IETF Logo Mail Archive

Re: [OAUTH-WG] Certificate-bound refresh tokens and certificate expiration handling in case of the confidential clients

Torsten Lodderstedt <torsten@lodderstedt.net> Wed, 24 August 2022 14:53 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57E30C152590 for <oauth@ietfa.amsl.com>; Wed, 24 Aug 2022 07:53:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tUL1tAFkkl4s for <oauth@ietfa.amsl.com>; Wed, 24 Aug 2022 07:53:26 -0700 (PDT)
Received: from mail-ej1-x62c.google.com (mail-ej1-x62c.google.com [IPv6:2a00:1450:4864:20::62c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F2FCC14CE36 for <oauth@ietf.org>; Wed, 24 Aug 2022 07:53:26 -0700 (PDT)
Received: by mail-ej1-x62c.google.com with SMTP id kk26so4320532ejc.11 for <oauth@ietf.org>; Wed, 24 Aug 2022 07:53:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc; bh=ZyPnl40Q61PZJ/fUKYpDd/rbVk9cWV9NvGzLxc2Wdys=; b=Pv+IJqcu99BCb6XGShEo3gxGnlRQ3VqAq5ohjcIpDOo5JCZZ/oxb4+Tfjcdqo9G6dp I0lueKlf+G0jgEWXjmbg/WIsbp1rwLeqzidrVmS4skjwXvxGhJdaY8SDU8eS2iRillmI SWmI3JATlGhx53nfx7ekPvG1Lc8OmPySNgM9Z28sxW8GLoSpYp9Tr1lWL4cVqF0JH+io L/k3W67xNqnK1GQv0gwfFfSSs6pFqhlihz8axRONwX74b5ojlY8IXVGfZ+j6KIvHI/+z C4LoBvFbv8WEaD64Gw1oY6FPmgaKMadayCLxPoGY7bRUuCO5yxqkV6bFdM4BqN23NypM QWRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc; bh=ZyPnl40Q61PZJ/fUKYpDd/rbVk9cWV9NvGzLxc2Wdys=; b=hLhLsVqPRRDCKqCCkLaNsm89qjh61hLueQePjz1KsvwFcd33uhQZkoFxBse7h+oD6n QO3SDhpuJvhIj9f8kkDa02ucV9uycot1/Rsbok+vB1b+dMIv2PoRA76ZsFXANP7VWqfv N/3ulCPUJbXWWrI4ElsXqTi95i+AP5wBunhQ5thJy4CQr5bqe1RyF3DvadZXMHkt9/6+ g0lIF98bJQ5kijfKiOVor3K6hxF9s0T2PQ6n9dAR9FGYVCTqDV/R34Wgehb1owWgrP4X l6ki92VW0nILAZ7UBgN3/6aBRoBEzaJZCNG0eHcQCrrFf2gBjCwRNLCAJiPyXA6iyHuZ COmA==
X-Gm-Message-State: ACgBeo2dH8f3+z2WY8Sce4KkHkYG9LbRmCj1g66lOBpgZ01CUQ5AYOwC V9ZYbsxfqvXT4rhEvrFTdTEslg==
X-Google-Smtp-Source: AA6agR4WBSpxP3EeK3G3zcFPeOt7acqr5hWaqesoRI9+CI9TGW/n+2ekNxHLmCJjQvhvi8X/LV4xpA==
X-Received: by 2002:a17:907:da9:b0:731:1a5:8c66 with SMTP id go41-20020a1709070da900b0073101a58c66mr3172920ejc.80.1661352804458; Wed, 24 Aug 2022 07:53:24 -0700 (PDT)
Received: from smtpclient.apple (p549ee9b7.dip0.t-ipconnect.de. [84.158.233.183]) by smtp.gmail.com with ESMTPSA id w5-20020aa7cb45000000b00445b822005dsm3226188edt.6.2022.08.24.07.53.23 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 24 Aug 2022 07:53:23 -0700 (PDT)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <DDBBF80B-87F1-4211-AA69-33D51F9C7789@lodderstedt.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E111A37B-5102-4910-965B-0501557C5195"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Date: Wed, 24 Aug 2022 16:53:22 +0200
In-Reply-To: <CAODMz5HK5gLv4atQgMxn1e13b8kW29=tXCiDY5Q9+2gJX209zQ@mail.gmail.com>
Cc: Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de>, oauth@ietf.org
To: Jaimandeep Singh <jaimandeep.phdcs21=40nfsu.ac.in@dmarc.ietf.org>
References: <006c01d8ad93$776364f0$662a2ed0$@association.ge> <007201d8ad94$710026b0$53007410$@association.ge> <CA+k3eCSzUaNiO=NpqT5284+JQK=fDK_uGP_QuD65M_J5oWdWzA@mail.gmail.com> <00c001d8adae$5f33ba90$1d9b2fb0$@association.ge> <CAODMz5HZESoLP+ZfhgwLOmFWHo13AanrfchTBMubVU55CDSROg@mail.gmail.com> <49c224f2-13a1-6580-51a4-5f2f1c28ba39@hackmanit.de> <CAODMz5HK5gLv4atQgMxn1e13b8kW29=tXCiDY5Q9+2gJX209zQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/JtwfnsGrKt87d2qbX-h0PeWGq9I>
Subject: Re: [OAUTH-WG] Certificate-bound refresh tokens and certificate expiration handling in case of the confidential clients
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Aug 2022 14:53:30 -0000

Hi, 

the consent is not bound to the code. As you correctly pointed out, the code is a temporary artifact. It’s purpose is to bridge insecure frontchannel communication to more secure backchannel communication. You don’t need to preserve the code in order to preserve the consent. The code is merely intended to be a reference to the consent (or grant). So even if the code expires, the consent can be preserved and updated in the AS. In the simplest case, it is transferred to the refresh token. In more sophisticated implementations, the consent is a first class object in the AS. 

best regards,
Torsten.  

> Am 19.08.2022 um 16:23 schrieb Jaimandeep Singh <jaimandeep.phdcs21=40nfsu.ac.in@dmarc.ietf.org>:
> 
> Hi Karsten,
> 
> Thx a lot for all the time and effort in explaining the things. This brings up an important discussion point as we are revising OAuth 2.0. Do we need to make the authorization code a temporary token? Section 1.3.1 of the draft RFC states:
> An authorization code is a temporary credential used to obtain an access token. 
> Here, I am only considering the case of human interaction where it is necessary to take the consent of the human (resource owner) before granting access to his protected resources. As I have already mentioned in the trail mail, OAuth is a two step process: Step 1: Take consent from the user. Step 2: Handover that consent to the third party to access resources on the user's behalf. 
> 
> Now, if we make authorization code a temporary artifact, we will never be able to go back to the previous step and will have to per-force start the process again. Now, with RFC 8705 client applications can be identified with the private key, which are also of rotating nature. We also have DPoP and certificate thumbprints coming up. Then, how wise it is to discard this important token and start all over again.
> 
> So, my recommendation is not to make the authorization code temporary especially when used with DPoP and thumbprint cnf. This will reduce the headache of asking the consent from a human user because the refresh token expired.
> 
> For kind consideration of the members please.
> 
> Regards and Best Wishes
> Jaimandeep Singh 
> 
> On Fri, Aug 19, 2022 at 7:07 PM Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de <mailto:karsten.meyerzuselhausen@hackmanit.de>> wrote:
> Hi Jaimandeep,
> 
> I disagree with both of your points. See my comments inline.
> 
> Best regards,
> Karsten
> 
> On 12.08.2022 05:40, Jaimandeep Singh wrote:
>> Hi Mikheil,
>> 1. Well explained by Brain. I will just add my perspective.
>> >From the practical perspective, if the confidential client got a refresh
>> token for the offline access and sufficient time (e.g., for a month), this
>> would be quite impractical and not very user-friendly to ask a lot of users
>> to give consents again when the confidential client wants to upgrade its
>> certificate. But seems like software vendors did not interpret the RFC that
>> way.
>> For confidential clients, authorization code flow is recommended. It is a two step process. In the first step you get the authorization code when the user provides his/her consent. In the second step you use this authorization code along with client credentials to obtain access tokens and refresh tokens. If the refresh token expires either due to expiry of its lifetime or certificate, it only needs to follow step two. So, the question of asking for consent again does not arise unless the authorization code itself has limited lifespan.
> IMHO authorization codes should always be implemented as one-time-use tokens. Even when there is a grace period allowing a client to redeem a code a second time (e.g., in case of network failure) this period should be very short - much shorter than the validity of refresh tokens in practice.
> 
> If the refresh token is expired, the client should start a new authorization flow and ask the user for consent again unless the AS provides a way for users to grant access for clients "permanently".
> 
>> 
>> 2.
>> While RFC 8705 indeed requires binding refresh token to the certificate in
>> case of the public clients in Section 4 and Section 7.1
>> The RFC 8705 talks about public clients and refresh tokens in the same breath and seems to have legitimized the use of refresh tokens for public clients. However, if we look at the original OAuth 2.0 specifications RFC 6749,             Section 4.2, talks about implicit grant optimized for public clients. It does not support issuing refresh tokens by AS in the first place. I think there is a need to deliberate on this issue in the next update / errata  for RFC 8705.
> RFC 6749 is much older than RFC 8705. Both drafts "OAuth 2.0 Security Best Current Practice" (hopefully soon to be finished) and OAuth 2.1 deprecate issuing access tokens from the authorization endpoint (which is more or less the implicit grant). Today's best practice is to use the authorization code grant for both confidential and public clients. Therefore, I do not think there is a need for an updated RFC replacing 8705.
> 
> 
> 
>> 
>> Regards and Best Wishes
>> Jaimandeep Singh
>> 
>> 
>> On Thu, Aug 11, 2022 at 11:46 PM <mikheil@association.ge <mailto:mikheil@association.ge>> wrote:
>> Hi Brian,
>> 
>> Thanks for the prompt response. We will work with our vendors to get this done according to the RFC.
>> 
>> Best Regards,
>> Mikheil Kapanadze
>> 
>> From: Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> 
>> Sent: ხუთშაბათი, 11 აგვისტო, 2022 21:04
>> To: mikheil@association.ge <mailto:mikheil@association.ge>
>> Cc: oauth@ietf.org <mailto:oauth@ietf.org>
>> Subject: Re: [OAUTH-WG] Certificate-bound refresh tokens and certificate expiration handling in case of the confidential clients
>> 
>> Hi Mikheil, 
>> 
>> Your assumption is the correct reading of the RFC. Or the intent of the RFC anyway. For confidential clients, refresh tokens are bound to the client id (not the certificate thumbprint or anything else for that matter).
>> 
>> RFCs can't be changed after publication so adding more clarification isn't really possible. 
>> 
>> 
>> 
>> On Thu, Aug 11, 2022 at 9:11 AM <mailto:mikheil@association.ge <mailto:mikheil@association.ge>> wrote:
>> Hi,
>> 
>> I have noticed is that some OAuth2 AS implementations use certificate
>> thumbprints to bind not only access tokens but also refresh tokens to client
>> certificates. This happens for both public and confidential clients. As a
>> result, when the certificate is replaced (e.g., it is about to expire soon),
>> both access and refresh tokens are drawn unusable. 
>> 
>> While RFC 8705 indeed requires binding refresh token to the certificate in
>> case of the public clients in Section 4 and Section 7.1, the wording is not
>> that explicit for the confidential clients. More specifically, Section 7.1
>> of the RFC 8705 is worded in a way which does not explicitly deny keeping
>> refresh tokens alive after certificate change: it talks about binding to
>> client ID, thus binding "indirectly" to the certificate. Also, Section 6.3
>> requires access tokens to be invalidated after certificate change and
>> mentions refresh tokens as typical tools for renewing them. 
>> 
>> >From the practical perspective, if the confidential client got a refresh
>> token for the offline access and sufficient time (e.g., for a month), this
>> would be quite impractical and not very user-friendly to ask a lot of users
>> to give consents again when the confidential client wants to upgrade its
>> certificate. But seems like software vendors did not interpret the RFC that
>> way.
>> 
>> So, the questions:
>> 1) Is my assumption correct and it will not be a violation of the RFC if
>> refresh tokens issued to the confidential clients survive certificate change
>> (e.g., by binding them to Client ID, not the certificate thumbprint)? 
>> 2) If the answer on the 1st question is “yes”, would it be better to provide
>> more clarification in the section 7.1 to avoid misinterpretations in the
>> future?
>> 
>> Best Regards,
>> Mikheil Kapanadze            
>> 
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> mailto:OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>> 
>> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>> 
>> --
>> Regards and Best Wishes
>> Jaimandeep Singh
>> LinkedIn <http://www.linkedin.com/in/jaimandeep-singh-07834b1b7> 
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> -- 
> Karsten Meyer zu Selhausen
> Senior IT Security Consultant
> Phone:	+49 (0)234 / 54456499
> Web:	https://hackmanit.de <https://hackmanit.de/> | IT Security Consulting, Penetration Testing, Security Training
> 
> Is your OAuth or OpenID Connect application vulnerable to mix-up attacks? Find out more on our blog:
> https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks <https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks>
> 
> Hackmanit GmbH
> Universitätsstraße 60 (Exzenterhaus)
> 44789 Bochum
> 
> Registergericht: Amtsgericht Bochum, HRB 14896
> Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz
> 
> 
> -- 
> Regards and Best Wishes
> Jaimandeep Singh
> LinkedIn <http://www.linkedin.com/in/jaimandeep-singh-07834b1b7>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email