IETF Logo Mail Archive

Re: [OAUTH-WG] Refresh tokens

George Fletcher <gffletch@aol.com> Tue, 09 July 2019 16:15 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA2F41206E2 for <oauth@ietfa.amsl.com>; Tue, 9 Jul 2019 09:15:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.298
X-Spam-Level:
X-Spam-Status: No, score=0.298 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, PDS_NO_HELO_DNS=1.295, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GUdlZHKphesN for <oauth@ietfa.amsl.com>; Tue, 9 Jul 2019 09:15:45 -0700 (PDT)
Received: from sonic307-2.consmr.mail.bf2.yahoo.com (sonic307-2.consmr.mail.bf2.yahoo.com [74.6.134.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE567120765 for <oauth@ietf.org>; Tue, 9 Jul 2019 09:15:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1562688938; bh=dBFeIV4UMXj5/fA4L9FVYkodmkFGh044WB3JZGvbYKU=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=bnpgyDgikNdK1tUvEbFOwxRM0lLtku6doATpBnR8Ln5EMw10nAln0yVIM9SXe042LxnCum06swhQXJBm0M13H8kTMqg2SSMDQYOhHy4DMoU1YVbXfqSlKf6zTKbZ5QeSIiSC4BmdZNtzMmWsjJqJ4pTbKtvPSkOtrRyeVSXXBmWKUWzn6d5wf66iZSZX3HNDZRnu5BHJB5l0zq7wlVhNtQfgmBSVisxodjsYfw4XfeRdbWTE8l2xOXTB4dwjOXYuwtS3NgwxSjFnqPWatEUGGn9iwtM8q1cBLVFW05Yql2uqLi0U+GmNySkIe60wZZ91MF70I7gfgsFmiutFJPXq4Q==
X-YMail-OSG: 0JwyJaoVM1l7MRso.NXSWEDxoQ2RQcO2XuBb06bA_x9A.8SCIUEffMlMEKCUUWL 1i.rRsLJDwJnBRhQlIwJTUZ7sCA3.899N0Q1Hihg3SnPF5EjRNE7VqCXfhJxYKrestw84jmb0R.Q LHenMX7pwBj7.7MbjwwWRsSHpq3iQfikiI6IkT5tvnXbNjYVBbsKx01aVY9q_SgD2YV5yJiIZOOU exIXQsRYhMLRUJht1pK8Bd8Rhb1_piOlFMBFM8eYsEV1fslxsgFHj7sf21McpuCJnGQKRQj1NnLl 2yShyKDLZTYgOMC3FY8oAVw1_DO_jOJ2vUndEE7f7zm_pU9zPrIdDOiRh8Cc7.nxZS676SM7DCAp UzaPwLMnCsp4mNOUcmNHW3mF3ER.NtY8zmpF3gLURZM3ZyV3wKwCH4.VIOXXYguAN.qHh2ALFHsG ugZNlz2IVfoeX1IBNJmoR2CyjcHT2RWqXyEbzT.DTvW35nzF6C0cUWlOd2Bn7s3_3Big46ZgfPHN USXZm94s0hW3wLcWi6IA6pw0DCW4XBFcUJwh8hMgV3v4zn1HsP1EbHRrxBV3Tb6dkLhummXsSqN2 DIu3aF4ZH16VliKPHSCIKXY.GsngXNYocdHLqgT.7g8m7gsD.lhL5ug6Lg3l.VgxqjgKziy9w.Zp azLtihgrPYKl0_TqscwY3lIfcqIvjm8DOrpBuztP6v6Z6rGCH3N4dkSr98vLx3C_0CNkVMVkeD2f RpsRulpr1w3v8REWn9Rd9KSIYSHCuje66rJkq03Wu.j.oz9BTHExDsVy704jvKc8gYuQxbB1TTuO nDvobjGyS5B3XRMbzwja5xavboVs8oAHlccs7_xowifXL.4qbT9FFF_KpP9TC17BcQxQDtn_IKUt W6tSXZBAiv1dS2i3JoD2aqhNgDkVaH9Z1DKfQrXsYYuTNZILIUfXOPnahCQZ3e4Lh1hVC8g_wyvz 2GIkvSkgANnBVLZqPy7fPD5nngrjUQKhWTJgZ5nkjb7rsvLXfONfrCsEjnPrHDtlBmMxztppWica 4THLiigm23VXLKKe0UDLG0vbI7vBxlyqYdVUMnlj2vsxnqDdHzhy0skOH77_xASZRWNiaC3yfnw3 EJyICSz5xWlThRiSHmRWp39m233b_Vezn1G46hvGqqhY3OHQgYbwEiE9HxyqmlstfVeEx.W9a6pY 8J8exBnT2ZZ64BNIHPI_qX6odgNvuht84lMPUsFs3mKaV.r.B4Rg7Jz4sRhH1WSrHbw--
Received: from sonic.gate.mail.ne1.yahoo.com by sonic307.consmr.mail.bf2.yahoo.com with HTTP; Tue, 9 Jul 2019 16:15:38 +0000
Received: by smtp432.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 565f05ab55547d330cb937b16930d7a7; Tue, 09 Jul 2019 16:15:34 +0000 (UTC)
To: David Waite <david@alkaline-solutions.com>, Leo Tohill <leotohill@gmail.com>
Cc: OAuth WG <oauth@ietf.org>
References: <CABw+FcsH3CHmFphz5DD6aDeEqKLxbQhY14kdrXCVY0WXQN6PuQ@mail.gmail.com> <AEC7268A-D22D-41DA-8609-E7D2DD3B290C@alkaline-solutions.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <624da319-b19c-053b-4fd0-048c0e2b8fb9@aol.com>
Date: Tue, 09 Jul 2019 12:15:32 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.7.2
MIME-Version: 1.0
In-Reply-To: <AEC7268A-D22D-41DA-8609-E7D2DD3B290C@alkaline-solutions.com>
Content-Type: multipart/alternative; boundary="------------EA2B0668FCC8D5BE69EA9D46"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dBk3Bu27YgATYdLTDvJMCNOWiJk>
Subject: Re: [OAUTH-WG] Refresh tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jul 2019 16:15:52 -0000

I'll just add a couple more thoughts around refresh_tokens.

1. I agree with David that refresh_tokens are valuable in an "online" 
scenario and should be used there.

2. To use a refresh token at the /token endpoint, client authentication 
is required. This is where it gets difficult for default SPAs because 
they are public clients and the only mechanism to authenticate them is 
the client_id which is itself public. For me, this is the real risk of 
exposing the refresh_token in the browser.

3. If the AS supports rotation of refresh_tokens and an attacker steals 
one and uses it, then the SPA will get an error on it's next attempt 
because it's refresh_token will now be invalid. If the refresh_tokens 
are bound to the user's authentication session, then the user can logout 
to lockout the attacker. However, that is a lot of "ifs" and still 
provides the attacker with time to leverage access via the compromised 
refresh_token.

In principle, I agree with the recommendation that SPAs shouldn't have 
refresh_tokens in the browser. If it's not possible to easily refresh 
the access token via a hidden iframe (becoming more difficult with all 
the browser/privacy cookie changes. e.g. ITP2.X) then I'd recommend to 
use a simple server component such that the backend for the SPA can use 
authorization_code flow and protect a client_secret.

Thanks,
George

On 7/8/19 11:17 PM, David Waite wrote:
>
>> On Jul 8, 2019, at 7:10 PM, Leo Tohill <leotohill@gmail.com 
>> <mailto:leotohill@gmail.com>> wrote:
>> Re 8. Refresh Tokens
>>
>> ???? "For public clients, the risk of a leaked refresh token is much
>> ?? ??greater than leaked access tokens, since an attacker can potentially
>> ?? ??continue using the stolen refresh token to obtain new access without
>> ?? ??being detectable by the authorization server.?? "
>>
>> (first, note the typo "stoken".)
>>
>> Is it always "higher risk"??? I could even argue that leakage of a 
>> refresh token is lower risk. As a bearer document, a leaked access 
>> token allows access to resources until it expires.?? A leaked refresh 
>> token, to be useful,?? requires an exchange with the AS, and the AS 
>> would have the opportunity to check whether the refresh token is 
>> still valid (has not been revoked). (of course revocation might NOT 
>> have happened, but then again, it might have.)
>
> I agree (with caveats, of course).
>
> Access tokens and refresh tokens may or may not be attached (by 
> policy) to an authentication session lifetime. It is far easier to 
> picture refresh tokens which are not attached to an authentication 
> session (sometimes called ???offline??? access) being inappropriate for a 
> browser-based app, which is nearly always a client that the resource 
> owner is interacting with.
>
> Variants that may want offline tokens are less easy to imagine - 
> perhaps browser extensions?
>
> I believe the language currently there is due to AS implementations 
> predominantly treating refresh tokens as being for offline access, and 
> access token lifetime being short enough to not outlast an 
> authentication session.
>
>> Furthermore, since the access token is transmitted to other servers, 
>> the risk of exposure is greater, due to possible vulnerabilities in 
>> those called systems (e.g., logs).?? Isn't this the reason that we 
>> have refresh tokens? Don't refresh tokens exist because access tokens 
>> should have short TTL, because they are widely distributed?
>
> Yes. Once you acknowledge the existence of ???online??? refresh tokens, 
> they become a strong security component:
>
> - Refresh tokens let you shorten the access token lifetime
> - A shorter access token lifetime lets you have centralized policy to 
> invalidate access without needing to resort to token 
> introspection/revocation
> - Token refresh can theoretically be used to represent other policy 
> changes by both the client (creating tokens targeting a new resource 
> server or with reduced scopes) and server (changing entitlements and 
> attributes/claims embedded within a structured token)
> - Refresh tokens can be one-time-use, as recommenced by the security 
> BCP. A exfiltrated refresh token will result in either the attacker or 
> the user losing access on the next refresh, and a double refresh is a 
> detectable security event by the AS.
>
>> "Additionally, browser-based applications provide many attack vectors 
>> by which a refresh token can be leaked."
>>
>> The risks of leaking a refresh token from the browser are identical 
>> to the risks of leaking an access token, right??? This sentence could 
>> be changed to "... by which /a token/ can be leaked."
>>
>> A refresh token is "higher risk" because its TTL is usually greater 
>> than the access token's TTL.?? But if our advice here leads to people 
>> using longer-lived access tokens (because of the problems with 
>> getting a new access token without involving the user), then the 
>> advice will be counter productive.???? The longer life gives more time 
>> for the usefulness of a browser-side theft, and more time for the 
>> usefulness of a server-side theft.
>>
>> Which scenario is safer?
>> A) using an access token with a 10 minute TTL, accompanied by a 
>> refresh token with a 1 hour TTL
>> B) using an access token with a 1 hour TTL, and no refresh token.
>
>
> Given tokens that track authentication lifetime, it is hard to make a 
> case that refresh tokens which last for the authentication session are 
> a greater security risk than opaque access tokens (requiring token 
> introspection) that will last the same time.
>
> Typically an AS (or OP) would issue a structured access token with a 
> lifetime expected to expire before the authentication session, with 
> new tokens issued via requests made in an embedded, iframe (hidden, 
> prompt=none). There may be benefits here of user cookies (or perhaps 
> managed-device information) against an authorization endpoint being 
> used to make decisions that could not be made by a refresh against the 
> token endpoint.
>
> I???d be interested in hearing how strong of an implementation issue 
> this might be for deployments - I could see a non-security argument 
> that the BCP should only have one recommended approach here, and that 
> there are deployments needing the iframe approach.
>
> -DW
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email