Re: [OAUTH-WG] Lifetime of refresh token

Bill Mills <wmills_92105@yahoo.com> Mon, 24 August 2015 17:01 UTC

Date: Mon, 24 Aug 2015 17:01:10 +0000
From: Bill Mills <wmills_92105@yahoo.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Donghwan Kim <flowersinthesand@gmail.com>
Message-ID: <1261043119.9433875.1440435670047.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com>
References: <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/b4RigTrS_KAli5k1nF4khNvTGmU>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Lifetime of refresh token

You could have a refresh token that never expires. Having to use the refresh token to get a new access token gives you a single control point to allow checking whether that refresh token should still be valid. That means the RS doesn't have to do that stuff.


On Monday, August 24, 2015 8:09 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:

I think Nat's diagram about the problems of doing pseudo authentication with OAuth is being taken out of context.

The refresh token doesn't expire, it is revoked by the user or system. In some cases refresh tokens are automatically revoked if the user's session to the AS ends. I think AOL typically revokes refresh tokens when sessions terminate.

OpenID Connect provides a separate id_token with an independent lifetime from the refresh token. A client may keep a refresh token for a much longer time than the user has a login session with the AS.

Refresh tokens are typically used by confidential clients that are using a client secret in combination with the refresh token for getting a new access token.

By design access tokens should be short lived as the AS is expected to have a way of revoking refresh tokens but not access tokens. An access token that doesn't expire and can't be revoked is not a good idea.

John B.


On Aug 24, 2015, at 2:41 AM, Donghwan Kim <flowersinthesand@gmail.com> wrote:
Hi,

According to Figure 2 from http://tools.ietf.org/html/rfc6749#section-1.5, a refresh token can be used to refresh an expired access token without requiring the resource owner to sign in again (an uncomfortable experience). However, if that's true, couldn't a refresh token be used to request a new access token even years later? And then isn't a refresh token the same as an access token which never expires?

I intended to use a refresh token to implement persistent login by sending a refresh request before the issued access token expires (expires_in runs out). But if a refresh token works even if the access token has already expired, sending a refresh request on application start-up would be enough.

So I'm not sure what I'm missing about refresh tokens, or how to implement persistent login using one (you can regard authentication here as the pseudo-authentication illustrated in https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg). What is the lifetime of a refresh token?

Thanks,
-- Donghwan



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
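As an added illustration of the semantics discussed in this thread (constructed example code, not from any poster, RFC 6749, or any real authorization server): a toy AS whose refresh tokens carry no expiry and stay valid until revoked, where the refresh request is the single control point that checks client credentials, revocation, and session state, while access tokens are short-lived and simply expire. The class and method names (AuthorizationServer, end_session, ACCESS_TOKEN_TTL) are assumptions made for this example.

```python
import secrets
import time

ACCESS_TOKEN_TTL = 600  # seconds; access tokens stay short-lived because the AS cannot revoke them


class AuthorizationServer:
    """Constructed toy AS: refresh tokens have no expiry and live until revoked;
    the refresh request is the single control point where validity is checked."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable clock so tests can simulate time passing
        self.clients = {}           # client_id -> client_secret (confidential clients)
        self.refresh_tokens = {}    # token -> record; record["revoked"] flips on revocation
        self.access_tokens = {}     # token -> expiry timestamp (never revoked, only expires)

    def register_client(self, client_id, client_secret):
        self.clients[client_id] = client_secret

    def issue_refresh_token(self, client_id, session_id):
        token = secrets.token_urlsafe(32)
        self.refresh_tokens[token] = {"client_id": client_id, "session": session_id, "revoked": False}
        return token

    def revoke_refresh_token(self, token):
        # User- or system-initiated revocation: the only way a refresh token stops working.
        if token in self.refresh_tokens:
            self.refresh_tokens[token]["revoked"] = True

    def end_session(self, session_id):
        # Policy some deployments apply: refresh tokens bound to a login session die with it.
        for rec in self.refresh_tokens.values():
            if rec["session"] == session_id:
                rec["revoked"] = True

    def access_token_valid(self, token):
        exp = self.access_tokens.get(token)
        return exp is not None and self.clock() < exp

    def refresh(self, client_id, client_secret, refresh_token):
        # A confidential client must authenticate with its secret on every refresh.
        if not secrets.compare_digest(self.clients.get(client_id, ""), client_secret):
            return {"error": "invalid_client"}
        rec = self.refresh_tokens.get(refresh_token)
        # Validity check: exists, not revoked, bound to this client. There is no expiry test.
        if rec is None or rec["revoked"] or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        access = secrets.token_urlsafe(32)
        self.access_tokens[access] = self.clock() + ACCESS_TOKEN_TTL
        return {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_TOKEN_TTL}
```

Advancing the clock past expires_in shows the question raised in the thread directly: the old access token stops validating, but the same refresh token still yields a new one until it is revoked or its session ends.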