Re: [OAUTH-WG] Refresh tokens
George Fletcher <gffletch@aol.com> Tue, 09 July 2019 16:15 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA2F41206E2 for <oauth@ietfa.amsl.com>; Tue, 9 Jul 2019 09:15:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.298
X-Spam-Level:
X-Spam-Status: No, score=0.298 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, PDS_NO_HELO_DNS=1.295, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GUdlZHKphesN for <oauth@ietfa.amsl.com>; Tue, 9 Jul 2019 09:15:45 -0700 (PDT)
Received: from sonic307-2.consmr.mail.bf2.yahoo.com (sonic307-2.consmr.mail.bf2.yahoo.com [74.6.134.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE567120765 for <oauth@ietf.org>; Tue, 9 Jul 2019 09:15:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1562688938; bh=dBFeIV4UMXj5/fA4L9FVYkodmkFGh044WB3JZGvbYKU=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=bnpgyDgikNdK1tUvEbFOwxRM0lLtku6doATpBnR8Ln5EMw10nAln0yVIM9SXe042LxnCum06swhQXJBm0M13H8kTMqg2SSMDQYOhHy4DMoU1YVbXfqSlKf6zTKbZ5QeSIiSC4BmdZNtzMmWsjJqJ4pTbKtvPSkOtrRyeVSXXBmWKUWzn6d5wf66iZSZX3HNDZRnu5BHJB5l0zq7wlVhNtQfgmBSVisxodjsYfw4XfeRdbWTE8l2xOXTB4dwjOXYuwtS3NgwxSjFnqPWatEUGGn9iwtM8q1cBLVFW05Yql2uqLi0U+GmNySkIe60wZZ91MF70I7gfgsFmiutFJPXq4Q==
X-YMail-OSG: 0JwyJaoVM1l7MRso.NXSWEDxoQ2RQcO2XuBb06bA_x9A.8SCIUEffMlMEKCUUWL 1i.rRsLJDwJnBRhQlIwJTUZ7sCA3.899N0Q1Hihg3SnPF5EjRNE7VqCXfhJxYKrestw84jmb0R.Q LHenMX7pwBj7.7MbjwwWRsSHpq3iQfikiI6IkT5tvnXbNjYVBbsKx01aVY9q_SgD2YV5yJiIZOOU exIXQsRYhMLRUJht1pK8Bd8Rhb1_piOlFMBFM8eYsEV1fslxsgFHj7sf21McpuCJnGQKRQj1NnLl 2yShyKDLZTYgOMC3FY8oAVw1_DO_jOJ2vUndEE7f7zm_pU9zPrIdDOiRh8Cc7.nxZS676SM7DCAp UzaPwLMnCsp4mNOUcmNHW3mF3ER.NtY8zmpF3gLURZM3ZyV3wKwCH4.VIOXXYguAN.qHh2ALFHsG ugZNlz2IVfoeX1IBNJmoR2CyjcHT2RWqXyEbzT.DTvW35nzF6C0cUWlOd2Bn7s3_3Big46ZgfPHN USXZm94s0hW3wLcWi6IA6pw0DCW4XBFcUJwh8hMgV3v4zn1HsP1EbHRrxBV3Tb6dkLhummXsSqN2 DIu3aF4ZH16VliKPHSCIKXY.GsngXNYocdHLqgT.7g8m7gsD.lhL5ug6Lg3l.VgxqjgKziy9w.Zp azLtihgrPYKl0_TqscwY3lIfcqIvjm8DOrpBuztP6v6Z6rGCH3N4dkSr98vLx3C_0CNkVMVkeD2f RpsRulpr1w3v8REWn9Rd9KSIYSHCuje66rJkq03Wu.j.oz9BTHExDsVy704jvKc8gYuQxbB1TTuO nDvobjGyS5B3XRMbzwja5xavboVs8oAHlccs7_xowifXL.4qbT9FFF_KpP9TC17BcQxQDtn_IKUt W6tSXZBAiv1dS2i3JoD2aqhNgDkVaH9Z1DKfQrXsYYuTNZILIUfXOPnahCQZ3e4Lh1hVC8g_wyvz 2GIkvSkgANnBVLZqPy7fPD5nngrjUQKhWTJgZ5nkjb7rsvLXfONfrCsEjnPrHDtlBmMxztppWica 4THLiigm23VXLKKe0UDLG0vbI7vBxlyqYdVUMnlj2vsxnqDdHzhy0skOH77_xASZRWNiaC3yfnw3 EJyICSz5xWlThRiSHmRWp39m233b_Vezn1G46hvGqqhY3OHQgYbwEiE9HxyqmlstfVeEx.W9a6pY 8J8exBnT2ZZ64BNIHPI_qX6odgNvuht84lMPUsFs3mKaV.r.B4Rg7Jz4sRhH1WSrHbw--
Received: from sonic.gate.mail.ne1.yahoo.com by sonic307.consmr.mail.bf2.yahoo.com with HTTP; Tue, 9 Jul 2019 16:15:38 +0000
Received: by smtp432.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 565f05ab55547d330cb937b16930d7a7; Tue, 09 Jul 2019 16:15:34 +0000 (UTC)
To: David Waite <david@alkaline-solutions.com>, Leo Tohill <leotohill@gmail.com>
Cc: OAuth WG <oauth@ietf.org>
References: <CABw+FcsH3CHmFphz5DD6aDeEqKLxbQhY14kdrXCVY0WXQN6PuQ@mail.gmail.com> <AEC7268A-D22D-41DA-8609-E7D2DD3B290C@alkaline-solutions.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <624da319-b19c-053b-4fd0-048c0e2b8fb9@aol.com>
Date: Tue, 09 Jul 2019 12:15:32 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.7.2
MIME-Version: 1.0
In-Reply-To: <AEC7268A-D22D-41DA-8609-E7D2DD3B290C@alkaline-solutions.com>
Content-Type: multipart/alternative; boundary="------------EA2B0668FCC8D5BE69EA9D46"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dBk3Bu27YgATYdLTDvJMCNOWiJk>
Subject: Re: [OAUTH-WG] Refresh tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jul 2019 16:15:52 -0000
I'll just add a couple more thoughts around refresh_tokens. 1. I agree with David that refresh_tokens are valuable in an "online" scenario and should be used there. 2. To use a refresh token at the /token endpoint, client authentication is required. This is where it gets difficult for default SPAs because they are public clients and the only mechanism to authenticate them is the client_id which is itself public. For me, this is the real risk of exposing the refresh_token in the browser. 3. If the AS supports rotation of refresh_tokens and an attacker steals one and uses it, then the SPA will get an error on it's next attempt because it's refresh_token will now be invalid. If the refresh_tokens are bound to the user's authentication session, then the user can logout to lockout the attacker. However, that is a lot of "ifs" and still provides the attacker with time to leverage access via the compromised refresh_token. In principle, I agree with the recommendation that SPAs shouldn't have refresh_tokens in the browser. If it's not possible to easily refresh the access token via a hidden iframe (becoming more difficult with all the browser/privacy cookie changes. e.g. ITP2.X) then I'd recommend to use a simple server component such that the backend for the SPA can use authorization_code flow and protect a client_secret. Thanks, George On 7/8/19 11:17 PM, David Waite wrote: > >> On Jul 8, 2019, at 7:10 PM, Leo Tohill <leotohill@gmail.com >> <mailto:leotohill@gmail.com>> wrote: >> Re 8. Refresh Tokens >> >> ???? "For public clients, the risk of a leaked refresh token is much >> ?? ??greater than leaked access tokens, since an attacker can potentially >> ?? ??continue using the stolen refresh token to obtain new access without >> ?? ??being detectable by the authorization server.?? " >> >> (first, note the typo "stoken".) >> >> Is it always "higher risk"??? I could even argue that leakage of a >> refresh token is lower risk. As a bearer document, a leaked access >> token allows access to resources until it expires.?? A leaked refresh >> token, to be useful,?? requires an exchange with the AS, and the AS >> would have the opportunity to check whether the refresh token is >> still valid (has not been revoked). (of course revocation might NOT >> have happened, but then again, it might have.) > > I agree (with caveats, of course). > > Access tokens and refresh tokens may or may not be attached (by > policy) to an authentication session lifetime. It is far easier to > picture refresh tokens which are not attached to an authentication > session (sometimes called ???offline??? access) being inappropriate for a > browser-based app, which is nearly always a client that the resource > owner is interacting with. > > Variants that may want offline tokens are less easy to imagine - > perhaps browser extensions? > > I believe the language currently there is due to AS implementations > predominantly treating refresh tokens as being for offline access, and > access token lifetime being short enough to not outlast an > authentication session. > >> Furthermore, since the access token is transmitted to other servers, >> the risk of exposure is greater, due to possible vulnerabilities in >> those called systems (e.g., logs).?? Isn't this the reason that we >> have refresh tokens? Don't refresh tokens exist because access tokens >> should have short TTL, because they are widely distributed? > > Yes. Once you acknowledge the existence of ???online??? refresh tokens, > they become a strong security component: > > - Refresh tokens let you shorten the access token lifetime > - A shorter access token lifetime lets you have centralized policy to > invalidate access without needing to resort to token > introspection/revocation > - Token refresh can theoretically be used to represent other policy > changes by both the client (creating tokens targeting a new resource > server or with reduced scopes) and server (changing entitlements and > attributes/claims embedded within a structured token) > - Refresh tokens can be one-time-use, as recommenced by the security > BCP. A exfiltrated refresh token will result in either the attacker or > the user losing access on the next refresh, and a double refresh is a > detectable security event by the AS. > >> "Additionally, browser-based applications provide many attack vectors >> by which a refresh token can be leaked." >> >> The risks of leaking a refresh token from the browser are identical >> to the risks of leaking an access token, right??? This sentence could >> be changed to "... by which /a token/ can be leaked." >> >> A refresh token is "higher risk" because its TTL is usually greater >> than the access token's TTL.?? But if our advice here leads to people >> using longer-lived access tokens (because of the problems with >> getting a new access token without involving the user), then the >> advice will be counter productive.???? The longer life gives more time >> for the usefulness of a browser-side theft, and more time for the >> usefulness of a server-side theft. >> >> Which scenario is safer? >> A) using an access token with a 10 minute TTL, accompanied by a >> refresh token with a 1 hour TTL >> B) using an access token with a 1 hour TTL, and no refresh token. > > > Given tokens that track authentication lifetime, it is hard to make a > case that refresh tokens which last for the authentication session are > a greater security risk than opaque access tokens (requiring token > introspection) that will last the same time. > > Typically an AS (or OP) would issue a structured access token with a > lifetime expected to expire before the authentication session, with > new tokens issued via requests made in an embedded, iframe (hidden, > prompt=none). There may be benefits here of user cookies (or perhaps > managed-device information) against an authorization endpoint being > used to make decisions that could not be made by a refresh against the > token endpoint. > > I???d be interested in hearing how strong of an implementation issue > this might be for deployments - I could see a non-security argument > that the BCP should only have one recommended approach here, and that > there are deployments needing the iframe approach. > > -DW > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Refresh tokens Leo Tohill
- Re: [OAUTH-WG] Refresh tokens David Waite
- Re: [OAUTH-WG] Refresh tokens Aaron Parecki
- Re: [OAUTH-WG] Refresh tokens David Waite
- Re: [OAUTH-WG] Refresh tokens George Fletcher
- Re: [OAUTH-WG] Refresh tokens George Fletcher
- Re: [OAUTH-WG] Refresh tokens Aaron Parecki
- Re: [OAUTH-WG] Refresh tokens George Fletcher
- Re: [OAUTH-WG] Refresh tokens Aaron Parecki
- Re: [OAUTH-WG] Refresh tokens David Waite
- Re: [OAUTH-WG] Refresh tokens Justin Richer
- Re: [OAUTH-WG] Refresh tokens Neil Madden
- Re: [OAUTH-WG] Refresh tokens Leo Tohill
- Re: [OAUTH-WG] Refresh tokens David Waite
- Re: [OAUTH-WG] Refresh tokens Leo Tohill
- Re: [OAUTH-WG] Refresh tokens Brock Allen
- Re: [OAUTH-WG] Refresh tokens Leo Tohill
- Re: [OAUTH-WG] Refresh tokens Tomek Stojecki
- Re: [OAUTH-WG] Refresh tokens Neil Madden
- Re: [OAUTH-WG] Refresh tokens Torsten Lodderstedt
- Re: [OAUTH-WG] Refresh tokens Aaron Parecki