Re: [OAUTH-WG] Refresh tokens
Eran Hammer-Lahav <eran@hueniverse.com> Mon, 28 November 2011 23:23 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20A9D21F8B4A for <oauth@ietfa.amsl.com>; Mon, 28 Nov 2011 15:23:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_38=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LNUQxZk043JK for <oauth@ietfa.amsl.com>; Mon, 28 Nov 2011 15:23:08 -0800 (PST)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by ietfa.amsl.com (Postfix) with SMTP id B731421F8B43 for <oauth@ietf.org>; Mon, 28 Nov 2011 15:23:07 -0800 (PST)
Received: (qmail 14072 invoked from network); 28 Nov 2011 23:23:06 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 28 Nov 2011 23:23:05 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Mon, 28 Nov 2011 16:22:50 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: William Mills <wmills@yahoo-inc.com>, Bart Wiegmans <bart@all4students.nl>, oauth WG <oauth@ietf.org>
Date: Mon, 28 Nov 2011 16:22:46 -0700
Thread-Topic: [OAUTH-WG] Refresh tokens
Thread-Index: AcyuJKU7Oh0cL+HvTx2fPp2vBn8jAw==
Message-ID: <CAF957B1.B51F%eran@hueniverse.com>
In-Reply-To: <1322500178.60395.YahooMailNeo@web31801.mail.mud.yahoo.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.10.0.110310
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_CAF957B1B51Feranhueniversecom_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Refresh tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Nov 2011 23:23:10 -0000
Re: #5 It was part of section 4 but people found it more confusing. EHL From: William Mills <wmills@yahoo-inc.com<mailto:wmills@yahoo-inc.com>> Reply-To: William Mills <wmills@yahoo-inc.com<mailto:wmills@yahoo-inc.com>> Date: Mon, 28 Nov 2011 10:09:38 -0700 To: Bart Wiegmans <bart@all4students.nl<mailto:bart@all4students.nl>>, oauth WG <oauth@ietf.org<mailto:oauth@ietf.org>> Subject: Re: [OAUTH-WG] Refresh tokens 1&2) Yep. This is why flows using Refresh Tokens must always use SSL. 3) Refresh tokens are comparable to access tokens in that you can scope them etc. In fact it makes a great deal of sense to limit them in the same way the access tokens are limited. 4) The answer here depends on the security requirements for your app. It all depends on whether you feel the client can keep a secret, either a MAC signing secret or a token. Whether you store them on disk or not depends a lot on how you'd plan to store them, if it's in a browser then you're pretty much trusting the user level file security on the computer. 5) Not sure, might be that Eran wanted to generalize it so as not to be putting specific authentication scheme constructs into the base framework. -bill ________________________________ From: Bart Wiegmans <bart@all4students.nl<mailto:bart@all4students.nl>> To: oauth WG <oauth@ietf.org<mailto:oauth@ietf.org>> Sent: Monday, November 28, 2011 7:20 AM Subject: Re: [OAUTH-WG] Refresh tokens I forgot the following question: 5. If refresh taken are just another way of requesting access tokens, I believe they should be specified in section 4, with other grant types. But there must be a reason for the way it is now, so why? With kind regards, Bart Wiegmans | Developer -----Oorspronkelijk bericht----- Van: oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org> [mailto:oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org>] Namens Bart Wiegmans Verzonden: maandag 28 november 2011 16:13 Aan: oauth WG Onderwerp: [OAUTH-WG] Refresh tokens Hello everybody, This is my first post on this mailing list, so I will introduce myself. My name is Bart Wiegmans, I work in Groningen, the Netherlands. I am involved with OAuth2 because I am implementing an authorization server for my employer, all4students / studenten.net<http://studenten.net>. I have few remarks about refresh tokens. 1. The way I understand it, they are a way to limit the impact of access token exposure. Which I find desirable. 2. However, they can also be seen as credentials for an access token request. In which case, refresh token exposure is a more serious risk than access token exposure. 3. Are there, or will there ever be, multiple refresh token types as there are access token types? 4. Can a public client use refresh tokens at all, or is this meaningless? If not, are public clients that are installed on a users' computer or smartphone required to re-authorise every time an access token expires? (This would be undesirable). Should they request long-lived access tokens? About MAC tokens, I wonder about the practicality of public (javascript) clients using them as a token type. With kind regards, Bart Wiegmans | Developer _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Refresh tokens Eran Hammer-Lahav
- Re: [OAUTH-WG] Refresh tokens Brian Eaton
- Re: [OAUTH-WG] Refresh tokens Eran Hammer-Lahav
- Re: [OAUTH-WG] Refresh tokens Kris Selden
- Re: [OAUTH-WG] Refresh tokens Eran Hammer-Lahav
- Re: [OAUTH-WG] Refresh tokens William J. Mills
- Re: [OAUTH-WG] Refresh tokens Brian Eaton
- Re: [OAUTH-WG] Refresh tokens Phil Hunt
- Re: [OAUTH-WG] Refresh tokens Lodderstedt, Torsten
- [OAUTH-WG] Refresh tokens Bart Wiegmans
- Re: [OAUTH-WG] Refresh tokens Bart Wiegmans
- Re: [OAUTH-WG] Refresh tokens William Mills
- Re: [OAUTH-WG] Refresh tokens Eran Hammer-Lahav