Re: [OAUTH-WG] Refresh tokens security enhancement
Allen Tom <atom@yahoo-inc.com> Mon, 03 May 2010 16:56 UTC
Return-Path: <atom@yahoo-inc.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B73A43A6A1F for <oauth@core3.amsl.com>; Mon, 3 May 2010 09:56:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.982
X-Spam-Level:
X-Spam-Status: No, score=-14.982 tagged_above=-999 required=5 tests=[AWL=0.017, BAYES_50=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qKP8WdKenyYQ for <oauth@core3.amsl.com>; Mon, 3 May 2010 09:56:42 -0700 (PDT)
Received: from mrout2.yahoo.com (mrout2.yahoo.com [216.145.54.172]) by core3.amsl.com (Postfix) with ESMTP id F151C3A695C for <oauth@ietf.org>; Mon, 3 May 2010 09:56:41 -0700 (PDT)
Received: from SNV-EXBH01.ds.corp.yahoo.com (snv-exbh01.ds.corp.yahoo.com [207.126.227.249]) by mrout2.yahoo.com (8.13.6/8.13.6/y.out) with ESMTP id o43GtoJG058125; Mon, 3 May 2010 09:55:50 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; s=serpent; d=yahoo-inc.com; c=nofws; q=dns; h=received:user-agent:date:subject:from:to:message-id: thread-topic:thread-index:in-reply-to:mime-version:content-type: content-transfer-encoding:x-originalarrivaltime; b=1Jf5bqESAA6sS9bU0YdCp1Hgn7kdwvSXSvkADziHyvBhwOAEOoX3QEqAag4UHMe4
Received: from SNV-EXVS03.ds.corp.yahoo.com ([207.126.227.235]) by SNV-EXBH01.ds.corp.yahoo.com with Microsoft SMTPSVC(6.0.3790.4675); Mon, 3 May 2010 09:55:50 -0700
Received: from 10.72.76.149 ([10.72.76.149]) by SNV-EXVS03.ds.corp.yahoo.com ([207.126.227.239]) via Exchange Front-End Server snv-webmail.corp.yahoo.com ([207.126.227.60]) with Microsoft Exchange Server HTTP-DAV ; Mon, 3 May 2010 16:55:50 +0000
User-Agent: Microsoft-Entourage/12.24.0.100205
Date: Mon, 03 May 2010 09:55:48 -0700
From: Allen Tom <atom@yahoo-inc.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>, "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Message-ID: <C8044E24.2DAD6%atom@yahoo-inc.com>
Thread-Topic: [OAUTH-WG] Refresh tokens security enhancement
Thread-Index: Acrq4XqqY1ZPjObFVEKT0/pP5SXSiA==
In-Reply-To: <4BDDBAF8.8060807@lodderstedt.net>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
X-OriginalArrivalTime: 03 May 2010 16:55:50.0215 (UTC) FILETIME=[7BFC3D70:01CAEAE1]
Subject: Re: [OAUTH-WG] Refresh tokens security enhancement
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 May 2010 16:56:42 -0000
Hi Torsten, Thanks for posting this idea - I think that issuing a new Refresh Token (and invalidating the old one) on every refresh request would help detect token theft. HOWEVER - in practice, this mechanism could make implementations very tricky. For example, some applications are highly distributed, with each instance (or component) having its own copy of the Refresh Token. Keeping the Refresh Token in sync would not really be feasible for these types of apps. Invalidating the Refresh Token (and presumably also invalidating any outstanding Access Tokens) would make sense as an option for applications that require a high level of security. However, I do not think that invalidating the Refresh Token on every Refresh request should be required in the spec - it should be an implementation specific detail. At Yahoo, we've used the Refresh Flow for all of our proprietary authorization APIs for many years, and I know of several applications which would break if the Refresh Token (and Access Token) were invalidated on every refresh request. Off the top of my head, I know of server based apps, mobile apps, and desktop apps which are composed of several components which asynchronously and independently keep their own copies of the user's credentials. Thanks Allen On 5/2/10 10:48 AM, "Torsten Lodderstedt" <torsten@lodderstedt.net> wrote: > We came up with the following idea: > > The authorization server automatically creates a new refresh token with > every "refresh" request (section 4) and invalidated the previous refresh > token. The client must use this new token for the next "refresh" > request. All attempts to obtain access tokens with an invalidated > refresh token are refused. Additionally, the authorization server should > hold a history of when the refresh token has been used. The client > application behavior depends on who uses the refresh token first after > it has been stolen.
- Re: [OAUTH-WG] Refresh tokens security enhancement Marius Scurtescu
- [OAUTH-WG] Refresh tokens security enhancement Torsten Lodderstedt
- Re: [OAUTH-WG] Refresh tokens security enhancement Allen Tom
- Re: [OAUTH-WG] Refresh tokens security enhancement Torsten Lodderstedt
- Re: [OAUTH-WG] Refresh tokens security enhancement Torsten Lodderstedt
- Re: [OAUTH-WG] Refresh tokens security enhancement Eran Hammer-Lahav
- Re: [OAUTH-WG] Refresh tokens security enhancement Torsten Lodderstedt
- Re: [OAUTH-WG] Refresh tokens security enhancement Eran Hammer-Lahav