IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth2 Implementation questions (client secret and refresh tokens)

William Mills <wmills@yahoo-inc.com> Wed, 07 September 2011 22:25 UTC

Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AB4821F8E23 for <oauth@ietfa.amsl.com>; Wed, 7 Sep 2011 15:25:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.385
X-Spam-Level:
X-Spam-Status: No, score=-17.385 tagged_above=-999 required=5 tests=[AWL=0.213, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2zJK2MlQbI-s for <oauth@ietfa.amsl.com>; Wed, 7 Sep 2011 15:25:50 -0700 (PDT)
Received: from web31816.mail.mud.yahoo.com (web31816.mail.mud.yahoo.com [68.142.206.169]) by ietfa.amsl.com (Postfix) with SMTP id B5CCC21F8E17 for <oauth@ietf.org>; Wed, 7 Sep 2011 15:25:50 -0700 (PDT)
Received: (qmail 78697 invoked by uid 60001); 7 Sep 2011 22:27:35 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1315434455; bh=BAFpB/BAydmMadzzQmHqjpyStxGCF2AoEjNM9I8ufgs=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=CO84wbFoSR+nBxmZ9x/MKiy5utQGUZ2CUnY15zT24eEjZM4G0E+T082Cw8AkZKHxrF9l1uHmkaPGf8geBw0q614AfmhZ4T4EbzsWlWZ7oZAxW13NiKLncO3mf0C0zUICYbYawHHRcurbjqXG6SY97y5USSQr0qQUBMKBoOwNy3Q=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=Aa45ZHVP45Xt5JDye2R0sdDHgg5G9Mxy7CGA0RQcRTudzdreT8Tbncyrkg3n1r8CoMdkoYuupANbhMV4OMm2v1sCPx++Ua6K9jOrctYQZjjve3WL9fJJDg89d4zJbbZTy3jHIK6qQ9iGPh0gP4NVQXvvl+3PyCLtkPQYbkwlrB8=;
X-YMail-OSG: IMnOSAIVM1mFB81aECrWmGf8nx.OodUs.0oMP3ujGYo9UdO XHGC5q5SiIMg7NTF30gCLXsrDLakZGD1w72GlgvhMCTVQkAJ93xe78tT6qaG kXbUONxKrlTUpA8tAxD2K5mfaQNd9j_0Kkfs4iyXjJj8pg2RdwHzC3kGwh8d F.52qsObracXbMJgFK2GMomLd5UzyOho5GqfoE4uw695ecloZaAkdL0lO9iO 1YJnjkENnpDJP4BA.nRqL251lPRi_fm8yXjH5oXk9UrZAXd69pWzv2MFLpcy guKvewW1lt88zkMbBh0etW3BCV.MJsrWiuGSWOr1esxp2bBBloyZh_qMXu6j faggWVU.oSLPAEv.HcJiYdSHaHjAez9BlLrA2CeSY3_hm1STP0LJ9IaiuoLJ f_nfJzl2of4AGDolL_IELW7tPgv5pVnW9RuRBTfWMSEbxRqXwutLdcy2VNUk KkPty8WxVIF2hWirdZfKIKyJ8g8yR4f5tB5elNKC_Q6As1PTcWXXAsTUxLtH fidM-
Received: from [209.131.62.115] by web31816.mail.mud.yahoo.com via HTTP; Wed, 07 Sep 2011 15:27:34 PDT
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.113.313619
References: <CAGyXixwZhMMTzWPrMeWQZEz0v_9WYGwPVByGfPAxGnAthf=3Ng@mail.gmail.com> <CAGyXixzH6uwf72ons1UE2-yKfx=TK-bSBSpN5TzmcJNPVcbxKg@mail.gmail.com>
Message-ID: <1315434454.76681.YahooMailNeo@web31816.mail.mud.yahoo.com>
Date: Wed, 07 Sep 2011 15:27:34 -0700
From: William Mills <wmills@yahoo-inc.com>
To: Dave Rochwerger <daver@quizlet.com>, "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <CAGyXixzH6uwf72ons1UE2-yKfx=TK-bSBSpN5TzmcJNPVcbxKg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1244837766-1315434454=:76681"
Cc: Quizlet Dev Team <devteam@quizlet.com>
Subject: Re: [OAUTH-WG] OAuth2 Implementation questions (client secret and refresh tokens)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Sep 2011 22:25:52 -0000

I'll talk to the refresh token question:  they give you a hook for extensibility and key rotation.  If you want to rotate your encryption keys or extend the data carried in the token in any way then you want to be able to cleanly refresh your tokens.  Note that the refresh flow allows you to issue a new refresh token at the same time.  It also allows a clean path to convert tokens in a new client if you decide you want SAML tokens instead of MAC for example.

If you want those things you want to use refresh tokens.  You can have long lived access tokens too, and just use the refresh tokens when you want to do something new with the access tokens.


-bill



________________________________
From: Dave Rochwerger <daver@quizlet.com>
To: oauth@ietf.org
Cc: Quizlet Dev Team <devteam@quizlet.com>
Sent: Wednesday, September 7, 2011 2:15 PM
Subject: [OAUTH-WG] OAuth2 Implementation questions (client secret and refresh tokens)


Hi all,

I have been implementing OAuth2 based on the various drafts for our new API. Initially, I implemented everything as per the spec, but due to our particular scenario and restrictions we have in place, there are some fundamental questions that I am unable to defend.

I am hoping this group could help answer them for me.

Our scenario:
==========
* We are implementing an API to allow 3rd party developers to access users' protected resources via their applications. The applications will mostly be native phone apps, but some will have web server backends (javascript-only applications are not a concern at the moment).
* We want to provide very long-lived (forever) tokens.
* We are implementing the "authorization code" flow as that seems best suited to us (we don't want the implicit flow because end-users would have to re-authorize every hour).

Our architecture:
============
* We control both the API server and the authorization server.
* All requests to protected resources (ie: to the API server) are always done over SSL.
* All requests to the authz server (token and authorize endpoints) are always done over SSL.
* We enforce that every client must supply the state parameter (and our guidelines say they must verify the state for CSRF mitigation).
* We enforce that every client must register a redirect URI.
* We validate the redirect_uri used to request an access token is the same that was used to obtain the auth code.
* The only time a request is not made over SSL is the redirect with the auth_code which is very short-lived (30 seconds) and is tied to a verified redirect URI.
* We enforce that access tokens must be provided using the Authorization header only (and of course, over SSL).
* We have guidelines saying that all mobile apps must use the native browser (and not an embedded web UI).

Questions:
========
1. Given the above scenario, what use are refresh tokens?
  - Access tokens can not leak because every request (to resource and authz server) containing an access token is done over SSL. We control both the authz and resource servers, so tokens in logs (and other suggested reasons in the archives) are not an issue.
  - Long-lived refresh tokens and short-lived access tokens are supposed to provide security due to possible access token leakage... but in our 100% SSL scenario, if access tokens are able to leak, then so would the client id, secret and refresh token.
  - Having a long-lived refresh token that can be exchanged for another access token adds a level of complexity (a second HTTPS request every so often) and seems to provide no benefit for our case.


2. What is the point of the client secret (in our scenario)? - We originally were treating the clients as confidential, but after re-reading the native-application section, it seems we really should treat them as public (phone apps can be decompiled and the secret discovered).
- The spec says that the authz server should authenticate confidential clients, but public clients are allowed to just send their public client id (and no secret).
- The only verification then, is to enforce redirect URI registration and to validate the redirect URI between authorization and token steps.
So, the question is, assuming that we, one: "enforce redirect-URI registration" and two: "validate that URI" - why can't we treat all clients as public and not worry about a secret?
What is the benefit of having confidential clients (and a secret) at all? 


Our API source is not available, but the oauth2 server implementation can be seen here: https://github.com/quizlet/oauth2-php

Regards,
Dave

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email