Re: [OAUTH-WG] Lifetime of refresh token

"Nat Sakimura" <n-sakimura@nri.co.jp> Tue, 01 September 2015 10:08 UTC

From: Nat Sakimura <n-sakimura@nri.co.jp>
To: 'John Bradley' <ve7jtb@ve7jtb.com>, 'Donghwan Kim' <flowersinthesand@gmail.com>
References: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com> <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com>
In-Reply-To: <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com>
Date: Tue, 01 Sep 2015 19:07:06 +0900
Message-ID: <03a001d0e49d$f4d5b8f0$de812ad0$@nri.co.jp>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/FOszHUji-jbPeHJRjaG6ayCqT-c>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Lifetime of refresh token
List-Id: OAUTH WG <oauth.ietf.org>

Right. I wrote “pseudo-authentication” because it does not qualify as authentication.

In other words, I am saying “DO NOT DO IT.”

-- 
Nat Sakimura <n-sakimura@nri.co.jp>
Nomura Research Institute, Ltd.

PLEASE READ:
The information contained in this e-mail is confidential and intended for the named recipient(s) only.
If you are not an intended recipient of this e-mail, you are hereby notified that any review, dissemination, distribution or duplication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately and delete your copy from your system.

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
Sent: Tuesday, August 25, 2015 12:08 AM
To: Donghwan Kim <flowersinthesand@gmail.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Lifetime of refresh token

I think Nat’s diagram about the problems of doing pseudo-authentication with OAuth is being taken out of context.

The refresh token doesn’t expire, it is revoked by the user or system. In some cases refresh tokens are automatically revoked if the user's session to the AS ends. I think AOL typically revokes refresh tokens when sessions terminate.

OpenID Connect provides a separate id_token with an independent lifetime from the refresh token. A client may keep a refresh token for a much longer time than the user has a login session with the AS.

Refresh tokens are typically used by confidential clients that are using a client secret in combination with the refresh token for getting a new access token.

By design access tokens should be short-lived, as the AS is expected to have a way of revoking refresh tokens but not access tokens.

An access token that doesn’t expire and can’t be revoked is not a good idea.

John B.


On Aug 24, 2015, at 2:41 AM, Donghwan Kim <flowersinthesand@gmail.com> wrote:

Hi,

According to Figure 2 from http://tools.ietf.org/html/rfc6749#section-1.5, a refresh token can be used to refresh an expired access token without requiring the resource owner to sign in again (an uncomfortable experience). However, if that's true, couldn't a refresh token be used to request a new access token even years later? And then isn't a refresh token the same as an access token which never expires?

I intended to use the refresh token to implement persistent login by sending a refresh request before the issued access token expires (expires_in runs out). But if the refresh token works even after the access token has already expired, sending a refresh request on application start-up would be enough.

So I'm not sure what I'm missing about refresh tokens, as well as how to implement persistent login using them (you can regard authentication here as the pseudo-authentication illustrated in https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg). What is the lifetime of a refresh token?

Thanks,

-- Donghwan

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
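The token lifetimes John describes (a refresh token that never expires on its own but can be revoked by the user, the system, or the end of the AS login session; short-lived access tokens that are never revoked; an id_token with its own lifetime and audience), together with Nat's point that treating an access token as a login is not authentication, as an added example written for this page. It is not code from the thread, from any of its authors, or from any real authorization server. Everything below is a toy: HMAC-signed tokens under a single hypothetical server key (a real OP signs id_tokens with an asymmetric key that clients verify via its JWKS), in-memory stores, the 300 s / 3600 s lifetimes, and the "web-app" / "other-app" client names are all assumptions. The `pseudo_login` function stands in for a client that asks "is this access token valid?" and treats yes as a login; `oidc_login` is the OpenID Connect version that also checks the id_token's `aud`.

```python
import base64
import hashlib
import hmac
import json
import secrets

ACCESS_TTL = 300      # seconds; access tokens are short-lived and never revoked (assumed value)
ID_TOKEN_TTL = 3600   # seconds; id_token lifetime is independent of the refresh token (assumed value)
KEY = b"demo-only-server-hmac-key"   # hypothetical AS signing key, not a real OP's key


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _sign(claims):
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())


def _verify(token):
    """Return the claims if the HMAC checks out, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


class AuthServer:
    """Toy authorization server: refresh tokens are revoked, never expired."""

    def __init__(self):
        self.clients = {}   # client_id -> client_secret (confidential clients only)
        self.refresh = {}   # refresh_token -> (user, client_id, as_session_id)
        self.revoked = set()

    def register_client(self, client_id, client_secret):
        self.clients[client_id] = client_secret

    def issue(self, user, client_id, session_id, now):
        """Initial grant: the refresh token carries no expiry of its own."""
        rt = secrets.token_urlsafe(16)
        self.refresh[rt] = (user, client_id, session_id)
        return self._tokens(user, client_id, rt, now)

    def _tokens(self, user, client_id, rt, now):
        access = _sign({"typ": "access", "sub": user, "exp": now + ACCESS_TTL})
        id_token = _sign({"typ": "id", "sub": user, "aud": client_id, "exp": now + ID_TOKEN_TTL})
        return {"access_token": access, "refresh_token": rt, "id_token": id_token}

    def refresh_grant(self, rt, client_id, client_secret, now):
        """grant_type=refresh_token from a confidential client (client secret required)."""
        secret = self.clients.get(client_id)
        if secret is None or not hmac.compare_digest(secret, client_secret):
            return {"error": "invalid_client"}
        if rt in self.revoked or rt not in self.refresh:
            return {"error": "invalid_grant"}
        user, owner, _sid = self.refresh[rt]
        if owner != client_id:
            return {"error": "invalid_grant"}   # refresh token is bound to the client it was issued to
        return self._tokens(user, client_id, rt, now)

    def revoke(self, rt):
        """User- or system-initiated revocation."""
        self.revoked.add(rt)

    def end_session(self, session_id):
        """Optional AS policy: revoke refresh tokens tied to a login session when it ends."""
        for rt, (_user, _client, sid) in self.refresh.items():
            if sid == session_id:
                self.revoked.add(rt)


def access_token_valid(token, now):
    claims = _verify(token)
    return claims is not None and claims.get("typ") == "access" and claims["exp"] > now


def pseudo_login(access_token, now):
    """'Pseudo-authentication': treat any valid access token as a login.
    The access token says nothing about which client it was issued to."""
    claims = _verify(access_token)
    if claims is None or claims.get("typ") != "access" or claims["exp"] <= now:
        return None
    return claims["sub"]


def oidc_login(id_token, my_client_id, now):
    """OpenID Connect: accept only an id_token whose aud is this client."""
    claims = _verify(id_token)
    if claims is None or claims.get("typ") != "id" or claims.get("aud") != my_client_id:
        return None
    return claims["sub"] if claims["exp"] > now else None
```

Run `refresh_grant` with a `now` two years after issuance and it still hands out a fresh access token; call `end_session` or `revoke` first and the same refresh token yields `invalid_grant`. The last two functions show the difference Nat is pointing at: an access token issued to "other-app" is accepted by `pseudo_login` at any client, whereas `oidc_login` rejects an id_token whose `aud` is not the client doing the check.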