Re: [OAUTH-WG] Refresh tokens security enhancement

Allen Tom <> Mon, 03 May 2010 16:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B73A43A6A1F for <>; Mon, 3 May 2010 09:56:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.982
X-Spam-Status: No, score=-14.982 tagged_above=-999 required=5 tests=[AWL=0.017, BAYES_50=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id qKP8WdKenyYQ for <>; Mon, 3 May 2010 09:56:42 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id F151C3A695C for <>; Mon, 3 May 2010 09:56:41 -0700 (PDT)
Received: from ( []) by (8.13.6/8.13.6/y.out) with ESMTP id o43GtoJG058125; Mon, 3 May 2010 09:55:50 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; s=serpent;; c=nofws; q=dns; h=received:user-agent:date:subject:from:to:message-id: thread-topic:thread-index:in-reply-to:mime-version:content-type: content-transfer-encoding:x-originalarrivaltime; b=1Jf5bqESAA6sS9bU0YdCp1Hgn7kdwvSXSvkADziHyvBhwOAEOoX3QEqAag4UHMe4
Received: from ([]) by with Microsoft SMTPSVC(6.0.3790.4675); Mon, 3 May 2010 09:55:50 -0700
Received: from ([]) by ([]) via Exchange Front-End Server ([]) with Microsoft Exchange Server HTTP-DAV ; Mon, 3 May 2010 16:55:50 +0000
User-Agent: Microsoft-Entourage/
Date: Mon, 03 May 2010 09:55:48 -0700
From: Allen Tom <>
To: Torsten Lodderstedt <>, "OAuth WG (" <>
Message-ID: <>
Thread-Topic: [OAUTH-WG] Refresh tokens security enhancement
Thread-Index: Acrq4XqqY1ZPjObFVEKT0/pP5SXSiA==
In-Reply-To: <>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
X-OriginalArrivalTime: 03 May 2010 16:55:50.0215 (UTC) FILETIME=[7BFC3D70:01CAEAE1]
Subject: Re: [OAUTH-WG] Refresh tokens security enhancement
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 03 May 2010 16:56:42 -0000

Hi Torsten,

Thanks for posting this idea - I think that issuing a new Refresh Token (and
invalidating the old one) on every refresh request would help detect token

HOWEVER - in practice, this mechanism could make implementations very
tricky. For example, some  applications are highly distributed, with each
instance (or component) having its own copy of the Refresh Token. Keeping
the Refresh Token in sync would not really be feasible for these types of

Invalidating the Refresh Token (and presumably also invalidating any
outstanding Access Tokens) would make sense as an option for applications
that require a high level of security. However, I do not think that
invalidating the Refresh Token on every Refresh request should be required
in the spec - it should be an implementation specific detail.

At Yahoo, we've used the Refresh Flow for all of our proprietary
authorization APIs for many years, and I know of several applications which
would break if the Refresh Token (and Access Token) were invalidated on
every refresh request. Off the top of my head, I know of server based apps,
mobile apps, and desktop apps which are composed of several components which
asynchronously and independently keep their own copies of the user's


On 5/2/10 10:48 AM, "Torsten Lodderstedt" <> wrote:

> We came up with the following idea:
> The authorization server automatically creates a new refresh token with
> every "refresh" request (section 4) and invalidated the previous refresh
> token. The client must use this new token for the next "refresh"
> request. All attempts to obtain access tokens with an invalidated
> refresh token are refused. Additionally, the authorization server should
> hold a history of when the refresh token has been used. The client
> application behavior depends on who uses the refresh token first after
> it has been stolen.