Re: [OAUTH-WG] Refresh tokens
William Mills <wmills@yahoo-inc.com> Mon, 28 November 2011 17:09 UTC
Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E430F21F8B03 for <oauth@ietfa.amsl.com>; Mon, 28 Nov 2011 09:09:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -16.998
X-Spam-Level:
X-Spam-Status: No, score=-16.998 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_38=0.6, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fw++BiRJjle7 for <oauth@ietfa.amsl.com>; Mon, 28 Nov 2011 09:09:45 -0800 (PST)
Received: from nm25.bullet.mail.ac4.yahoo.com (nm25.bullet.mail.ac4.yahoo.com [98.139.52.222]) by ietfa.amsl.com (Postfix) with SMTP id 0B8BE21F899F for <oauth@ietf.org>; Mon, 28 Nov 2011 09:09:44 -0800 (PST)
Received: from [98.139.52.196] by nm25.bullet.mail.ac4.yahoo.com with NNFMP; 28 Nov 2011 17:09:39 -0000
Received: from [98.139.52.141] by tm9.bullet.mail.ac4.yahoo.com with NNFMP; 28 Nov 2011 17:09:39 -0000
Received: from [127.0.0.1] by omp1024.mail.ac4.yahoo.com with NNFMP; 28 Nov 2011 17:09:39 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 626960.86199.bm@omp1024.mail.ac4.yahoo.com
Received: (qmail 68252 invoked by uid 60001); 28 Nov 2011 17:09:39 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1322500179; bh=z5xN9EqFFANXMRMKTj+Hm9j7QbOxsh79u20vP9TqLQk=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=TBHlJJ/Zf91i85eJZ1C0nPjjRcr+OU348CXJ+e8igBzuXPbVra0TiL1kIM/zABhkl2EDAjv3l57GxufuLduyG+o6z08Z1s65nEZV8kdbyjB3T4Iu+2hkj5UUwofYR1nZP9MAujUNJbRAH7yY2xNoS/kpogNfD+66JfrzXEhElns=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=pUKHHTS/Vw9GppRdSBHBMw8U3VXiWc/i+MQZ/H+nlDPN2E278fBUwBfTRUSfH8eOJOXxQLlxhtlHziNOTevKgFIQd+BxCTVUVTRekRveKsCVzQl/DvxCiHhb7rXfLDTO1DlFrPajBaFGGX3VBt7RWj6GYPFkV0zMwatOVvaDo/Y=;
X-YMail-OSG: 7egukr8VM1lan6MMUqLrIBJa0Kxqv97aMMjfN_5zANg9W.f wbLUTNSftRR0oygmEfhT9jOW9ZDjhA1lYErk67O_Dxs3lS5TSEkFthJn_MZu HstudaFof035Ivi1.dUaz8PAhtWmVqS8qAtPuA6e2LSxLOpUccGwwrrUqZu0 G3TykLth8TataoieADx5xJGRZT628fjPWHv8rjuhOFIuj5dOg8sl4h_7sBTj gdLY5mp8wTsY3ddhpK8Lz1.aqjFszAkEGwBXuoBf3a7lWMqvoHDGYIsw5biY hf_Q8.FjHn458flc0BTEBzgLSZZvyGFUECGJr8ImnIpSXry5r7eazio9giYX xRxsX4vKyZLZcvjY3a1SZ12eUid.XVqggR6gbt_49XPy2Ph2s61K.BYYBd7T dtmFmfgsECPeCzRRY.AL10Hw3uARILCPkAQ6iXjCRlmIc87gcT_HfljWkMFv cQJJxkDj9eFfK
Received: from [99.31.212.42] by web31801.mail.mud.yahoo.com via HTTP; Mon, 28 Nov 2011 09:09:38 PST
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.115.331203
References: <AEDA1B65E9329448939CEFA895C129E203850B04@studentserver.studentennet.local>
Message-ID: <1322500178.60395.YahooMailNeo@web31801.mail.mud.yahoo.com>
Date: Mon, 28 Nov 2011 09:09:38 -0800
From: William Mills <wmills@yahoo-inc.com>
To: Bart Wiegmans <bart@all4students.nl>, oauth WG <oauth@ietf.org>
In-Reply-To: <AEDA1B65E9329448939CEFA895C129E203850B04@studentserver.studentennet.local>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-368338466-1668142724-1322500178=:60395"
Subject: Re: [OAUTH-WG] Refresh tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Nov 2011 17:09:46 -0000
1&2) Yep. This is why flows using Refresh Tokens must always use SSL. 3) Refresh tokens are comparable to access tokens in that you can scope them etc. In fact it makes a great deal of sense to limit them in the same way the access tokens are limited. 4) The answer here depends on the security requirements for your app. It all depends on whether you feel the client can keep a secret, either a MAC signing secret or a token. Whether you store them on disk or not depends a lot on how you'd plan to store them, if it's in a browser then you're pretty much trusting the user level file security on the computer. 5) Not sure, might be that Eran wanted to generalize it so as not to be putting specific authentication scheme constructs into the base framework. -bill ________________________________ From: Bart Wiegmans <bart@all4students.nl> To: oauth WG <oauth@ietf.org> Sent: Monday, November 28, 2011 7:20 AM Subject: Re: [OAUTH-WG] Refresh tokens I forgot the following question: 5. If refresh taken are just another way of requesting access tokens, I believe they should be specified in section 4, with other grant types. But there must be a reason for the way it is now, so why? With kind regards, Bart Wiegmans | Developer -----Oorspronkelijk bericht----- Van: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] Namens Bart Wiegmans Verzonden: maandag 28 november 2011 16:13 Aan: oauth WG Onderwerp: [OAUTH-WG] Refresh tokens Hello everybody, This is my first post on this mailing list, so I will introduce myself. My name is Bart Wiegmans, I work in Groningen, the Netherlands. I am involved with OAuth2 because I am implementing an authorization server for my employer, all4students / studenten.net. I have few remarks about refresh tokens. 1. The way I understand it, they are a way to limit the impact of access token exposure. Which I find desirable. 2. However, they can also be seen as credentials for an access token request. In which case, refresh token exposure is a more serious risk than access token exposure. 3. Are there, or will there ever be, multiple refresh token types as there are access token types? 4. Can a public client use refresh tokens at all, or is this meaningless? If not, are public clients that are installed on a users' computer or smartphone required to re-authorise every time an access token expires? (This would be undesirable). Should they request long-lived access tokens? About MAC tokens, I wonder about the practicality of public (javascript) clients using them as a token type. With kind regards, Bart Wiegmans | Developer _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Refresh tokens Eran Hammer-Lahav
- Re: [OAUTH-WG] Refresh tokens Brian Eaton
- Re: [OAUTH-WG] Refresh tokens Eran Hammer-Lahav
- Re: [OAUTH-WG] Refresh tokens Kris Selden
- Re: [OAUTH-WG] Refresh tokens Eran Hammer-Lahav
- Re: [OAUTH-WG] Refresh tokens William J. Mills
- Re: [OAUTH-WG] Refresh tokens Brian Eaton
- Re: [OAUTH-WG] Refresh tokens Phil Hunt
- Re: [OAUTH-WG] Refresh tokens Lodderstedt, Torsten
- [OAUTH-WG] Refresh tokens Bart Wiegmans
- Re: [OAUTH-WG] Refresh tokens Bart Wiegmans
- Re: [OAUTH-WG] Refresh tokens William Mills
- Re: [OAUTH-WG] Refresh tokens Eran Hammer-Lahav