[OAUTH-WG] OAuth security BCP: Lifetime of authorization codes

Joseph Heenan <joseph@authlete.com> Wed, 21 September 2022 08:38 UTC

From: Joseph Heenan <joseph@authlete.com>
Date: Wed, 21 Sep 2022 09:38:51 +0100
To: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/L7GX7kwlrKauoOyRqtnYrwC0LuY>
Subject: [OAUTH-WG] OAuth security BCP: Lifetime of authorization codes

Hi all

I couldn't find any text in the current BCP document about the lifetime of authorization codes; do people think that this may be worth mentioning?

The only guidance I could find on authorization code lifetimes is RFC 6749, 4.1.2:

"A maximum authorization code lifetime of 10 minutes is RECOMMENDED."

Feedback from some vendors (on the FAPI WG) seemed to be that they default to shorter lifetimes these days.

Shorter lifetimes seem like they can prevent various attacks, particularly if the AS isn't enforcing single use of authorization codes.


(I raised this at https://github.com/oauthstuff/draft-ietf-oauth-security-topics/issues/50 too, but forgot to email this list at the time)

Thanks

Joseph
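As an added illustration of the two controls the message discusses (this is example code, not part of the mailing-list thread or of any particular authorization server), an AS-side authorization-code store that enforces both a configurable lifetime, defaulting to the 10-minute RFC 6749 recommendation, and single use, treating a second redemption as a replay. The `clock` parameter and the status strings are assumptions made here for testability.

```python
import secrets
import time
from dataclasses import dataclass

# RFC 6749 section 4.1.2: a maximum lifetime of 10 minutes is RECOMMENDED.
DEFAULT_CODE_LIFETIME_SECONDS = 600


@dataclass
class CodeRecord:
    client_id: str
    redirect_uri: str
    issued_at: float
    redeemed: bool = False


class AuthorizationCodeStore:
    """Issues and redeems authorization codes with lifetime and single-use checks."""

    def __init__(self, lifetime=DEFAULT_CODE_LIFETIME_SECONDS, clock=time.time):
        self.lifetime = lifetime    # seconds; deployments often choose shorter than 600
        self.clock = clock          # injectable clock (assumption, for tests)
        self._codes = {}

    def issue(self, client_id, redirect_uri):
        # High-entropy, unguessable code bound to the client and redirect URI.
        code = secrets.token_urlsafe(32)
        self._codes[code] = CodeRecord(client_id, redirect_uri, self.clock())
        return code

    def redeem(self, code, client_id, redirect_uri):
        """Return 'ok', 'expired', 'replay' or 'invalid_grant' for a token request."""
        rec = self._codes.get(code)
        if rec is None:
            return "invalid_grant"
        if self.clock() - rec.issued_at > self.lifetime:
            del self._codes[code]          # lifetime check bounds the exposure window
            return "expired"
        if rec.redeemed:
            # Single-use check: a second redemption is a replay. RFC 6749 4.1.2 says the
            # AS SHOULD revoke tokens previously issued from this code; the caller
            # would trigger that revocation on this status.
            del self._codes[code]
            return "replay"
        if rec.client_id != client_id or rec.redirect_uri != redirect_uri:
            return "invalid_grant"       # code bound to another client/redirect URI
        rec.redeemed = True
        return "ok"
```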