[OAUTH-WG] DPoP + Token Revocation

Dmitry Telegin <dmitryt@backbase.com> Thu, 10 February 2022 00:19 UTC

From: Dmitry Telegin <dmitryt@backbase.com>
Date: Thu, 10 Feb 2022 03:18:43 +0300
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] DPoP + Token Revocation
Message-ID: <CAOtx8D=7Rgjx=n4xC8wrKYYE4gGgwuhNfEEy7Eqz1UPpSO06zA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IWov_fU6i7E9dFtnqlQPw6bAeTA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>

Could we perhaps be a little bit more specific on the relationship between
DPoP and OAuth 2.0 Token Revocation (RFC 7009)?

I believe that if we constrain *some* token lifecycle events (issuance,
refresh), we should constrain *all*, revocation included (please correct me
if I'm wrong).

There seem to be no direct attack vectors here, but indirect ones might be
possible. For example, by revoking an exfiltrated refresh token, thus
killing the session, the attacker could force the user to reauthenticate at
the moment the attacker would be ready to steal credentials.

Dmitry
Backbase / Keycloak
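
What "constraining revocation" could look like in practice, as an added example that is not part of the message above, nor code from Keycloak, Backbase or the DPoP specification: a minimal RFC 7009 revocation endpoint that, before revoking a DPoP-bound refresh token, demands a DPoP proof signed by the key the token is bound to (the RFC 7638 thumbprint stored as cnf.jkt). RFC 7009 itself specifies no such check. The scenario in the message is exercised directly: an attacker who has exfiltrated the refresh token string but not the client's DPoP private key presents a proof under their own key and is refused, while the legitimate client succeeds. Assumptions, all my own: ES256 on P-256 only, a 30-second iat acceptance window, a hypothetical endpoint URL https://as.example/revoke, and a constructed token value "rt-example".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// thumbprint is the RFC 7638 thumbprint of a P-256 JWK: SHA-256 over the required members in
// lexicographic order with no whitespace. The AS stores this as cnf.jkt when it binds a token.
func thumbprint(jwk map[string]string) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":%q,"kty":%q,"x":%q,"y":%q}`, jwk["crv"], jwk["kty"], jwk["x"], jwk["y"])))
	return b64.EncodeToString(sum[:])
}

func jwkOf(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{"kty": "EC", "crv": "P-256", "x": b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))), "y": b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}

// makeProof is the client side: an ES256 DPoP proof JWT (RFC 9449) for one HTTP method and URI.
func makeProof(priv *ecdsa.PrivateKey, htm, htu, jti string, iat int64) string {
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": jwkOf(&priv.PublicKey)})
	body, _ := json.Marshal(map[string]any{"jti": jti, "htm": htm, "htu": htu, "iat": iat})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, h[:])
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS raw R||S encoding
	return input + "." + b64.EncodeToString(sig)
}

// revocationEndpoint is a minimal RFC 7009 endpoint that also enforces the DPoP binding on revocation.
type revocationEndpoint struct {
	URL    string
	Tokens map[string]string // live refresh token -> cnf.jkt of the DPoP key it is bound to
	Seen   map[string]bool   // accepted jti values, so a captured proof cannot be replayed
}

// verifyProof checks that proof is a fresh, valid DPoP proof for htm on this endpoint, signed by the key with thumbprint jkt.
func (e *revocationEndpoint) verifyProof(proof, htm, jkt string) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed proof")
	}
	dec := func(s string) []byte { b, _ := b64.DecodeString(s); return b }
	var hdr struct{ Typ, Alg string; JWK map[string]string }
	var claims struct{ JTI, HTM, HTU string; IAT int64 }
	sig := dec(parts[2])
	if json.Unmarshal(dec(parts[0]), &hdr) != nil || json.Unmarshal(dec(parts[1]), &claims) != nil || len(sig) != 64 ||
		hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK["kty"] != "EC" || hdr.JWK["crv"] != "P-256" {
		return fmt.Errorf("undecodable or unsupported proof")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(dec(hdr.JWK["x"])), Y: new(big.Int).SetBytes(dec(hdr.JWK["y"]))}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	now := time.Now().Unix()
	switch {
	case !pub.Curve.IsOnCurve(pub.X, pub.Y) || !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])):
		return fmt.Errorf("invalid key or bad signature") // off-curve points are refused before any arithmetic
	case claims.HTM != htm || claims.HTU != e.URL:
		return fmt.Errorf("proof is for a different method or URI")
	case claims.IAT > now+30 || claims.IAT < now-30:
		return fmt.Errorf("iat outside acceptance window")
	case e.Seen[claims.JTI]:
		return fmt.Errorf("replayed proof")
	case thumbprint(hdr.JWK) != jkt:
		return fmt.Errorf("proof key does not match the token's binding")
	}
	e.Seen[claims.JTI] = true
	return nil
}

// Revoke is the RFC 7009 handler. Unknown tokens succeed silently (RFC 7009 section 2.2); a live
// token is revoked only on a valid proof from its bound key, so holding the token string is not enough.
func (e *revocationEndpoint) Revoke(token, proof string) error {
	jkt, live := e.Tokens[token]
	if !live {
		return nil
	}
	if err := e.verifyProof(proof, "POST", jkt); err != nil {
		return fmt.Errorf("invalid_dpop_proof: %w", err)
	}
	delete(e.Tokens, token)
	return nil
}

func main() {
	client, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attacker, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Constructed AS state: "rt-example" is bound to the client's DPoP key; the attacker holds the token string only.
	ep := &revocationEndpoint{URL: "https://as.example/revoke", Seen: map[string]bool{},
		Tokens: map[string]string{"rt-example": thumbprint(jwkOf(&client.PublicKey))}}
	fmt.Println("attacker:", ep.Revoke("rt-example", makeProof(attacker, "POST", ep.URL, "jti-a", time.Now().Unix())), "live:", len(ep.Tokens))
	fmt.Println("client:", ep.Revoke("rt-example", makeProof(client, "POST", ep.URL, "jti-c", time.Now().Unix())), "live:", len(ep.Tokens))
}
```

The ordering of the checks is deliberate: the signature is verified before any claim is trusted, the method and URI bind the proof to this endpoint, the iat window and jti cache bound replay, and only then is the signing key compared to the token's cnf.jkt. Tokens that were issued without a DPoP binding are not handled here; an AS that supports both would store an empty jkt for them and skip verifyProof in that case.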