[OAUTH-WG] DPoP and refresh tokens
Dick Hardt <dick.hardt@gmail.com> Wed, 28 October 2020 20:46 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/W-BSd7g2zjq22k2-hzpOv8A-9x0>
Hello

I was reviewing the latest DPoP draft[1] and saw numerous mentions of using a DPoP proof for refreshing an access token, but no explicit description of how to do that, nor an example. Was this intentional? Perhaps a new section "Refreshing an Access Token"?

Additionally, I can imagine that an AS can improve its security posture by adding support for DPoP *just* to token refresh and not requiring existing resource servers to upgrade. Rotating refresh tokens would not be as critical for public clients using DPoP for token refresh.

Would using DPoP only for token refresh be appropriate? If so, language describing that would be helpful. :)

/Dick

[1] https://tools.ietf.org/html/draft-fett-oauth-dpop-04
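The refresh exchange the message asks to see written up, as an added example (Go, written for this page; it is not code from the DPoP draft, the OAuth working group or the message's author). The client signs a DPoP proof for a POST to the token endpoint and sends it with grant_type=refresh_token; the AS checks the proof's header, signature, htm/htu binding, iat freshness and jti uniqueness, then compares the refresh token's bound JWK thumbprint (jkt, RFC 7638) with the key that signed the proof. The refresh token is deliberately not rotated, which is the point the message raises: holding the token without the private key is not enough. The endpoint URL, token strings, jti values and the 60-second iat window are assumptions, and the access token returned is a constructed placeholder.

```go
package main

// Added example, not code from the DPoP draft or the post's author: a DPoP proof used
// only at the token endpoint for grant_type=refresh_token, plus the AS checks that make a
// stolen refresh token useless without the client's key. URL, tokens, iat window: assumed.
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
// JWK renders a P-256 public key as the proof's "jwk" header member (32-byte coordinates).
func JWK(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{"kty": "EC", "crv": "P-256",
		"x": b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		"y": b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}

// Thumbprint is the RFC 7638 jkt: SHA-256 of the required members in sorted order, which json.Marshal of the map gives.
func Thumbprint(pub *ecdsa.PublicKey) string {
	j, _ := json.Marshal(JWK(pub))
	h := sha256.Sum256(j)
	return b64.EncodeToString(h[:])
}

// NewProof is the client side: a JWS (typ dpop+jwt, alg ES256, key in header) over jti/htm/htu/iat, R||S signature.
func NewProof(priv *ecdsa.PrivateKey, htm, htu, jti string, iat time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]interface{}{"typ": "dpop+jwt", "alg": "ES256", "jwk": JWK(&priv.PublicKey)})
	clm, _ := json.Marshal(map[string]interface{}{"jti": jti, "htm": htm, "htu": htu, "iat": iat.Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(clm)
	d := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, d[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)), nil
}

// AuthServer: Bound maps each refresh token to the jkt recorded at issuance; SeenJTI holds accepted proof ids.
type AuthServer struct{ TokenURL string; Bound map[string]string; SeenJTI map[string]bool }

// Refresh handles grant_type=refresh_token with a DPoP proof; the token is not rotated, since using it needs the bound key.
func (srv *AuthServer) Refresh(refreshToken, proof string, now time.Time) (string, error) {
	p0, rest, _ := strings.Cut(proof, ".")
	p1, p2, ok := strings.Cut(rest, ".") // a fourth segment leaves a "." in p2, which then fails to decode
	hb, e1 := b64.DecodeString(p0)
	cb, e2 := b64.DecodeString(p1)
	sb, e3 := b64.DecodeString(p2)
	var h struct{ Typ, Alg string; JWK map[string]string } // encoding/json matches names case-insensitively
	var c struct{ JTI, HTM, HTU string; IAT int64 }
	if !ok || e1 != nil || e2 != nil || e3 != nil || len(sb) != 64 || json.Unmarshal(hb, &h) != nil || json.Unmarshal(cb, &c) != nil {
		return "", errors.New("malformed proof")
	}
	xb, _ := b64.DecodeString(h.JWK["x"])
	yb, _ := b64.DecodeString(h.JWK["y"])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	d := sha256.Sum256([]byte(p0 + "." + p1))
	switch {
	case h.Typ != "dpop+jwt" || h.Alg != "ES256" || h.JWK["kty"] != "EC" || h.JWK["crv"] != "P-256" || len(xb) != 32 || len(yb) != 32:
		return "", errors.New("unsupported header") // the header is attacker-controlled: pin typ, alg and key type
	case !ecdsa.Verify(pub, d[:], new(big.Int).SetBytes(sb[:32]), new(big.Int).SetBytes(sb[32:])):
		return "", errors.New("bad signature")
	case c.HTM != "POST" || c.HTU != srv.TokenURL:
		return "", errors.New("proof not bound to this token endpoint")
	case now.Unix()-c.IAT > 60 || c.IAT-now.Unix() > 60:
		return "", errors.New("iat outside acceptance window")
	case c.JTI == "" || srv.SeenJTI[c.JTI]:
		return "", errors.New("replayed proof")
	case srv.Bound[refreshToken] != Thumbprint(pub):
		return "", errors.New("refresh token not bound to the presented key")
	}
	srv.SeenJTI[c.JTI] = true
	return "at-" + c.JTI + "-" + srv.Bound[refreshToken][:8], nil // constructed access token for the demo
}

// Scenario runs one legitimate refresh and three misuses of the same refresh token; true means a token was issued.
func Scenario() map[string]bool {
	now := time.Now()
	client, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	thief, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srv := &AuthServer{TokenURL: "https://as.example/token", Bound: map[string]string{}, SeenJTI: map[string]bool{}}
	srv.Bound["rt-1"] = Thumbprint(&client.PublicKey) // bound when rt-1 was issued to this client
	try := func(p string, at time.Time) bool { _, err := srv.Refresh("rt-1", p, at); return err == nil }
	good, _ := NewProof(client, "POST", srv.TokenURL, "j1", now)
	other, _ := NewProof(thief, "POST", srv.TokenURL, "j2", now) // thief holds rt-1 but not the key
	stale, _ := NewProof(client, "POST", srv.TokenURL, "j4", now.Add(-10*time.Minute))
	legit := try(good, now) // consumes jti j1, so presenting the same proof again is a replay
	return map[string]bool{"legit": legit, "replay": try(good, now), "stolen_rt": try(other, now), "stale_iat": try(stale, now)}
}
func main() { fmt.Println(Scenario()) }
```

Running the block prints the Scenario map: only "legit" is true; replaying the accepted proof, presenting the stolen refresh token under another key, and a proof outside the iat window are all refused. Two ordering choices matter: typ, alg and key type are pinned before any signature check, because the header is attacker-controlled, and the jti is recorded only after every other check passes, so only successful refreshes consume a jti.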