Re: [OAUTH-WG] Lifetime of refresh token

Jim Manico <jim@manicode.com> Mon, 24 August 2015 15:12 UTC

From: Jim Manico <jim@manicode.com>
In-Reply-To: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com>
Date: Mon, 24 Aug 2015 09:12:35 -0600
Message-Id: <0319D202-789F-448B-823C-A538309B4F7E@manicode.com>
References: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com>
To: Donghwan Kim <flowersinthesand@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/b4UUwTLyiwJZL_e40JgCnu6KhAM>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Lifetime of refresh token

There is a good debate and discussion on refresh tokens on StackOverflow. 

http://stackoverflow.com/questions/3487991/why-does-oauth-v2-have-both-access-and-refresh-tokens

Is this a good place to send developers to answer refresh token questions, and if not, can the illustrious smart people on this list update StackOverflow if necessary?

Aloha,
--
Jim Manico
@Manicode
(808) 652-3805

> On Aug 23, 2015, at 11:41 PM, Donghwan Kim <flowersinthesand@gmail.com> wrote:
> 
> Hi,
> 
> According to Figure 2 from http://tools.ietf.org/html/rfc6749#section-1.5, a refresh token can be used to refresh an expired access token without requesting that the resource owner sign in again (an uncomfortable experience). However, if that's true, isn't it the case that a refresh token might be used to request a new access token even years later? And then isn't a refresh token the same as an access token which never expires?
> 
> I intended to use the refresh token to implement persistent login by sending a refresh request before the issued access token expires (expires_in runs out). But if the refresh token works even if the access token has expired already, sending a refresh request on application start-up would be enough.
> 
> So I'm not sure what I'm missing about refresh tokens, as well as how to implement persistent login using them (you can regard authentication here as the pseudo-authentication illustrated in https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg). What is the lifetime of a refresh token?
> 
> Thanks,
> 
> -- Donghwan
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
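The question in the quoted message is what keeps a refresh token from being an access token that never expires. The answer is that RFC 6749 leaves the refresh token's lifetime to the authorization server, and section 6 allows the server to issue a new refresh token on every refresh. The following is an added example written for this page, not code from either poster or from any IETF document: a toy token endpoint that gives refresh tokens an absolute lifetime and rotates them on use, and a client that implements the persistent login Donghwan describes (refresh at start-up or when the access token is about to expire, fall back to an interactive sign-in when the refresh is refused). The one-hour access lifetime, 30-day refresh lifetime, rotation and family revocation on replay are assumed policy choices, not RFC requirements; `TokenEndpoint`, `Client` and `demo` are names invented here.

```python
"""Added example: refresh-token lifetime and rotation (RFC 6749 section 6).
Lifetimes and the rotation/replay policy below are assumptions, not RFC rules."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

ACCESS_TTL = 3600         # assumed policy: access tokens live one hour
REFRESH_TTL = 30 * 86400  # assumed policy: refresh tokens live at most 30 days


@dataclass
class RefreshRecord:
    subject: str
    client_id: str
    scope: str
    family: str             # ties rotated tokens together for replay detection
    absolute_expiry: float  # fixed at first sign-in; rotation never extends it
    used: bool = False


class TokenEndpoint:
    """Minimal token endpoint that handles only grant_type=refresh_token."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        self.refresh_tokens: Dict[str, RefreshRecord] = {}

    def _issue(self, rec: RefreshRecord) -> dict:
        """Mint a new access token and a rotated refresh token for rec."""
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = RefreshRecord(
            rec.subject, rec.client_id, rec.scope, rec.family, rec.absolute_expiry)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": ACCESS_TTL, "refresh_token": refresh}

    def login(self, subject: str, client_id: str, scope: str) -> dict:
        """Stand-in for an interactive grant: starts a new refresh-token family."""
        return self._issue(RefreshRecord(subject, client_id, scope,
                                         secrets.token_hex(8), self.now() + REFRESH_TTL))

    def _revoke_family(self, family: str) -> None:
        for tok in [t for t, r in self.refresh_tokens.items() if r.family == family]:
            del self.refresh_tokens[tok]

    def token(self, form: dict, client_id: str) -> dict:
        """Refresh grant (RFC 6749 section 6); error codes from section 5.2."""
        if form.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        rec = self.refresh_tokens.get(form.get("refresh_token", ""))
        if rec is None or rec.client_id != client_id:
            return {"error": "invalid_grant"}
        if rec.used:
            # A rotated-out token came back, so a second party holds a copy:
            # revoke the whole family (assumed policy) and force a new sign-in.
            self._revoke_family(rec.family)
            return {"error": "invalid_grant"}
        if self.now() >= rec.absolute_expiry:
            return {"error": "invalid_grant"}  # refresh token outlived its lifetime
        rec.used = True
        return self._issue(rec)


class Client:
    """Persistent-login client: refreshes on start-up and shortly before expiry."""

    def __init__(self, endpoint: TokenEndpoint, client_id: str,
                 now: Callable[[], float] = time.time):
        self.ep, self.client_id, self.now = endpoint, client_id, now
        self.access: Optional[str] = None
        self.access_expiry = 0.0
        self.refresh: Optional[str] = None

    def _store(self, resp: dict) -> None:
        self.access = resp["access_token"]
        self.access_expiry = self.now() + resp["expires_in"]
        self.refresh = resp.get("refresh_token", self.refresh)  # keep old one if not rotated

    def login(self, subject: str, scope: str) -> None:
        self._store(self.ep.login(subject, self.client_id, scope))

    def get_access_token(self, skew: float = 60.0) -> Optional[str]:
        """Return a usable access token, refreshing if it has expired or will
        within `skew` seconds; None means the user must sign in interactively."""
        if self.access and self.now() + skew < self.access_expiry:
            return self.access
        if self.refresh is None:
            return None
        resp = self.ep.token({"grant_type": "refresh_token",
                              "refresh_token": self.refresh}, self.client_id)
        if "error" in resp:
            self.access = self.refresh = None
            return None
        self._store(resp)
        return self.access


def demo() -> dict:
    """Drive both sides with a fake clock; returns the observations."""
    clock = [1_000_000.0]
    ep = TokenEndpoint(now=lambda: clock[0])
    c = Client(ep, "mobile-app", now=lambda: clock[0])
    c.login("alice", "read")
    first = c.get_access_token()           # still valid: no refresh needed
    old_refresh = c.refresh
    clock[0] += 2 * 3600                   # access token expired, refresh still good
    second = c.get_access_token()          # silent refresh, refresh token rotated
    replay = ep.token({"grant_type": "refresh_token",
                       "refresh_token": old_refresh}, "mobile-app")
    clock[0] += 2 * 3600
    after_replay = c.get_access_token()    # family revoked: user must sign in again
    d = Client(ep, "mobile-app", now=lambda: clock[0])
    d.login("bob", "read")
    clock[0] += REFRESH_TTL + 1            # past the absolute refresh lifetime
    expired = d.get_access_token()
    return {"first": first, "second": second, "replay": replay,
            "after_replay": after_replay, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

The client never needs to know the refresh token's lifetime: it simply tries the refresh grant whenever the access token is gone or nearly gone and treats `invalid_grant` as "show the sign-in screen". The server is where the lifetime policy lives, and the absolute expiry is what stops a refresh token from working "years later"; rotation plus family revocation is what limits the damage if one is copied.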