[OAUTH-WG] Refresh tokens

"Bart Wiegmans" <bart@all4students.nl> Mon, 28 November 2011 15:12 UTC

Date: Mon, 28 Nov 2011 16:12:46 +0100
From: Bart Wiegmans <bart@all4students.nl>
To: oauth WG <oauth@ietf.org>
Subject: [OAUTH-WG] Refresh tokens

Hello everybody,

This is my first post on this mailing list, so I will introduce myself.
My name is Bart Wiegmans, I work in Groningen, the Netherlands. I am
involved with OAuth2 because I am implementing an authorization server
for my employer, all4students / studenten.net.

I have a few remarks about refresh tokens.

1. The way I understand it, they are a way to limit the impact of access
token exposure. Which I find desirable.
2. However, they can also be seen as credentials for an access token
request. In which case, refresh token exposure is a more serious risk
than access token exposure.
3. Are there, or will there ever be, multiple refresh token types as
there are access token types?
4. Can a public client use refresh tokens at all, or is this
meaningless? If not, are public clients that are installed on a user's
computer or smartphone required to re-authorise every time an access
token expires? (This would be undesirable). Should they request
long-lived access tokens?

About MAC tokens, I wonder about the practicality of public (JavaScript)
clients using them as a token type.

With kind regards,
Bart Wiegmans | Developer
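The following is an added example, not code from the post above or from all4students' authorization server. It sketches the refresh-token grant on the authorization-server side in a way that speaks to points 1, 2 and 4: access tokens are short-lived, the refresh token is treated as the credential for the refresh request (so a confidential client must also present its secret, while a public client gets no secret and the token is instead bound to its client_id), and each refresh token is single-use and rotated, with any replay of an already-rotated token revoking the whole token family. The rotation and reuse-detection behaviour is an assumption borrowed from later OAuth hardening guidance, not something the message itself proposes; the in-memory stores, the `AuthorizationServer` class, the client ids and the 600-second lifetime are all constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass, field

# Short access-token lifetime (constructed value): limits how long an exposed
# access token is useful, which is point 1 of the message.
ACCESS_TOKEN_LIFETIME = 600


@dataclass
class RefreshRecord:
    client_id: str
    family: str            # every token descending from one authorisation shares a family id
    rotated: bool = False  # True once this refresh token has been exchanged for a successor


@dataclass
class AuthorizationServer:
    # client_id -> client_secret, or None for a public client that has no secret to keep
    clients: dict
    access_tokens: dict = field(default_factory=dict)   # access token -> (client_id, family, expiry)
    refresh_tokens: dict = field(default_factory=dict)  # refresh token -> RefreshRecord
    revoked_families: set = field(default_factory=set)

    def _issue_pair(self, client_id, family):
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self.access_tokens[access] = (client_id, family, time.time() + ACCESS_TOKEN_LIFETIME)
        self.refresh_tokens[refresh] = RefreshRecord(client_id, family)
        return {"access_token": access, "refresh_token": refresh,
                "expires_in": ACCESS_TOKEN_LIFETIME}

    def grant(self, client_id):
        """Initial issuance after the user has authorised; starts a new token family."""
        if client_id not in self.clients:
            raise ValueError("invalid_client")
        return self._issue_pair(client_id, secrets.token_hex(8))

    def refresh(self, client_id, refresh_token, client_secret=None):
        """Refresh-token grant: returns a new token pair or raises ValueError with
        the OAuth error code the server would send back."""
        if client_id not in self.clients:
            raise ValueError("invalid_client")
        expected_secret = self.clients[client_id]
        # Confidential clients authenticate with their secret in addition to the
        # refresh token; public clients cannot, so the refresh token alone is the
        # credential (point 2) and is therefore bound to the client_id below.
        if expected_secret is not None and not secrets.compare_digest(
                expected_secret, client_secret or ""):
            raise ValueError("invalid_client")
        record = self.refresh_tokens.get(refresh_token)
        if record is None or record.client_id != client_id:
            raise ValueError("invalid_grant")
        if record.family in self.revoked_families:
            raise ValueError("invalid_grant")
        if record.rotated:
            # A refresh token that was already exchanged is being presented again.
            # Either the legitimate client or someone holding a copy is out of sync;
            # revoke the whole family so the exposure is contained and the user has
            # to authorise again (assumed mitigation, not from the message).
            self.revoked_families.add(record.family)
            raise ValueError("invalid_grant")
        record.rotated = True
        return self._issue_pair(client_id, record.family)

    def access_token_valid(self, access_token):
        """Resource-server side check: unexpired and not part of a revoked family."""
        entry = self.access_tokens.get(access_token)
        if entry is None:
            return False
        _client_id, family, expiry = entry
        return family not in self.revoked_families and expiry > time.time()


if __name__ == "__main__":
    # Constructed clients: one confidential web app, one public mobile app.
    srv = AuthorizationServer(clients={"web-app": "s3cret", "mobile-app": None})
    first = srv.grant("mobile-app")
    second = srv.refresh("mobile-app", first["refresh_token"])
    print("public client refreshed without re-authorising:",
          srv.access_token_valid(second["access_token"]))
    try:
        srv.refresh("mobile-app", first["refresh_token"])  # replay of the rotated token
    except ValueError as err:
        print("replay rejected with", err, "; family revoked:",
              not srv.access_token_valid(second["access_token"]))
```

With this shape a public client installed on a phone keeps a refresh token and never needs the user to re-authorise merely because the access token expired, while an attacker who copies that refresh token can use it at most once before the mismatch is noticed and the family is revoked.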