IETF Logo Mail Archive

Re: [OAUTH-WG] Lifetime of refresh token

Jim Manico <jim@manicode.com> Fri, 28 August 2015 21:36 UTC

Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 153E81B2A8A for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 14:36:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QUmdJWmTV-iB for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 14:36:49 -0700 (PDT)
Received: from mail-pa0-f46.google.com (mail-pa0-f46.google.com [209.85.220.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 201341B2A7F for <oauth@ietf.org>; Fri, 28 Aug 2015 14:36:49 -0700 (PDT)
Received: by pabzx8 with SMTP id zx8so74574763pab.1 for <oauth@ietf.org>; Fri, 28 Aug 2015 14:36:48 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-type; bh=T6FJGYau0B/wa9rkTEuaYSk1tJjL3pd3Fs2BXnSaa28=; b=RoDBq7y17URkbPQGCVFEM3x+WgtcJcPmbCA3OkcY5WSZXjEnXQLwqrA2XPGYhEZbcS k40/vaRcrqftrifn2UaX+0QW+JhYqWwqUvt+f4aWdTOhzz5IntXuyKOjpID3HUHJQhCs mI7DK/wBvCTJmRV191PkjomcKycwB4HHL7RdlXLVvdLIKK7JraihlQ8wDjwc+Cqe+tOd +3sQ+55Du+j05BCFnXxf9n7pbUo8K8MUh9nqlgKqba9mSEQ9A78V7AaLn45890sfs2M+ 7dXppU5HL4uACDW7qLJ3rZUAAZmrw4DlMLySitOgYsFE6hdyh5egIuT0yr9mKJV9hrxy P07w==
X-Gm-Message-State: ALoCoQnKFKLE0h6/3c046z3kJgRMlTZUzxYDxtqz4nCV9FwyiNhD5eLCg/3JkBAunm/igU78bFbG
X-Received: by 10.66.124.133 with SMTP id mi5mr18600959pab.92.1440797808797; Fri, 28 Aug 2015 14:36:48 -0700 (PDT)
Received: from heembo.local ([2605:e000:112c:e0:d153:472a:c47b:5949]) by smtp.googlemail.com with ESMTPSA id xo14sm6788415pac.24.2015.08.28.14.36.46 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 28 Aug 2015 14:36:48 -0700 (PDT)
To: John Bradley <ve7jtb@ve7jtb.com>, Donghwan Kim <flowersinthesand@gmail.com>
References: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com> <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com> <C44C21E6-2559-4099-8B21-3544DE8965BD@lodderstedt.net> <CAMbDefsu0XAQvCR2+ako4PbsoKeezLwgizJ4dVsKMAY_DXM_wA@mail.gmail.com> <B314B571-A0E4-41B0-8F05-B89DA5A73113@ve7jtb.com>
From: Jim Manico <jim@manicode.com>
Message-ID: <55E0D46C.2080901@manicode.com>
Date: Fri, 28 Aug 2015 11:36:44 -1000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <B314B571-A0E4-41B0-8F05-B89DA5A73113@ve7jtb.com>
Content-Type: multipart/alternative; boundary="------------070002000003040706040501"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/J_wJ9roCOv_qvoUJhALJfg4UezU>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Lifetime of refresh token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2015 21:36:52 -0000

Again, I would state that this is all contextual to the application 
being built - which is why the RFC never gives specific times other than 
"short lived" or "long lived". I would suggest giving a series of 
recommendations relative to a few different risk profiles (low risk, 
social media, banking, enterprise, etc) as opposed to one recommendation.

With respect,
Jim Manico

On 8/28/15 10:41 AM, John Bradley wrote:
> I would use a 5 min AT and roll the refresh token per 
> https://tools.ietf.org/html/rfc6749#page-47 with a 1 month expiry if 
> that is what you want for a inactivity timeout after which the user 
> must authenticate again.   The user can always revoke the refresh token.
>
> Rolling the refresh token also has the advantage that if the token 
> leaks or is stollen then you will detect the second use of the expired 
> refresh token and invalidate both, so the user needs to loggin.
>
> In general I think rolling the refresh token is a good idea though it 
> is not popular, I think it is more secure.
>
> John B.
>
>
>
>> On Aug 28, 2015, at 11:21 AM, Donghwan Kim 
>> <flowersinthesand@gmail.com <mailto:flowersinthesand@gmail.com>> wrote:
>>
>> I'm sorry to introduce a common topic.
>>
>> As John has suggested, I'm going to design that
>>
>> * An access token should be short lived e.g. 5 minutes (not to hit 
>> the AS to verify the token or 1 hour (to hit the AS to verify the 
>> token). I'm inclined to 5 minutes for stateless architecture of RSs.
>> * A refresh token should have 1 month of expiration time by default. 
>> If it turns out that some access token expired, its refresh token 
>> should refresh the token. Then, so called persistent login can be 
>> implemented regardless of the form of authentication. Only if it 
>> fails for some reason e.g. token revocation or inactivity for 1 
>> month, a user is logged out automatically and should log in again.
>> * A refresh token should be able to be revoked somehow. With 5 
>> minutes approach, it will invalidate only the refresh token (Yes the 
>> attacker can have 5 minutes at most), and with 1 hour approach, it 
>> will invalidate the refresh token as well as the corresponding access 
>> token.
>>
>> Thanks,
>>
>> -- Donghwan
>>
>> On Fri, Aug 28, 2015 at 5:43 PM, Torsten Lodderstedt 
>> <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
>>
>>     Refresh tokens are also used by public clients, e.g. native apps.
>>     OIDC allows to acquire a new id token from a refresh token as
>>     well. Note: this does not mean a fresh authentication but a
>>     refreshed id token containing the data of the original
>>     authentication transaction.
>>
>>     Am 24. August 2015 17:08:21 MESZ, schrieb John Bradley
>>     <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>>:
>>
>>         I think Nat’s diagram about the problems of doing pseudo
>>         authentication with OAuth is being taken out of context.
>>
>>         The refresh token dosen’t expire, it is revoked by the user
>>         or system.  In some cases refresh tokens are automatically
>>         revoked if the users session to the AS ends.  I think AOL
>>         typically revokes refresh tokens when sessions terminate.
>>
>>         OpenID Connect provides a separate id_token with a
>>         independent lifetime from the refresh token.  A client may
>>         keep a refresh token for a much longer time than the user has
>>         a login session with the AS.
>>
>>         Refresh tokens are typically used by confidential clients
>>         that are using a client secret in combination with the
>>         refresh token for getting a new access token.
>>
>>         By design access tokens should be short lived as the AS is
>>         expected to have a way of revoking refresh tokens but not
>>         access tokens.
>>         A access token that dosen't expire , and can’t be revoked is
>>         not a good idea.
>>
>>         John B.
>>
>>
>>>         On Aug 24, 2015, at 2:41 AM, Donghwan Kim
>>>         <flowersinthesand@gmail.com
>>>         <mailto:flowersinthesand@gmail.com>> wrote:
>>>
>>>         Hi,
>>>
>>>         According to Figure 2 from
>>>         http://tools.ietf.org/html/rfc6749#section-1.5, refresh
>>>         token can be used to refresh an expired access token without
>>>         requesting resource owner to sign in again (uncomfortable
>>>         experience). However, if it's true, isn't it that refresh
>>>         token might be used to request a new access token even years
>>>         later? and then isn't refresh token the same with access
>>>         token which never expires?
>>>
>>>         I intended to use refresh token to implement persistent
>>>         login by sending a refresh request before issued access
>>>         token expires (expires_in runs out). But if refresh token
>>>         works even if access token expired already, sending a
>>>         refresh request on application start up would be enough.
>>>
>>>         So I'm not sure what I'm missing about refresh token as well
>>>         as how to implement persistent login using it (you can
>>>         regard authentication here pseudo-authentication illustrated
>>>         in
>>>         https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg).
>>>         What is the lifetime of refresh token?
>>>
>>>         Thanks,
>>>
>>>         -- Donghwan
>>>         _______________________________________________
>>>         OAuth mailing list
>>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>         https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>         ------------------------------------------------------------------------
>>
>>         OAuth mailing list
>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>         https://www.ietf.org/mailman/listinfo/oauth
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
-- 
Jim Manico
Manicode Security
https://www.manicode.com

v2.23.0 | Report a Bug | By Email