Re: [OAUTH-WG] expires_in
Vittorio Bertocci <Vittorio@auth0.com> Tue, 18 December 2018 10:11 UTC
Return-Path: <vittorio.bertocci@auth0.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C9B4130E09 for <oauth@ietfa.amsl.com>; Tue, 18 Dec 2018 02:11:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auth0.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YREDNg5FgK5p for <oauth@ietfa.amsl.com>; Tue, 18 Dec 2018 02:11:23 -0800 (PST)
Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com [IPv6:2a00:1450:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A29011310F3 for <oauth@ietf.org>; Tue, 18 Dec 2018 02:11:22 -0800 (PST)
Received: by mail-lf1-x12a.google.com with SMTP id f23so11775507lfc.13 for <oauth@ietf.org>; Tue, 18 Dec 2018 02:11:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=auth0.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9LEFjllf1U7JIUq1XRs3Vri4ob5Jf4rgLvhCQ6nLji8=; b=P0rWYF/D5VkRWYnyvUIRGitS1tqu3HemEFThwrK1+Wm7K1CdzYj4uP9PH1fIY0niyy 0AV9nte6C1huuSFUQOyPBNrvvrLhrUPhxYdEXy6xxt2QcoHf8xQV0qCr1U8BMLYs420w jvPD2aSxr2vOOGtMmhv5iOhI3sVjGUWwj9DH+HHcdZroM26t4cKIIiWmqWvA7bXdHV+n mfk0ZTdnm4F2yQKBFbh1hqJYDiO/jTNDvlHho3lhNF7gdgtVVivf474rqhrVxIHG1ueX Z3lrUfXkoMz+1hNjrsqvyqYQxVbFFktmeRNqDD9f7RyHYfYKBIyzDc843s4Wjvsu4SvB qilw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9LEFjllf1U7JIUq1XRs3Vri4ob5Jf4rgLvhCQ6nLji8=; b=mAsdcQVW6vL5NTXU9V+Dxw2EiKRaV4hGIE8afkwvB8nkaVFkx11sbdQHxCxAXfVGVs E1kA/0UClG9M9HZ2Iq2jgwxBqp/RJxO1+ioADv6VeQr4DBGuIGULphGIRq6u6wQdk9Fk zXbDn/XUaS+BvFqITpqRWBflQd6sznbeffKRfhZpsBGWiY4GKdW7R1L95LmZZmP3ipXg EW1It+l9KcuBTyC06bdWKGITcBVRKxXpDb33PCk0is1UgHk0CbCND77tg7ltoDnh4QbM ZhIrPLd+ki1Km8/htOzpx1EHO//Sex8FI0LmCmom/yAI1AMwvPvQMvNGhsks2HTh21dB ohzQ==
X-Gm-Message-State: AA+aEWb41ZQvJ85JALp2iE2s6iGfc6g+yWne4rghBH+n/ygLWkLXJsh3 pGSqNu8IZg2cbTGqTqK3K559whVE0nxZNILJg6ME1Q==
X-Google-Smtp-Source: AFSGD/VKhsy9QFwrWOHZNx9nbICV99TVCWBE/r0Pm0sWx17+hllD+gBDe+Lg1jBI6kJctHkLgdyKSgpUBz3ZHqQkk8Y=
X-Received: by 2002:a19:1bd2:: with SMTP id b201mr9078986lfb.136.1545127880395; Tue, 18 Dec 2018 02:11:20 -0800 (PST)
MIME-Version: 1.0
References: <VI1PR0801MB2112D57E9871898418E0BF9EFABD0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <554D5147-3785-40DC-9C5A-188A72FC2354@forgerock.com>
In-Reply-To: <554D5147-3785-40DC-9C5A-188A72FC2354@forgerock.com>
From: Vittorio Bertocci <Vittorio@auth0.com>
Date: Tue, 18 Dec 2018 02:11:09 -0800
Message-ID: <CAO_FVe4zQf2Aw1Dv72Kh2ob9UQ7KJGDkS1oywRWv2jYg-hW3iw@mail.gmail.com>
To: neil.madden@forgerock.com
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, IETF oauth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000071a647057d491e19"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/aM6uRjzkHxXdAuPWIJ8eFOlzR5s>
Subject: Re: [OAUTH-WG] expires_in
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Dec 2018 10:11:25 -0000
It does sound like a best practice and nearly all the providers I've ever worked with do have an expiration for ATs, however there are counterexamples (most notably, dropbox <https://www.dropbox.com/developers/support#token-expiration>) and they seem to be doing fine so far. Do we know anyone on Dropbox that can comment on their use case and whether they'd see value in changing their current behavior? On Tue, Dec 18, 2018 at 1:42 AM Neil Madden <neil.madden@forgerock.com> wrote: > This is probably a best practice, but we should be careful to not oversell > the benefits. Unless you measure token lifetime in a small number of > seconds, then it’s doubtful that any realistic attack will be stopped by > this. It’s mostly useful at defending against opportunistic attacks - e.g. > a token accidentally gets logged, but the logs aren’t examined very often. > Sender-constrained/PoP tokens, avoiding passing tokens in URL parameters, > and so on are better defences against this kind of thing. > > There are two deployment scenarios when short-lived access token are > essential though: > > 1. If you are employing the “self-contained RS” model (no introspection > calls to the AS) and are using short-lived access tokens with a refresh > token to force the client to check in with the AS periodically to allow > token revocation. [1] > > 2. If you are using a blacklisting strategy to token revocation, in which > case having a short token lifetime limits the amount of time you need to > blacklist tokens for. > > On the other hand, is there ever a valid reason for having an access token > be valid for 10 years or so? > > [1] https://www.ietf.org/mail-archive/web/oauth/current/msg06687.html > > — Neil > > > On 18 Dec 2018, at 08:55, Hannes Tschofenig <Hannes.Tschofenig@arm.com> > wrote: > > > > Hi all, > > > > In a recent email conversation on the IETF ACE mailing list Ludwig Seitz > suggested that the expires_in claim in an access token should actually be > mandatory. > > Intuitively it feels like access tokens shouldn't have an unrestricted > lifetime. I am curious whether recommendations would be useful here. > > > > RFC 6819 talks about the expires_in claim and says: > > > > 3.1.2. Limited Access Token Lifetime > > > > The protocol parameter "expires_in" allows an authorization server > > (based on its policies or on behalf of the end user) to limit the > > lifetime of an access token and to pass this information to the > > client. This mechanism can be used to issue short-lived tokens to > > OAuth clients that the authorization server deems less secure, or > > where sending tokens over non-secure channels. > > > > draft-ietf-oauth-security-topics-10 only talks about refresh token > expiry. > > > > In OpenID Connect the expires_in claim is also optional. > > > > Ciao > > Hannes > > > > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose the > contents to any other person, use it for any purpose, or store or copy the > information in any medium. Thank you. > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] expires_in Hannes Tschofenig
- Re: [OAUTH-WG] expires_in Neil Madden
- Re: [OAUTH-WG] expires_in Vittorio Bertocci
- Re: [OAUTH-WG] expires_in David Waite
- Re: [OAUTH-WG] expires_in Ludwig Seitz
- Re: [OAUTH-WG] expires_in Chuck Mortimore