[OAUTH-WG] Refresh Token Rotation

Indeewari Wijesiri <indeewarii@gmail.com> Fri, 02 August 2024 09:15 UTC

From: Indeewari Wijesiri <indeewarii@gmail.com>
Date: Fri, 02 Aug 2024 14:45:32 +0530
Message-ID: <CADU05gP9Zn_18bsmmiUgLNVsDGN9HEurJvF30jCbT5-nx4ycMg@mail.gmail.com>
To: oauth@ietf.org
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Eg4oeIfkKMThUpfrASHtWhy-AMY>

Hi all,

Refresh token rotation, which involves issuing a new refresh token each
time an access token is renewed, is the default for the refresh grant. Do
we follow the same practice for the authorization code grant and password
grant as well? What is the recommended practice between long-lived refresh
tokens and refresh token rotation for these grants?

Additionally, is there a specific requirement for refresh token rotation
with JWT access tokens in the authorization code grant and password grant,
given that JWT access tokens are renewed per request?

Thanks and Regards
-- 

Indeewari Wijesiri
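As an added illustration of the rotation the question describes (constructed example code, not from the poster or from any IETF document), here is the authorization-server side of refresh token rotation. It goes beyond the message in one respect: it also implements the reuse detection that the OAuth 2.0 Security BCP recommends, revoking the whole token family when an already-rotated token is presented again. The in-memory store, the class and method names, and the 30-day lifetime are assumptions for the example.

```python
import secrets
import time

# Constructed in-memory authorization-server state (a real AS would persist
# this). A "family" groups every refresh token descended from one grant so
# that all of them can be revoked together on reuse detection.
class RefreshTokenStore:
    def __init__(self, refresh_ttl=30 * 24 * 3600, now=time.time):
        self.refresh_ttl = refresh_ttl      # assumed lifetime of each token
        self.now = now                      # injectable clock for testing
        self.tokens = {}                    # token -> {"family", "used", "expires"}
        self.revoked_families = set()

    def _mint(self, family):
        token = secrets.token_urlsafe(32)   # 256 bits of entropy, unguessable
        self.tokens[token] = {"family": family, "used": False,
                              "expires": self.now() + self.refresh_ttl}
        return token

    def issue_for_grant(self):
        """Initial issuance, e.g. when an authorization code is redeemed."""
        family = secrets.token_hex(8)
        return self._mint(family)

    def refresh(self, presented):
        """Redeem a refresh token: rotate it and return the replacement,
        or None when the request must be rejected (invalid_grant)."""
        rec = self.tokens.get(presented)
        if rec is None or rec["family"] in self.revoked_families:
            return None                     # unknown, purged, or revoked
        if rec["expires"] < self.now():
            return None                     # expired: user must re-authorize
        if rec["used"]:
            # Replay of a token that was already rotated: either the client
            # lost the earlier response or a copied token is being used.
            # Revoke the whole family so both holders lose access.
            self.revoke_family(rec["family"])
            return None
        rec["used"] = True                  # old token is single-use
        return self._mint(rec["family"])

    def revoke_family(self, family):
        self.revoked_families.add(family)
        for tok, rec in list(self.tokens.items()):
            if rec["family"] == family:
                del self.tokens[tok]
```

The same store answers the poster's first question in code: rotation is a property of how the server handles the refresh request, not of the grant that originally issued the token, so a refresh token obtained via the authorization code grant is rotated exactly the same way.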