Re: [OAUTH-WG] Implementation questions around refresh token rotation

Torsten Lodderstedt <torsten@lodderstedt.net> Mon, 12 October 2020 09:15 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3575A3A139F for <oauth@ietfa.amsl.com>; Mon, 12 Oct 2020 02:15:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9I2fHxQPYKmm for <oauth@ietfa.amsl.com>; Mon, 12 Oct 2020 02:15:21 -0700 (PDT)
Received: from mail-ej1-x635.google.com (mail-ej1-x635.google.com [IPv6:2a00:1450:4864:20::635]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 655E73A13A1 for <oauth@ietf.org>; Mon, 12 Oct 2020 02:15:21 -0700 (PDT)
Received: by mail-ej1-x635.google.com with SMTP id e22so22220337ejr.4 for <oauth@ietf.org>; Mon, 12 Oct 2020 02:15:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=B+zu8Z6IFjR6XvnClH+JN2G0wxIU10R1/8gzOZNTusU=; b=KHhxaa2jd0OWE0BgNNmtN9YgmVi8pl4h2cIvCPtHBQYoh0AppDG/ZhghyLbJZDT4KK nRloJthzndtNnME/0twNQsjb41AFFeVlWOzDG8H4YZTRkrBoBWc4NwVSl1eN78YtmXgs yOX91GiGk7vSFExVflEnVHmnUs6HcAmpXkWUeFEQVv2Kfj5l8adl8dpsj13Ms4m5p5uL F0885LZcpAm0p+CYvnAex0DB0U3poXgRfYBRQY5peWT/l9SW7gPVwBF8PIkJV2fCR76h C5HmBusXwvj7qZ52QuSh+77HtyKVCFyZMEvUGSr+WuI4mgFHna4IqLkxcVWUtCf3qmgd b6Ng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=B+zu8Z6IFjR6XvnClH+JN2G0wxIU10R1/8gzOZNTusU=; b=Lp1OJ1dpSSMAtN4Kmz4KdEnocuwjGu06Am26IQRy7tOVKT+5XVdiRvQrqq+MVLPryO HvOPY4bfA2ba8gm+DP+hhHy1EPkrDsdLZdG7PsZndhwh5gkLZiSakpgEe90/YRIrZKlD fWlXokNRU1LqroFPp3oQNuLlJVGcrNPLXJbs7ew0X+Xzt5zJJOxnlUe1WmW3RP9QHUY0 oxGrOTlDmPTu2WbdI2DTjk4cv/UgvQWL+VbLEj5Hp83B5cgTQpUO0MbFck3MTmMcIQ3w 3rvX2zH7mMU3zhHQtJ2u5v4XS1Mu03n8ORKORsxNIcpjfzW4qUDNKhh709kp1qTcTXmB GMhA==
X-Gm-Message-State: AOAM533PvaHT7sr5OK3OF32Wy42XwkH/7Kj/pvxplrMiQlbjR0DBPEsG x5CdiItLgTontJycKcsZw3lV/w==
X-Google-Smtp-Source: ABdhPJz3W+XL4F4935cs0VQZERSmMSTgflSZp8RyDGxWNLxNNHazNefaLrCEu546xgWC8KCX832nvQ==
X-Received: by 2002:a17:906:9702:: with SMTP id k2mr4556348ejx.494.1602494117707; Mon, 12 Oct 2020 02:15:17 -0700 (PDT)
Received: from ?IPv6:2003:eb:8f1e:2acb:f17f:cd59:cd54:7b42? (p200300eb8f1e2acbf17fcd59cd547b42.dip0.t-ipconnect.de. [2003:eb:8f1e:2acb:f17f:cd59:cd54:7b42]) by smtp.gmail.com with ESMTPSA id a12sm10100615edy.87.2020.10.12.02.15.16 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 12 Oct 2020 02:15:16 -0700 (PDT)
Content-Type: multipart/signed; boundary=Apple-Mail-B60855C8-B52A-4F7F-B465-5268C6AD998A; protocol="application/pkcs7-signature"; micalg=sha-256
Content-Transfer-Encoding: 7bit
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Mime-Version: 1.0 (1.0)
Date: Mon, 12 Oct 2020 11:15:15 +0200
Message-Id: <81E51F61-E093-4467-BBDB-5FC1CF593598@lodderstedt.net>
References: <CAP-T6TRDeBqT9K=QTUr_xKnkMGAT1gCtr0W2=ejBCk0vhk0sdw@mail.gmail.com>
Cc: Neil Madden <neil.madden@forgerock.com>, Jeff Craig <jeffcraig=40google.com@dmarc.ietf.org>, vittorio.bertocci=40auth0.com@dmarc.ietf.org, OAuth WG <oauth@ietf.org>
In-Reply-To: <CAP-T6TRDeBqT9K=QTUr_xKnkMGAT1gCtr0W2=ejBCk0vhk0sdw@mail.gmail.com>
To: Dave Tonge <dave.tonge@momentumft.co.uk>
X-Mailer: iPad Mail (18A393)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/K6iAHWLppBFQMmYR0Nh0U4DoAvg>
Subject: Re: [OAUTH-WG] Implementation questions around refresh token rotation
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Oct 2020 09:15:24 -0000


> Am 12.10.2020 um 09:04 schrieb Dave Tonge <dave.tonge@momentumft.co.uk>uk>:
> 
> 
> Hi Neil
> 
>  > refresh token rotation is better thought of as providing protection against insecure token storage on the client
> 
> I agree with your reasoning - and that was more the intent of what I said. We've seen refresh token rotation used for confidential clients that have secure storage (i.e. are run in a data center not on a mobile device) and it has caused problems with zero additional security benefits. 

Those are good examples of why refresh token rotation should not be used if there are better ways available to protect refresh tokens from replay. Client authentication or sender constrained refresh tokens are the better choice.

> 
> Dave
> 
> 
>> On Mon, 12 Oct 2020 at 08:57, Neil Madden <neil.madden@forgerock.com> wrote:
>> I’m not sure I agree with this advice. Singling out private_key_jwt and tls_client_auth suggests that the problem is an attacker being able to eavesdrop on the refresh request itself and then replay it. But if they are able to do that then they can instead just steal the access tokens from the response.
>> 
>> I think refresh token rotation is better thought of as providing protection against insecure token storage on the client (e.g. in browser localStorage). Both public and confidential clients are capable of creating secure connections with TLS, but we assume that confidential clients (regardless of auth mechanism) have access to secure storage - otherwise they shouldn’t be confidential clients in the first place.
>> 
>> I think the same reasoning applies here too - if a client has insecure storage then an attacker could just steal the access tokens instead. But I think the difference is that an attacker is more likely to gain temporary access to local storage (e.g. when the user goes to the bathroom and leaves their device unlocked) than they are to gain temporary access to eavesdrop on a connection. The kind of vulnerabilities that allow eavesdropping tend to be repeatable so the attacker doesn’t need to steal a refresh token to ensure ongoing access, they can just steal the access tokens every time the client refreshes.
>> 
>> That said, there are lots of vulnerabilities that would give an attacker repeatable access to the client’s local storage - e.g. XSS - so refresh token rotation only catches a subset of possible attacks.
>> 
>> — Neil
>> 
>>> On 12 Oct 2020, at 05:43, Dave Tonge <dave.tonge@momentumft.co.uk> wrote:
>>> 
>>> > Our goal is to prevent cases where we lose the ability to Refresh a Token due to transient issues (which have run the gamut from network problems to bad software updates on the AS side).
>>> 
>>> We've seen this issue quite a bit and it's very frustrating. I would suggest that refresh token rotation is not used for confidential clients that authenticate with private_key_jwt or tls_client_auth. 
>>> 
>>>> On Wed, 7 Oct 2020 at 00:57, Jeff Craig <jeffcraig=40google.com@dmarc.ietf.org> wrote:
>>>> My experience is more from the Client side of the equation on this problem, but I do have some thoughts. Our goal is to prevent cases where we lose the ability to Refresh a Token due to transient issues (which have run the gamut from network problems to bad software updates on the AS side). Our use case also does all token handling server-side, so our threat model is not the same as the mobile application you described. There is a clear tradeoff in reducing user friction with additional authorization events, and securing access.
>>>> 
>>>> The recommendation my team typically gives people building Authorization Servers with Refresh Token Rotation is to keep the old refresh token until they see the new one (which means that there are generally two refresh tokens valid at any point in time, an unfortunate trade-off). A more difficult, but potentially plausible implementation would be to hold onto the older Refresh Token until the newly issued Access Token is used (thus implying the refresh was successful on both sides).
>>>> 
>>>> We aren't trying to protect against multiple in-flight refreshes though (we've done a LOT of work to attempt to remove that possibility in a globally consistent manner), we're trying to protect against a network interruption that prevents the first use of R1, so our assumption is that R2.1 was completely lost, and only R2.2 matters moving forward. Meaning: R1 is sent, A/R2.1 is dropped in flight, R1 is sent again, A/R2.2 is returned and stored. Since R1 was seen a second time, we recommend that R2.1 be ignored in future. Next refresh will use R2.2, at which point R1 should never be seen again.
>>>> 
>>>> The biggest issue that I see with a time-based grace period is that for many offline tasks, a single refresh failure may be ignored by the client, and it could be hours before the second refresh attempt using the older refresh token is made (depending on time of day and what these requests are being used for), making the grace period low value in that case.
>>>> 
>>>>> On Tue, Oct 6, 2020 at 5:28 PM <vittorio.bertocci=40auth0.com@dmarc.ietf.org> wrote:
>>>>> Hey Aaron,
>>>>> 
>>>>> Auth0 does offer a configurable grace period, during which the “preceding” token can be reused.
>>>>> 
>>>>> I am not 100% sure what we do in the exact scenario you described, and I will double check for you, but here’s my intuition.
>>>>> 
>>>>>  
>>>>> 
>>>>> The operation redeem(RT_n) should result in AT, RT_n+1. The grace period just extends the time in which the operation can occur, but every operation should be idempotent. All repeats of that operation within the grace period should have the same result, which means that every resulting RT is a representative of the RT_n+1 class, hence all valid at the same time. After the grace period elapses, RT_n is invalid, and that’s it.
>>>>> 
>>>>> So, in your example I would consider RT1.1 and RT1.2 as equivalent, as they are both representatives of the RT_n+1 equivalence class.
>>>>> 
>>>>>  
>>>>> 
>>>>> It would be very hard to do otherwise, given that network operations aren’t guaranteed to be concluded in the order they were executed without semaphores, and above all the network failures the grace period is designed to handle can apply to any of the requests, regardless of the order.
>>>>> 
>>>>>  
>>>>> 
>>>>> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Aaron Parecki
>>>>> Sent: Tuesday, October 6, 2020 3:06 PM
>>>>> To: OAuth WG <oauth@ietf.org>
>>>>> Subject: [OAUTH-WG] Implementation questions around refresh token rotation
>>>>> 
>>>>>  
>>>>> 
>>>>> Hi all, I have a couple questions for those of you who have implemented refresh token rotation...
>>>>> 
>>>>>  
>>>>> 
>>>>> Have you included the option of a grace period on refresh token use, allowing multiple uses within some time window? I'm wondering because a grace period where a refresh token may be used more than once would work around the problem that has been brought up, of a mobile app accidentally using a refresh token more than once during normal operation because different threads are unable to coordinate between themselves. However that also kind of defeats the purpose since attacks within that grace period would be hard to detect. I'm looking for an idea of where people have landed on that issue in practice.
>>>>> 
>>>>>  
>>>>> 
>>>>> If you have implemented a grace period, then how do you handle expiring the additional refresh tokens that have been granted? For example, if RT "R1" is used twice, resulting in new ATs "A1.1", "A1.2" and new RTs "R1.1" and "R1.2", what happens if "R1.2" is then later used? Would you invalidate "R1.1" at that point? If so, why, and if not, why not?
>>>>> 
>>>>>  
>>>>> 
>>>>> It would be most interesting to hear practical experience from people who have already built refresh token rotation into a system.
>>>>> 
>>>>>  
>>>>> 
>>>>> Thanks!
>>>>> 
>>>>> 
>>>>> 
>>>>> ---
>>>>> 
>>>>> Aaron Parecki
>>>>> 
>>>>> https://aaronparecki.com
>>>>> 
>>>>>  
>>>>> 
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> 
>>> -- 
>>> Dave Tonge
>>> 
>>> 
>>> Moneyhub Enterprise is a trading style of Moneyhub Financial Technology Limited which is authorised and regulated by the Financial Conduct Authority ("FCA"). Moneyhub Financial Technology is entered on the Financial Services Register (FRN 809360) at https://register.fca.org.uk/. Moneyhub Financial Technology is registered in England & Wales, company registration number 06909772. Moneyhub Financial Technology Limited 2020 © Moneyhub Enterprise, Regus Building, Temple Quay, 1 Friary, Bristol, BS1 6EA. 
>>> 
>>> DISCLAIMER: This email (including any attachments) is subject to copyright, and the information in it is confidential. Use of this email or of any information in it other than by the addressee is unauthorised and unlawful. Whilst reasonable efforts are made to ensure that any attachments are virus-free, it is the recipient's sole responsibility to scan all attachments for viruses. All calls and emails to and from this company may be monitored and recorded for legitimate purposes relating to this company's business. Any opinions expressed in this email (or in any attachments) are those of the author and do not necessarily represent the opinions of Moneyhub Financial Technology Limited or of any other group company.
>>> 
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
> 
> 
> 
> 
> Moneyhub Enterprise is a trading style of Moneyhub Financial Technology Limited which is authorised and regulated by the Financial Conduct Authority ("FCA"). Moneyhub Financial Technology is entered on the Financial Services Register (FRN 809360) at https://register.fca.org.uk/. Moneyhub Financial Technology is registered in England & Wales, company registration number 06909772. Moneyhub Financial Technology Limited 2020 © Moneyhub Enterprise, Regus Building, Temple Quay, 1 Friary, Bristol, BS1 6EA. 
> 
> DISCLAIMER: This email (including any attachments) is subject to copyright, and the information in it is confidential. Use of this email or of any information in it other than by the addressee is unauthorised and unlawful. Whilst reasonable efforts are made to ensure that any attachments are virus-free, it is the recipient's sole responsibility to scan all attachments for viruses. All calls and emails to and from this company may be monitored and recorded for legitimate purposes relating to this company's business. Any opinions expressed in this email (or in any attachments) are those of the author and do not necessarily represent the opinions of Moneyhub Financial Technology Limited or of any other group company.
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth