IETF Logo Mail Archive

Re: [OAUTH-WG] Certificate-bound refresh tokens and certificate expiration handling in case of the confidential clients

Jaimandeep Singh <jaimandeep.phdcs21@nfsu.ac.in> Fri, 12 August 2022 03:41 UTC

Return-Path: <jaimandeep.phdcs21@nfsu.ac.in>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4FB9C13CCCA for <oauth@ietfa.amsl.com>; Thu, 11 Aug 2022 20:41:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nfsu.ac.in
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8UaWpzeccl51 for <oauth@ietfa.amsl.com>; Thu, 11 Aug 2022 20:41:07 -0700 (PDT)
Received: from mail-lf1-x134.google.com (mail-lf1-x134.google.com [IPv6:2a00:1450:4864:20::134]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79863C13D06E for <oauth@ietf.org>; Thu, 11 Aug 2022 20:41:07 -0700 (PDT)
Received: by mail-lf1-x134.google.com with SMTP id f20so28022625lfc.10 for <oauth@ietf.org>; Thu, 11 Aug 2022 20:41:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nfsu.ac.in; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=VHKxCxAErxjZxjyD/LGhOE9hTwLjT+8d1astS0zKOx0=; b=AfSigVJEViq/6FfDpTg49rG6V4FoOz2hRMtUgF+oJjkKs7sFp77940B73VxR9Yaye4 UjoAzktTIDGxYtqDkvIRskFYTTpNA9/WaY2oJ2SEDx4ezlrXrnkvjY2kNgCw/hmc1Uql HFlQRN2KZh4SzpaKnoP/z3AtKcdb7Tb3ITHYc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=VHKxCxAErxjZxjyD/LGhOE9hTwLjT+8d1astS0zKOx0=; b=DBOi/y/li3ucEbBjNx/Hc1CdGVRc+44KGVtF5roXdRyzKpB5SpcNcWORLcaOmYKulr fwa57i1oHNUeG9uRUzn6Ii4Vo27J7jqpEC2h+SEzYsZfgaEmmyv6VFEjBZgT65ZVL4TV EIQN4vsCP9GCzk+V6gaqk90ix/noiXBVBaqXF4SBD8vy4k4igB/JUcrd8tdYyBh4zuQq zwk3vd+USJyDPCF1k5bW84J8FFunjLosusWqtjYe9ECuV+4OjgQ93WF+s12uxslmXkuJ yAqX5VIlDDBsHV8rQJR/vH6j5EFiVfWuVEZOO80IXcHLRFtl6r7I8hN6sluZhZyERRL/ 2E9A==
X-Gm-Message-State: ACgBeo3Q8FdYaWeNaRddFlDcPSrdY8+xp3YTnVi82Gn1pvzI5EJ5jomT h+9CR2kXRLQN8GY36lMc7qnlggVpzOIAXcM9zyE3dw==
X-Google-Smtp-Source: AA6agR4DaVM5pxUzcBu1332PjY4TrmelnYnS57khoIuLLs160jHmomIhqsNiV/i3UVTvHDBoFq+X8SZM+vl+ze1rcog=
X-Received: by 2002:a05:6512:3187:b0:48b:220f:9784 with SMTP id i7-20020a056512318700b0048b220f9784mr717755lfe.72.1660275665428; Thu, 11 Aug 2022 20:41:05 -0700 (PDT)
MIME-Version: 1.0
References: <006c01d8ad93$776364f0$662a2ed0$@association.ge> <007201d8ad94$710026b0$53007410$@association.ge> <CA+k3eCSzUaNiO=NpqT5284+JQK=fDK_uGP_QuD65M_J5oWdWzA@mail.gmail.com> <00c001d8adae$5f33ba90$1d9b2fb0$@association.ge>
In-Reply-To: <00c001d8adae$5f33ba90$1d9b2fb0$@association.ge>
From: Jaimandeep Singh <jaimandeep.phdcs21@nfsu.ac.in>
Date: Fri, 12 Aug 2022 09:10:52 +0530
Message-ID: <CAODMz5HZESoLP+ZfhgwLOmFWHo13AanrfchTBMubVU55CDSROg@mail.gmail.com>
To: mikheil@association.ge
Cc: Brian Campbell <bcampbell@pingidentity.com>, oauth@ietf.org
Content-Type: multipart/alternative; boundary="0000000000004481ba05e6030d75"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/LI38539QOuTkqqlPzQhIB6Li6nc>
Subject: Re: [OAUTH-WG] Certificate-bound refresh tokens and certificate expiration handling in case of the confidential clients
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Aug 2022 03:41:11 -0000

Hi Mikheil,
1. Well explained by Brain. I will just add my perspective.

> >From the practical perspective, if the confidential client got a refresh
> token for the offline access and sufficient time (e.g., for a month), this
> would be quite impractical and not very user-friendly to ask a lot of users
> to give consents again when the confidential client wants to upgrade its
> certificate. But seems like software vendors did not interpret the RFC that
> way.
>
For confidential clients, authorization code flow is recommended. It is a
two step process. In the first step you get the authorization code when the
user provides his/her consent. In the second step you use this
authorization code along with client credentials to obtain access tokens
and refresh tokens. If the refresh token expires either due to expiry of
its lifetime or certificate, it only needs to follow step two. So, the
question of asking for consent again does not arise unless the
authorization code itself has limited lifespan.

2.

> While RFC 8705 indeed requires binding refresh token to the certificate in
> case of the public clients in Section 4 and Section 7.1

The RFC 8705 talks about public clients and refresh tokens in the same
breath and seems to have legitimized the use of refresh tokens for public
clients. However, if we look at the original OAuth 2.0 specifications RFC
6749, Section 4.2, talks about implicit grant optimized for public clients.
It does not support issuing refresh tokens by AS in the first place. I
think there is a need to deliberate on this issue in the next update /
errata  for RFC 8705.

Regards and Best Wishes
Jaimandeep Singh


On Thu, Aug 11, 2022 at 11:46 PM <mikheil@association.ge> wrote:

> Hi Brian,
>
> Thanks for the prompt response. We will work with our vendors to get this
> done according to the RFC.
>
> Best Regards,
> Mikheil Kapanadze
>
> From: Brian Campbell <bcampbell@pingidentity.com>
> Sent: ხუთშაბათი, 11 აგვისტო, 2022 21:04
> To: mikheil@association.ge
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] Certificate-bound refresh tokens and certificate
> expiration handling in case of the confidential clients
>
> Hi Mikheil,
>
> Your assumption is the correct reading of the RFC. Or the intent of the
> RFC anyway. For confidential clients, refresh tokens are bound to the
> client id (not the certificate thumbprint or anything else for that matter).
>
> RFCs can't be changed after publication so adding more clarification isn't
> really possible.
>
>
>
> On Thu, Aug 11, 2022 at 9:11 AM <mailto:mikheil@association.ge> wrote:
> Hi,
>
> I have noticed is that some OAuth2 AS implementations use certificate
> thumbprints to bind not only access tokens but also refresh tokens to
> client
> certificates. This happens for both public and confidential clients. As a
> result, when the certificate is replaced (e.g., it is about to expire
> soon),
> both access and refresh tokens are drawn unusable.
>
> While RFC 8705 indeed requires binding refresh token to the certificate in
> case of the public clients in Section 4 and Section 7.1, the wording is not
> that explicit for the confidential clients. More specifically, Section 7.1
> of the RFC 8705 is worded in a way which does not explicitly deny keeping
> refresh tokens alive after certificate change: it talks about binding to
> client ID, thus binding "indirectly" to the certificate. Also, Section 6.3
> requires access tokens to be invalidated after certificate change and
> mentions refresh tokens as typical tools for renewing them.
>
> >From the practical perspective, if the confidential client got a refresh
> token for the offline access and sufficient time (e.g., for a month), this
> would be quite impractical and not very user-friendly to ask a lot of users
> to give consents again when the confidential client wants to upgrade its
> certificate. But seems like software vendors did not interpret the RFC that
> way.
>
> So, the questions:
> 1) Is my assumption correct and it will not be a violation of the RFC if
> refresh tokens issued to the confidential clients survive certificate
> change
> (e.g., by binding them to Client ID, not the certificate thumbprint)?
> 2) If the answer on the 1st question is “yes”, would it be better to
> provide
> more clarification in the section 7.1 to avoid misinterpretations in the
> future?
>
> Best Regards,
> Mikheil Kapanadze
>
>
>
> _______________________________________________
> OAuth mailing list
> mailto:OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged
> material for the sole use of the intended recipient(s). Any review, use,
> distribution or disclosure by others is strictly prohibited.  If you have
> received this communication in error, please notify the sender immediately
> by e-mail and delete the message and any file attachments from your
> computer. Thank you.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--
Regards and Best Wishes
Jaimandeep Singh
LinkedIn <http://www.linkedin.com/in/jaimandeep-singh-07834b1b7>

v2.23.0 | Report a Bug | By Email