Re: [OAUTH-WG] [EXTERNAL] Rotating RTs and grace periods
Aaron Parecki <aaron@parecki.com> Tue, 02 November 2021 21:35 UTC
Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 609D53A0CCD for <oauth@ietfa.amsl.com>; Tue, 2 Nov 2021 14:35:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ewujJjYd5lww for <oauth@ietfa.amsl.com>; Tue, 2 Nov 2021 14:35:11 -0700 (PDT)
Received: from mail-il1-x129.google.com (mail-il1-x129.google.com [IPv6:2607:f8b0:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D5FC3A0CC7 for <oauth@ietf.org>; Tue, 2 Nov 2021 14:35:11 -0700 (PDT)
Received: by mail-il1-x129.google.com with SMTP id h2so459473ili.11 for <oauth@ietf.org>; Tue, 02 Nov 2021 14:35:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ugOP7NIXBhtzITFhp+zZWQQQbzyd7mO56yca5uT9qJQ=; b=WkxWnDxslFj74mrmZMVFpdr7FKcqHPYllnYpeFQEEviii4iw/TYl92QdQbIg7VUR/G XjHtgoNkHwHB1OhtALUcITJnJlSfA/YAC7X6YdHecIDmRMr74azMNaqe3PFtI8M/WB01 L2fvBX3F4ZztHkbiT0Yh2sLjpPqwuOXXQGOULa6l+dORaPVX+Y0CjUzu5nhzVFDIXNKf 5z90iyd1+pnTWLWNDRQWetjypl7KGfXScWXeFird6qkWoZSRuj6zftXq7szBkNdlQXJv Bb2pR+f5n3arjYTO4lXRKxaf7IyVG061oOgrxdLSNWoYomsKkYWM1Rzew+xz0KgMzWAm g2YA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ugOP7NIXBhtzITFhp+zZWQQQbzyd7mO56yca5uT9qJQ=; b=1PghpnHaTv7GQenEoVdtDPqGpcNrnXI+k0ZEsQwBzTpbGFEKC2jCJdbobUGLFs69qU yxvWJfYReI2lN0tRJO6a8dobkI8jEMvvu/XxnTxfASSxSOovUukPXlGUtkIybdEQ48m7 eM9LfFmGWuDbp7immAipFbiu8pwX13sB9tDHP2z6gxanZR0JkMwdN+8yeqHCUauyufSa vhLtEuojPIgUZLJI53a2KP4MtQC8lGpXfYiGQi+O97NBax5eqrOOhKy2h+B7mwDjFsFD SS/AVCfNRUp+ymSKGJslmCXiI/AqEEgmOZeQiTgNwOXgamW6ESWtvV1b2RQPIKjNT5oS MwKA==
X-Gm-Message-State: AOAM532hjELGodat5ECVtrkLZIDV1k5QkQYCa4F0sFlWqJ4lKk3yPB5e 06j4GRUefvwSbjj9XrBjkhLd98P0wsbRKw==
X-Google-Smtp-Source: ABdhPJzSdyH/kW7s61OoqYAliUbS+KUuZUSP7duW5/XfWpswBFcwDYfUMw/Pz9NQ+HduPk+hSmUGmg==
X-Received: by 2002:a92:b00c:: with SMTP id x12mr25992417ilh.37.1635888910245; Tue, 02 Nov 2021 14:35:10 -0700 (PDT)
Received: from mail-io1-f51.google.com (mail-io1-f51.google.com. [209.85.166.51]) by smtp.gmail.com with ESMTPSA id n4sm150342ili.10.2021.11.02.14.35.09 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 02 Nov 2021 14:35:09 -0700 (PDT)
Received: by mail-io1-f51.google.com with SMTP id e144so405704iof.3 for <oauth@ietf.org>; Tue, 02 Nov 2021 14:35:09 -0700 (PDT)
X-Received: by 2002:a05:6638:2385:: with SMTP id q5mr29816151jat.17.1635888909460; Tue, 02 Nov 2021 14:35:09 -0700 (PDT)
MIME-Version: 1.0
References: <76A1A85D-2DDC-4544-92B0-1723D3303408@forgerock.com> <AM7PR83MB0452C77D32B98A7409681699918B9@AM7PR83MB0452.EURPRD83.prod.outlook.com>
In-Reply-To: <AM7PR83MB0452C77D32B98A7409681699918B9@AM7PR83MB0452.EURPRD83.prod.outlook.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Tue, 02 Nov 2021 14:34:58 -0700
X-Gmail-Original-Message-ID: <CAGBSGjp1OKffzyzXeP=90DhHuPqq2-88TerzcBzySUWrL042Kw@mail.gmail.com>
Message-ID: <CAGBSGjp1OKffzyzXeP=90DhHuPqq2-88TerzcBzySUWrL042Kw@mail.gmail.com>
To: Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>
Cc: Neil Madden <neil.madden@forgerock.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000572c2d05cfd51163"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/S7EcjSChU0x7qklzRWLEtnuW7D4>
Subject: Re: [OAUTH-WG] [EXTERNAL] Rotating RTs and grace periods
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Nov 2021 21:35:16 -0000
The grace period is not about the refresh token lifetime, it's specifically about whether what would be a single-use refresh token can be used more than one time within a short window of the first use. Okta supports a configurable grace period per application that the customer can set, anywhere from 0 to 60 seconds. Personally I also agree with Neil that a grace period is not a good idea from the security aspect, but I do also see that we have a lot of customers who ask for this feature due to things like flaky mobile networks. I like the suggested text from Neil. I assume this would go into the Security BCP as well as OAuth 2.1? Aaron On Tue, Nov 2, 2021 at 7:09 AM Pieter Kasselman <pieter.kasselman= 40microsoft.com@dmarc.ietf.org> wrote: > Neil > > > > Is the goal to accommodate network latency or clock drift? It would be > helpful to include reasons for why a grace period should be considered if > it is allowed. > > > > Without knowing the reasons for the grace period it is not clear why a > grace period is a better solution than just extending the expiry time by a > set time (60 seconds in your example) and having the client present the > token a little earlier. > > > > If grace periods are allowed, it may be worth considering adding > additional mitigations against replay. For example, a grace period may be > allowed if the refresh token is sender constrained with DPoP so there is at > least some assurances that the request is originating from the sender > (especially if the nonce option is used with DPoP). > > > > I would worry about adding more complexity and less predictability by > adding grace periods though (e.g. by looking at a refresh token, will you > be able to tell if it can still be used or not), but your point that > implementors may solve for it in other less predictable ways raises a valid > point. > > > > Cheers > > > > Pieter > > > > *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Neil Madden > *Sent:* Tuesday 2 November 2021 10:29 > *To:* oauth <oauth@ietf.org> > *Subject:* [EXTERNAL] [OAUTH-WG] Rotating RTs and grace periods > > > > Hi all, > > > > There was a previous discussion on whether to allow a grace period during > refresh token rotation, allowing the client to retry a refresh if the > response fails to be received due to some transient network issue/timeout > [1]. Vittorio mentioned that Auth0 already implement such a grace period. > We (ForgeRock) currently do not, but we do periodically receive requests to > support this. The current security BCP draft is silent on whether > implementing such a grace period is a good idea, but I think we should add > some guidance here one way or another. > > > > My own opinion is that a grace period is not a good idea, and if it is to > be supported as an option then it should be kept as short as possible. The > reason (as I mentioned in the previous thread) is that it is quite easy for > an attacker to observe when a legitimate client performs a refresh flow and > so can easily sneak in their own request afterwards within the grace > period. There are several reasons why it is easy for an attacker to observe > this: > > > > - RT rotation is primarily intended for public clients, such as mobile > apps and SPAs. These clients are geographically distributed across the > internet, and so there is a good chance that the attacker is able to > observe the network traffic of at least some of these client instances. > > - The refresh flow is typically the only request that the client makes > directly to the AS after initial authorization, so despite the traffic > being encrypted it is very easy for an observer to determine that the > client is performing a refresh whenever it makes any connection to the AS. > > - As well as observing the request itself, an attacker may be able to > observe the DNS lookup for the AS hostname instead, which is even more > likely to be observable and also in plaintext most of the time. > > - An attacker in a position to steal RTs from e.g. localStorage, is > probably also in a good position to either observe when the legitimate > client refreshes or to actually force it to refresh early (e.g., by > deleting the corresponding AT from the same storage). > > > > I know some people argue that a grace period is a reasonable trade-off > between security and usability. But I think that this kind of attack would > be quite easy to carry out in practice for the reasons I suggest above, so > I think the security actually degrades extremely quickly if you allow a > grace period of any reasonable length. > > > > On the other hand, if we discourage this entirely then people may use > dubious workarounds instead (e.g., one proposal I’ve seen was to use an ID > token with the JWT Bearer grant, effectively turning the ID Token into an > ad-hoc RT with much fewer protections). > > > > As a strawman, what would people think of wording like the following: > > > > --- > > The AS MAY allow the original RT to be replayed for a short grace period > to allow the client to recover if the response is not received due to a > network problem or other transient issue. However, implementors should be > aware that an attacker may be able to easily observe when the legitimate > client makes a refresh request to the AS and so time their use of a stolen > RT to occur within the grace period. Any grace period MUST be kept as short > as possible, and MUST NOT exceed 60 seconds. Clients should prefer > sender-constrained refresh tokens if recovery from network issues is a > priority. > > — > > > > (The 60 seconds limit here is based on Auth0’s grace period). > > > > [1]: > https://mailarchive.ietf.org/arch/msg/oauth/WXwKxQM2poW7bqOOGGp4POYolFk/ > <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Foauth%2FWXwKxQM2poW7bqOOGGp4POYolFk%2F&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7Cbdb0969234774ba6f87608d99deba06c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637714457664531224%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=CDskCHwXxJxGdmudTW33gUT5f3%2B835uZDxyNEmKkiFc%3D&reserved=0> > > > > > Kind regards, > > > > Neil > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Rotating RTs and grace periods Neil Madden
- Re: [OAUTH-WG] [EXTERNAL] Rotating RTs and grace … Pieter Kasselman
- Re: [OAUTH-WG] [EXTERNAL] Rotating RTs and grace … Neil Madden
- Re: [OAUTH-WG] [EXTERNAL] Rotating RTs and grace … Aaron Parecki
- Re: [OAUTH-WG] [EXTERNAL] Rotating RTs and grace … David Waite
- Re: [OAUTH-WG] [EXTERNAL] Rotating RTs and grace … Karsten Meyer zu Selhausen