung <bjung=40pingidentity.com@dmarc.ietf.org>, oauth@ietf.org
To: Andrii Deinega <andrii.deinega@gmail.com>
References: <CAErhd0OLTMKxXnT-_X6DyWYUxe==gTXdcHKLjOEDTmXCUZNxrg@mail.gmail.com> <CALkShcuLTd02iu309dCZ8PtnzbKd5b9PsVS_DWUMGWXgFovwMg@mail.gmail.com> <C0C40A3E-2455-4C86-B504-AB18F31975D9@alkaline-solutions.com> <CALkShct=sYSq-HoG=yMiV2BqT8+F=gnej+p2GgFD87FV1OQu3w@mail.gmail.com> <D3D1BFB8-CE54-4E48-A8B9-45E01ED2B637@alkaline-solutions.com> <CAErhd0PkNzFTVgjSS24RzjKZ+sq2Hubhr3j_hmnbtgLuQgOGhQ@mail.gmail.com> <7C1D0E68-5D7B-4C0A-AE13-D513AB8723DE@mit.edu> <CAErhd0Ov7v8TMnmwpOaqnrS-FXKZP2fa_FZ37XQ5SPOWzbH3Mg@mail.gmail.com> <CALkShctZhK-UT9r187uvjxX47-24gnqTbWevwswsNWyL-=3cxw@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7sijYxKy_3R_fiRUSlSJewWvdnA>
Subject: Re: [OAUTH-WG] OAuth 2.0 Token Introspection in RFC7662 : Refresh token?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Mar 2020 09:20:33 -0000

Hi Andrii,

> On 10. Mar 2020, at 22:11, Andrii Deinega <andrii.deinega@gmail.com> wrote:
> 
> Justin,
> 
> Aren’t these things considered as valid concerns?
> 
> The introspection endpoint allows to introspect a refresh token for
> its consumers whether they are clients or RSs assuming they were
> successfully authenticated using one or another way.
> 
> There are lots of projects which act like OAuth & OIDC proxies (or
> just as HTTP request filters) for RSs and what they basically do is
> check whether an access token is valid. The problem here, as I
> described before, that an attacker or even a misbehaving client may
> start to use a refresh instead of an access token which in the worst
> case allows to have access to RSs for a lifetime of the refresh token.
> 
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-introspection-response-08
> doesn't shed light on this thing too, at least for me, and even states
> that "OAuth 2.0 Token Introspection [RFC7662] specifies a method for a
> protected resource to query an OAuth 2.0 authorization server to
> determine the state of an access token and obtain data associated with
> the access token." in the introduction section. Although, RFC7662
> allows us to introspect two types of tokens with no issues.

As editor of this draft, I take the liberty to jump in here. 

draft-ietf-oauth-jwt-introspection-response-08 is not intended to be used in conjunction with refresh tokens, simply because there is no use case for refresh tokens. The objective is to provide RSs access token data with additional security properties by signing and encrypting it. This is typically required if the RS needs to proof that the AS provided this data to the RS. 

> 
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14 as
> well as other documents I saw (for example "An Extensive Formal
> Security Analysis of the OpenID Financial-grade API" at
> https://arxiv.org/abs/1901.11520) neither cover this thing.

I assume because no-one could image RSs accepting refresh tokens. I also don’t see a use case for it and would strongly advise against it because it violates the security assumptions around refresh tokens. 

A client could theorectially use the token introspection endpoint and introspect a refresh token, but AS cannot do more than either not supporting refresh token introspection at all or provide a very small set of data for refresh tokens, basically active and scope. 

I don’t see how an attacker could utilize this to gain access to RSs but I agree this assumptions/advise needs to be clearly stated. 

best regards,
Torsten. 

> 
> Could you please, clarify these things?
> 
> Regards,
> Andrii
> 
> 
> On Wed, Mar 4, 2020 at 2:06 PM Bill Jung
> <bjung=40pingidentity.com@dmarc.ietf.org> wrote:
>> 
>> Yep, I agree. But that's just me agreeing with it. Unless the spec clearly says it everybody will throw different ideas and use cases. That's why I want the spec to clarify this.
>> 
>> On Wed, Mar 4, 2020, 1:42 PM Justin Richer, <jricher@mit.edu> wrote:
>>> 
>>> Why would the client need to know the refresh token’s expiry? Can’t they just use the refresh token and see? Either way it’s a single round trip to the AS and the client gets the same answer with the same recovery code path.
>>> 
>>> — Justin
>>> 
>>> On Mar 4, 2020, at 2:01 PM, Bill Jung <bjung=40pingidentity.com@dmarc.ietf.org> wrote:
>>> 
>>> The question started when some RPs (client apps) asked that AS allow introspection endpoint to RPs so that RPs can check their refresh token's expiry. If AS allows this, which the spec is not clear about, then AS needs to know if the request is coming from RP or RS so that AS can allow the Access Token introspection to RS only. But then is that the right thing to do even?
>>> 
>>> Surely some clarification will eliminate the time spent on unnecessary discussion among developers.
>>> 
>>> Bill Jung
>>> Manager, Response Engineering
>>> bjung@pingidentity.com
>>> w: +1 604.697.7037
>>> Connect with us:
>>> 
>>> 
>>> On Sun, Mar 1, 2020 at 9:33 PM David Waite <david=40alkaline-solutions.com@dmarc.ietf.org> wrote:
>>>> 
>>>> On Mar 1, 2020, at 10:11 PM, Andrii Deinega <andrii.deinega@gmail.com> wrote:
>>>>> 
>>>>> How would the authorization server know who actually uses the
>>>>> introspection endpoint assuming that a protected resource and a client
>>>>> application use the same credentials (client_id and client_secret)?
>>>> 
>>>> In the external context, you have a client accessing a protected resource with an access token. The client should treat the token as opaque, and RFC7662 makes no allowances for that client to introspect its tokens.
>>>> 
>>>> If you control both the client and protected resource, you may decide to short-cut and have them share credentials. However, the client logic still should never be introspecting the tokens.
>>>> 
>>>> The security considerations also say that you must prove the authentication of the protected resource, which I have interpreted to mean that access tokens used to authorize the call to the introspection endpoint must be issued to a confidential client - public clients cannot protect credentials to perform an authentication. You want to limit introspection to prevent denial of service and probing attacks, and to limit the amount of information on viable attacks conveyed if someone steals a token.
>>>> 
>>>> -DW
>>>> 
>>>>> 
>>>>> Regards,
>>>>> Andrii
>>>>> 
>>>>> On Sun, Mar 1, 2020 at 7:38 PM David Waite <david@alkaline-solutions.com> wrote:
>>>>>> 
>>>>>> I would expect the AS to invalidate the refresh token in this case, which would not require a refresh token mode nor necessarily any signaling back to the resource.
>>>>>> 
>>>>>> -DW
>>>>>> 
>>>>>>> On Mar 1, 2020, at 12:12 AM, Andrii Deinega <andrii.deinega@gmail.com> wrote:
>>>>>>> 
>>>>>>> Hello Bill,
>>>>>>> 
>>>>>>> I'm just thinking out loud about possible scenarios for a protected
>>>>>>> resource here... It may decide to revoke a refresh token if a client
>>>>>>> application tried to use it instead of an access token when the
>>>>>>> protected resource is paranoid about security. In order to do that an
>>>>>>> introspection response should include a non-standard parameter which
>>>>>>> indicates that the requested token is refresh_token.
>>>>>>> 
>>>>>>> A user of the introspection endpoint should rely only on a value of
>>>>>>> the active parameter (which is a boolean indicator) of the endpoint
>>>>>>> response. This applies to both types of tokens. Note, the expiration
>>>>>>> date, as well as other parameters, are defined as optional in the
>>>>>>> specification.. Both token types can be revoked before the expiration
>>>>>>> date comes even if this parameter is presented as part of the
>>>>>>> response. In my opinion, there are a number of reasons why this check
>>>>>>> (for a refresh token) can be useful on the client application side.
>>>>>>> 
>>>>>>> --
>>>>>>> Regards,
>>>>>>> Andrii
>>>>>>> 
>>>>>>> 
>>>>>>> On Fri, Feb 28, 2020 at 1:59 AM Bill Jung
>>>>>>> <bjung=40pingidentity.com@dmarc.ietf.org> wrote:
>>>>>>>> 
>>>>>>>> Hello, hopefully I am using the right email address.
>>>>>>>> 
>>>>>>>> Simply put, can this spec be enhanced to clarify "Who can use the introspection endpoint for a refresh token? A resource provider or a client app or both?"
>>>>>>>> 
>>>>>>>> RFC7662 clearly mentions that the user of introspection endpoint is a 'protected resource' and that makes sense for an access token. If we allow this to client apps, it'll give unnecessary token information to them.
>>>>>>>> However, the spec also mentions that refresh tokens can also be used against the endpoint.
>>>>>>>> In case of refresh tokens, user of the endpoint should be a client app because refresh tokens are used by clients to get another access token. (Cannot imagine how/why a resource server would introspect a refresh token)
>>>>>>>> 
>>>>>>>> Is it correct to assume that the endpoint should be allowed to client apps if they want to examine refresh token's expiry time? Then the RFC should clearly mention it.
>>>>>>>> 
>>>>>>>> Thanks in advance.
>>>>>>>> 
>>>>>>>> <Details from the spec>
>>>>>>>> In https://tools.ietf.org/html/rfc7662
>>>>>>>> In '1.  Introduction' section says,
>>>>>>>> "This specification defines a protocol that allows authorized
>>>>>>>> protected resources to query the authorization server to determine
>>>>>>>> the set of metadata for a given token that was presented to them by
>>>>>>>> an OAuth 2.0 client."
>>>>>>>> Above makes clear that user of the endpoint is a "protected resource".
>>>>>>>> 
>>>>>>>> And under 'token' in '2.1.  Introspection Request' section says,
>>>>>>>> "For refresh tokens,
>>>>>>>> this is the "refresh_token" value returned from the token endpoint
>>>>>>>> as defined in OAuth 2.0 [RFC6749], Section 5.1."
>>>>>>>> So looks like a refresh token is allowed for this endpoint..
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Bill Jung
>>>>>>>> Manager, Response Engineering
>>>>>>>> bjung@pingidentity.com
>>>>>>>> w: +1 604.697.7037
>>>>>>>> Connect with us:
>>>>>>>> 
>>>>>>>> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited...  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________
>>>>>>>> OAuth mailing list
>>>>>>>> OAuth@ietf.org
>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf..org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>> 
>>>> 
>>> 
>>> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> 
>> 
>> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth