Re: [OAUTH-WG] OAuth 2.0 Token Introspection in RFC7662 : Refresh token?
Andrii Deinega <andrii.deinega@gmail.com> Mon, 02 March 2020 05:11 UTC
Return-Path: <andrii.deinega@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFAE93A0BD7 for <oauth@ietfa.amsl.com>; Sun, 1 Mar 2020 21:11:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kGq80CeVXOu7 for <oauth@ietfa.amsl.com>; Sun, 1 Mar 2020 21:11:53 -0800 (PST)
Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com [IPv6:2a00:1450:4864:20::434]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5EA43A0BDB for <oauth@ietf.org>; Sun, 1 Mar 2020 21:11:52 -0800 (PST)
Received: by mail-wr1-x434.google.com with SMTP id r7so10829032wro.2 for <oauth@ietf.org>; Sun, 01 Mar 2020 21:11:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=4wc4OI67X7zmahJAzwqq3YQiGHKMd9O48mXFvHFlDe0=; b=EqgyrAfgYBhC7SZro/bJx7JRV3tXFsG67mPqvWMNw8gKHpfpqHAwHFFR/9aPnPAGas VA/KJ2QB3J5ee/LYrV/BRlptUOMJnmujvxXVwAmNjGWp/T/EPFYfrkhzQIjJbNMG5L6Y L3XI7uACUWvUljI5SNX0dfldLJ5RzgSZvk0y8TDrbE1hR60zBTHWbw6c1cuNe4OOg0P+ Y2okOSL35K9WW8g4oHDchcpWM50Btf8x5845BNr3tgiJSBDLm4IuX1dUcqBpSUj8bxyS SX2nTBOTr6OnnwkQ1ijPQxe9A6x7cI7T2TkLS+EGOsvwPnU/sKGMsAdQYFCdCpUjOJXr Q7wA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=4wc4OI67X7zmahJAzwqq3YQiGHKMd9O48mXFvHFlDe0=; b=Z4Q8ulIMWTwOml7zUJRVS2fnLzMn5ImavVtBLR/z4jXEDiky8K1HuOIbTgB0p3uT6z ROt55/cPAEjhSsSnmuMDdpghJRNilgAEmOt8iQdG26r9HYfFECgk3GH61clhRrIU/id6 ZcPFJyTHtgfov4zBHHIIfuuvQIZEkmnKIhi5YKf2BTQcWg8V+lu4lS3WnRE1aMtteWuf 38C9n/1Ff3Q94r5dRrjTvXNKutTY9EfquypukHEzvv7K0fzeZT4Km9Iupt9SQvj+NiBn h59Rm2rFMpSO8uLWFdWfYZufljFx82PUg31Fe6KaIfZnqW0ECoLJqy282eeJwIZH2qKQ 2AYw==
X-Gm-Message-State: APjAAAWN3S2/Vo7PCIhA6ST6LihoKzu4gQf/0h6Jj9Bim+P/PTZOmaxc SRs9fn6KtYM6PvUq0zuayASuGZD3iO7Xc/mo0xjCV5l3fgnuQw==
X-Google-Smtp-Source: APXvYqwk3bYj9PLE6XK2XvbNjOTDhUipzKJ8YcfVS0lkRotM5wWM90ndCE5oH+kcLdTUlkVgHYftm4ZfmQlxoKeM/Ns=
X-Received: by 2002:a5d:5286:: with SMTP id c6mr13552019wrv.418.1583125911381; Sun, 01 Mar 2020 21:11:51 -0800 (PST)
MIME-Version: 1.0
References: <CAErhd0OLTMKxXnT-_X6DyWYUxe==gTXdcHKLjOEDTmXCUZNxrg@mail.gmail.com> <CALkShcuLTd02iu309dCZ8PtnzbKd5b9PsVS_DWUMGWXgFovwMg@mail.gmail.com> <C0C40A3E-2455-4C86-B504-AB18F31975D9@alkaline-solutions.com>
In-Reply-To: <C0C40A3E-2455-4C86-B504-AB18F31975D9@alkaline-solutions.com>
From: Andrii Deinega <andrii.deinega@gmail.com>
Date: Sun, 01 Mar 2020 21:11:40 -0800
Message-ID: <CALkShct=sYSq-HoG=yMiV2BqT8+F=gnej+p2GgFD87FV1OQu3w@mail.gmail.com>
To: David Waite <david@alkaline-solutions.com>
Cc: Bill Jung <bjung=40pingidentity.com@dmarc.ietf.org>, oauth@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/E3NerK7j5U0gogt1Oy1g5AjKueI>
Subject: Re: [OAUTH-WG] OAuth 2.0 Token Introspection in RFC7662 : Refresh token?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Mar 2020 05:12:00 -0000
How would the authorization server know who actually uses the introspection endpoint assuming that a protected resource and a client application use the same credentials (client_id and client_secret)? Regards, Andrii On Sun, Mar 1, 2020 at 7:38 PM David Waite <david@alkaline-solutions.com> wrote: > > I would expect the AS to invalidate the refresh token in this case, which would not require a refresh token mode nor necessarily any signaling back to the resource. > > -DW > > > On Mar 1, 2020, at 12:12 AM, Andrii Deinega <andrii.deinega@gmail.com> wrote: > > > > Hello Bill, > > > > I'm just thinking out loud about possible scenarios for a protected > > resource here... It may decide to revoke a refresh token if a client > > application tried to use it instead of an access token when the > > protected resource is paranoid about security. In order to do that an > > introspection response should include a non-standard parameter which > > indicates that the requested token is refresh_token. > > > > A user of the introspection endpoint should rely only on a value of > > the active parameter (which is a boolean indicator) of the endpoint > > response. This applies to both types of tokens. Note, the expiration > > date, as well as other parameters, are defined as optional in the > > specification. Both token types can be revoked before the expiration > > date comes even if this parameter is presented as part of the > > response. In my opinion, there are a number of reasons why this check > > (for a refresh token) can be useful on the client application side. > > > > -- > > Regards, > > Andrii > > > > > > On Fri, Feb 28, 2020 at 1:59 AM Bill Jung > > <bjung=40pingidentity.com@dmarc.ietf.org> wrote: > >> > >> Hello, hopefully I am using the right email address. > >> > >> Simply put, can this spec be enhanced to clarify "Who can use the introspection endpoint for a refresh token? A resource provider or a client app or both?" > >> > >> RFC7662 clearly mentions that the user of introspection endpoint is a 'protected resource' and that makes sense for an access token. If we allow this to client apps, it'll give unnecessary token information to them. > >> However, the spec also mentions that refresh tokens can also be used against the endpoint. > >> In case of refresh tokens, user of the endpoint should be a client app because refresh tokens are used by clients to get another access token. (Cannot imagine how/why a resource server would introspect a refresh token) > >> > >> Is it correct to assume that the endpoint should be allowed to client apps if they want to examine refresh token's expiry time? Then the RFC should clearly mention it. > >> > >> Thanks in advance. > >> > >> <Details from the spec> > >> In https://tools.ietf.org/html/rfc7662 > >> In '1. Introduction' section says, > >> "This specification defines a protocol that allows authorized > >> protected resources to query the authorization server to determine > >> the set of metadata for a given token that was presented to them by > >> an OAuth 2.0 client." > >> Above makes clear that user of the endpoint is a "protected resource". > >> > >> And under 'token' in '2.1. Introspection Request' section says, > >> "For refresh tokens, > >> this is the "refresh_token" value returned from the token endpoint > >> as defined in OAuth 2.0 [RFC6749], Section 5.1." > >> So looks like a refresh token is allowed for this endpoint. > >> > >> > >> Bill Jung > >> Manager, Response Engineering > >> bjung@pingidentity.com > >> w: +1 604.697.7037 > >> Connect with us: > >> > >> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________ > >> OAuth mailing list > >> OAuth@ietf.org > >> https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] OAuth 2.0 Token Introspection in RFC76… Bill Jung
- Re: [OAUTH-WG] OAuth 2.0 Token Introspection in R… David Skaife
- Re: [OAUTH-WG] OAuth 2.0 Token Introspection in R… Andrii Deinega
- Re: [OAUTH-WG] OAuth 2.0 Token Introspection in R… Andrii Deinega
- Re: [OAUTH-WG] OAuth 2.0 Token Introspection in R… David Waite
- Re: [OAUTH-WG] OAuth 2.0 Token Introspection in R… Andrii Deinega
- Re: [OAUTH-WG] OAuth 2.0 Token Introspection in R… David Waite
- Re: [OAUTH-WG] OAuth 2.0 Token Introspection in R… Bill Jung
- Re: [OAUTH-WG] OAuth 2.0 Token Introspection in R… Bill Jung
- Re: [OAUTH-WG] OAuth 2.0 Token Introspection in R… Justin Richer
- Re: [OAUTH-WG] OAuth 2.0 Token Introspection in R… Bill Jung
- Re: [OAUTH-WG] OAuth 2.0 Token Introspection in R… Andrii Deinega
- Re: [OAUTH-WG] OAuth 2.0 Token Introspection in R… Torsten Lodderstedt