[OAUTH-WG] Re: Refresh Token Rotation
Justin Richer <jricher@mit.edu> Fri, 02 August 2024 13:08 UTC
From: Justin Richer <jricher@mit.edu>
To: Indeewari Wijesiri <indeewarii@gmail.com>, Warren Parad <wparad@rhosys.ch>
Date: Fri, 02 Aug 2024 12:50:49 +0000
CC: "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/CQ4jrALcjpiGiPphoFeP6YfEUG8>
The token lifetime is independent of whether the access token is a JWT or unstructured. You should get a new access token for every new grant request. If you get a refresh token from the auth code response, it's expected to be a new value and unrelated to any previous ones because it's a new grant. And since you can't use the auth code more than once, the rest of your question goes astray - there is nothing to rotate because it's all new.

It doesn't matter how you got a refresh token, it's always up to the AS whether it wants to rotate the value when you use it.

- Justin

________________________________
From: Indeewari Wijesiri <indeewarii@gmail.com>
Sent: Friday, August 2, 2024 7:36 AM
To: Warren Parad <wparad@rhosys.ch>
Cc: oauth@ietf.org <oauth@ietf.org>
Subject: [OAUTH-WG] Re: Refresh Token Rotation

Hi Warren,

Thank you for your attention.

When public web clients use the authorization code grant for authentication, a successful response includes an access token and, optionally, a refresh token. If the access token is a JWT rather than an opaque token, the identity server will issue a new JWT access token for each authentication request with the same client_id and scope, based on the "issued at" (iat) claim. This means each authentication attempt generates a new JWT access token.

In this context, how should the refresh token behave? Is it advisable to use a long-lived refresh token in conjunction with the JWT access token, or should the refresh token be rotated each time a new JWT access token is issued?

For opaque access tokens, since they are not renewed with each request, a long-lived refresh token can be used.

Thanks and regards

On Fri, Aug 2, 2024 at 4:38 PM Warren Parad <wparad@rhosys.ch> wrote:

Indeewari, I'm confused regarding what you are describing. Would you be able to give additional context?

- Warren

On Fri, Aug 2, 2024 at 11:25 AM Indeewari Wijesiri <indeewarii@gmail.com> wrote:

Hi all,

Refresh token rotation, which involves issuing a new refresh token each time an access token is renewed, is the default for the refresh grant. Do we follow the same practice for the authorization code grant and password grant as well? What is the recommended practice between long-lived refresh tokens and refresh token rotation for these grants?

Additionally, is there a specific requirement for refresh token rotation with JWT access tokens in the authorization code grant and password grant, given that JWT access tokens are renewed per request?

Thanks and Regards
--
Indeewari Wijesiri

--
Indeewari Wijesiri
Associate Technical Lead, WSO2 Inc
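A toy authorization server that models the points made in the thread: an authorization code is redeemed once, every token request yields a new access token, a new grant yields a new refresh token unrelated to earlier ones, and whether the refresh token rotates on use is a policy switch on the AS side. This is an added illustration, not code from the thread or from any real AS; the `AuthorizationServer` class, its `rotate_refresh_tokens` flag and the in-memory tables are all assumptions, and it goes one step past the thread by also showing the usual companion to rotation, revoking the grant when a retired refresh token is replayed.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Grant:
    """One authorization grant: one user approval for one client and scope."""
    client_id: str
    scope: str
    active_refresh: Optional[str] = None  # the single refresh token currently valid
    revoked: bool = False

class AuthorizationServer:
    """Hypothetical in-memory AS, constructed for this illustration only."""

    def __init__(self, rotate_refresh_tokens: bool = True):
        self.rotate = rotate_refresh_tokens  # rotation is AS policy, not the client's choice
        self._codes: dict = {}      # authorization code -> Grant, deleted on first use
        self._refresh: dict = {}    # every refresh token ever issued -> its Grant
        self._retired: set = set()  # refresh tokens already replaced by rotation

    def authorize(self, client_id: str, scope: str) -> str:
        """Front channel: the user approves, the AS mints a new grant and a one-time code."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = Grant(client_id, scope)
        return code

    def _issue(self, grant: Grant) -> dict:
        access = secrets.token_urlsafe(24)  # every successful token request gets a new access token
        if self.rotate or grant.active_refresh is None:
            if grant.active_refresh is not None:
                self._retired.add(grant.active_refresh)  # keep the link so replay is detectable
            grant.active_refresh = secrets.token_urlsafe(24)
            self._refresh[grant.active_refresh] = grant
        return {"access_token": access, "refresh_token": grant.active_refresh}

    def token_code(self, code: str, client_id: str) -> dict:
        grant = self._codes.pop(code, None)  # pop: a code cannot be redeemed twice
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        return self._issue(grant)

    def token_refresh(self, refresh_token: str, client_id: str) -> dict:
        grant = self._refresh.get(refresh_token)
        if grant is None or grant.client_id != client_id or grant.revoked:
            return {"error": "invalid_grant"}
        if refresh_token in self._retired:
            grant.revoked = True  # a rotated token was replayed: someone holds a copy, kill the grant
            return {"error": "invalid_grant", "error_description": "refresh token reuse detected"}
        return self._issue(grant)
```

With `rotate_refresh_tokens=False` the same refresh token is returned on every refresh (the long-lived model); with it set to `True` each refresh retires the previous token, and a later replay of that retired token revokes the whole grant.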