Re: [OAUTH-WG] Lifetime of refresh token
Jim Manico <jim@manicode.com> Fri, 28 August 2015 21:36 UTC
Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 153E81B2A8A for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 14:36:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QUmdJWmTV-iB for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 14:36:49 -0700 (PDT)
Received: from mail-pa0-f46.google.com (mail-pa0-f46.google.com [209.85.220.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 201341B2A7F for <oauth@ietf.org>; Fri, 28 Aug 2015 14:36:49 -0700 (PDT)
Received: by pabzx8 with SMTP id zx8so74574763pab.1 for <oauth@ietf.org>; Fri, 28 Aug 2015 14:36:48 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-type; bh=T6FJGYau0B/wa9rkTEuaYSk1tJjL3pd3Fs2BXnSaa28=; b=RoDBq7y17URkbPQGCVFEM3x+WgtcJcPmbCA3OkcY5WSZXjEnXQLwqrA2XPGYhEZbcS k40/vaRcrqftrifn2UaX+0QW+JhYqWwqUvt+f4aWdTOhzz5IntXuyKOjpID3HUHJQhCs mI7DK/wBvCTJmRV191PkjomcKycwB4HHL7RdlXLVvdLIKK7JraihlQ8wDjwc+Cqe+tOd +3sQ+55Du+j05BCFnXxf9n7pbUo8K8MUh9nqlgKqba9mSEQ9A78V7AaLn45890sfs2M+ 7dXppU5HL4uACDW7qLJ3rZUAAZmrw4DlMLySitOgYsFE6hdyh5egIuT0yr9mKJV9hrxy P07w==
X-Gm-Message-State: ALoCoQnKFKLE0h6/3c046z3kJgRMlTZUzxYDxtqz4nCV9FwyiNhD5eLCg/3JkBAunm/igU78bFbG
X-Received: by 10.66.124.133 with SMTP id mi5mr18600959pab.92.1440797808797; Fri, 28 Aug 2015 14:36:48 -0700 (PDT)
Received: from heembo.local ([2605:e000:112c:e0:d153:472a:c47b:5949]) by smtp.googlemail.com with ESMTPSA id xo14sm6788415pac.24.2015.08.28.14.36.46 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 28 Aug 2015 14:36:48 -0700 (PDT)
To: John Bradley <ve7jtb@ve7jtb.com>, Donghwan Kim <flowersinthesand@gmail.com>
References: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com> <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com> <C44C21E6-2559-4099-8B21-3544DE8965BD@lodderstedt.net> <CAMbDefsu0XAQvCR2+ako4PbsoKeezLwgizJ4dVsKMAY_DXM_wA@mail.gmail.com> <B314B571-A0E4-41B0-8F05-B89DA5A73113@ve7jtb.com>
From: Jim Manico <jim@manicode.com>
Message-ID: <55E0D46C.2080901@manicode.com>
Date: Fri, 28 Aug 2015 11:36:44 -1000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <B314B571-A0E4-41B0-8F05-B89DA5A73113@ve7jtb.com>
Content-Type: multipart/alternative; boundary="------------070002000003040706040501"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/J_wJ9roCOv_qvoUJhALJfg4UezU>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Lifetime of refresh token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2015 21:36:52 -0000
Again, I would state that this is all contextual to the application being built - which is why the RFC never gives specific times other than "short lived" or "long lived". I would suggest giving a series of recommendations relative to a few different risk profiles (low risk, social media, banking, enterprise, etc) as opposed to one recommendation. With respect, Jim Manico On 8/28/15 10:41 AM, John Bradley wrote: > I would use a 5 min AT and roll the refresh token per > https://tools.ietf.org/html/rfc6749#page-47 with a 1 month expiry if > that is what you want for a inactivity timeout after which the user > must authenticate again. The user can always revoke the refresh token. > > Rolling the refresh token also has the advantage that if the token > leaks or is stollen then you will detect the second use of the expired > refresh token and invalidate both, so the user needs to loggin. > > In general I think rolling the refresh token is a good idea though it > is not popular, I think it is more secure. > > John B. > > > >> On Aug 28, 2015, at 11:21 AM, Donghwan Kim >> <flowersinthesand@gmail.com <mailto:flowersinthesand@gmail.com>> wrote: >> >> I'm sorry to introduce a common topic. >> >> As John has suggested, I'm going to design that >> >> * An access token should be short lived e.g. 5 minutes (not to hit >> the AS to verify the token or 1 hour (to hit the AS to verify the >> token). I'm inclined to 5 minutes for stateless architecture of RSs. >> * A refresh token should have 1 month of expiration time by default. >> If it turns out that some access token expired, its refresh token >> should refresh the token. Then, so called persistent login can be >> implemented regardless of the form of authentication. Only if it >> fails for some reason e.g. token revocation or inactivity for 1 >> month, a user is logged out automatically and should log in again. >> * A refresh token should be able to be revoked somehow. With 5 >> minutes approach, it will invalidate only the refresh token (Yes the >> attacker can have 5 minutes at most), and with 1 hour approach, it >> will invalidate the refresh token as well as the corresponding access >> token. >> >> Thanks, >> >> -- Donghwan >> >> On Fri, Aug 28, 2015 at 5:43 PM, Torsten Lodderstedt >> <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote: >> >> Refresh tokens are also used by public clients, e.g. native apps. >> OIDC allows to acquire a new id token from a refresh token as >> well. Note: this does not mean a fresh authentication but a >> refreshed id token containing the data of the original >> authentication transaction. >> >> Am 24. August 2015 17:08:21 MESZ, schrieb John Bradley >> <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>>: >> >> I think Nat’s diagram about the problems of doing pseudo >> authentication with OAuth is being taken out of context. >> >> The refresh token dosen’t expire, it is revoked by the user >> or system. In some cases refresh tokens are automatically >> revoked if the users session to the AS ends. I think AOL >> typically revokes refresh tokens when sessions terminate. >> >> OpenID Connect provides a separate id_token with a >> independent lifetime from the refresh token. A client may >> keep a refresh token for a much longer time than the user has >> a login session with the AS. >> >> Refresh tokens are typically used by confidential clients >> that are using a client secret in combination with the >> refresh token for getting a new access token. >> >> By design access tokens should be short lived as the AS is >> expected to have a way of revoking refresh tokens but not >> access tokens. >> A access token that dosen't expire , and can’t be revoked is >> not a good idea. >> >> John B. >> >> >>> On Aug 24, 2015, at 2:41 AM, Donghwan Kim >>> <flowersinthesand@gmail.com >>> <mailto:flowersinthesand@gmail.com>> wrote: >>> >>> Hi, >>> >>> According to Figure 2 from >>> http://tools.ietf.org/html/rfc6749#section-1.5, refresh >>> token can be used to refresh an expired access token without >>> requesting resource owner to sign in again (uncomfortable >>> experience). However, if it's true, isn't it that refresh >>> token might be used to request a new access token even years >>> later? and then isn't refresh token the same with access >>> token which never expires? >>> >>> I intended to use refresh token to implement persistent >>> login by sending a refresh request before issued access >>> token expires (expires_in runs out). But if refresh token >>> works even if access token expired already, sending a >>> refresh request on application start up would be enough. >>> >>> So I'm not sure what I'm missing about refresh token as well >>> as how to implement persistent login using it (you can >>> regard authentication here pseudo-authentication illustrated >>> in >>> https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg). >>> What is the lifetime of refresh token? >>> >>> Thanks, >>> >>> -- Donghwan >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >> >> >> ------------------------------------------------------------------------ >> >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth -- Jim Manico Manicode Security https://www.manicode.com
- [OAUTH-WG] Lifetime of refresh token Donghwan Kim
- Re: [OAUTH-WG] Lifetime of refresh token Justin Richer
- Re: [OAUTH-WG] Lifetime of refresh token John Bradley
- Re: [OAUTH-WG] Lifetime of refresh token Jim Manico
- Re: [OAUTH-WG] Lifetime of refresh token Bill Mills
- Re: [OAUTH-WG] Lifetime of refresh token Torsten Lodderstedt
- Re: [OAUTH-WG] Lifetime of refresh token Donghwan Kim
- Re: [OAUTH-WG] Lifetime of refresh token Bill Mills
- Re: [OAUTH-WG] Lifetime of refresh token Justin Richer
- Re: [OAUTH-WG] Lifetime of refresh token John Bradley
- Re: [OAUTH-WG] Lifetime of refresh token William Denniss
- Re: [OAUTH-WG] Lifetime of refresh token Jim Manico
- Re: [OAUTH-WG] Lifetime of refresh token Jim Manico
- Re: [OAUTH-WG] Lifetime of refresh token Jim Manico
- Re: [OAUTH-WG] Lifetime of refresh token Donghwan Kim
- Re: [OAUTH-WG] Lifetime of refresh token Nat Sakimura