Re: [OAUTH-WG] [EXTERNAL] Rotating RTs and grace periods

Karsten Meyer zu Selhausen <> Thu, 04 November 2021 09:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 47F723A0D3C for <>; Thu, 4 Nov 2021 02:48:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.328
X-Spam-Status: No, score=-5.328 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, NICE_REPLY_A=-3.33, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id gYbAXkmIR_hS for <>; Thu, 4 Nov 2021 02:48:04 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::329]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 083C23A0D57 for <>; Thu, 4 Nov 2021 02:48:02 -0700 (PDT)
Received: by with SMTP id 77-20020a1c0450000000b0033123de3425so6783165wme.0 for <>; Thu, 04 Nov 2021 02:48:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=message-id:date:mime-version:user-agent:content-language:to:cc :references:from:subject:in-reply-to; bh=HdeUNT2bDTjDYNvEYuUkF761ZSzO1u50I5gPhHeSU8M=; b=T4g60bM689qvd04UA6dG2NmmU9JvH+8XFr0avaq2scbkNplwpNkHt9oIEhH2S3i0Bx 89ZrjXRJE+fuFXM4A+m3oLmvlA5hFyLNuWlQwuUBiEUrLUeFGF+hGYJFkCA8lcC7VTyy PWw+oQcVzxvw69wfd41l4b6kSPjDvJOoJmEHU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent :content-language:to:cc:references:from:subject:in-reply-to; bh=HdeUNT2bDTjDYNvEYuUkF761ZSzO1u50I5gPhHeSU8M=; b=4mK4YNbxCUfkAcsk1l19CrwF7+1TLZ35RELGZGaCNQzJawiPPX+IB0hbk0aIEa7vr9 GBjKrI2xRROGPVrMIO3lleF6NGi88zzvEW2vzJbf/WFD2yDGoxsmJFvjCDD9QHnF2pYj u1MqfKOe+OOhHZAx8jqTXJoFyS5ZfHfIdd0nb5ZEYM7MXmDRGbqB2tYBIH705A9rKL0b TvhL1kVWko2F9W5fniCePB88DEZJLBGTox5YZtn0Bq09x7yugOKScQtFxrJ0mjCCf98N yWTDRllFl2F/NJs/cXoFaP3A62oB0xxaahpZ9C5e8ZHu+PVxruC1Xi+kGIXVOk18rlM9 jmSA==
X-Gm-Message-State: AOAM53353P7AanGNkXZZtnKqW0ObBWezPRo0tRY+RmT06diC+P58yL5S 11/hl6z7fAgC+HUHjnZsr8XLseRlMln/rA==
X-Google-Smtp-Source: ABdhPJwOsncMuzfvC4zoCY6xZvrPry4aJb4+OTpkpu64gby7Q21TrqJ6NPvp6FwxBKmX/P6oT4p9sA==
X-Received: by 2002:a7b:cc8f:: with SMTP id p15mr19099979wma.158.1636019279888; Thu, 04 Nov 2021 02:47:59 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id w15sm4486654wrk.77.2021. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 04 Nov 2021 02:47:59 -0700 (PDT)
Message-ID: <>
Date: Thu, 04 Nov 2021 10:47:57 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.3.0
Content-Language: en-US
To: Aaron Parecki <>
Cc: oauth <>
References: <> <> <>
From: Karsten Meyer zu Selhausen <>
In-Reply-To: <>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------lzFKDQRz0Ei3xd2QlmdAtsSa"
Archived-At: <>
Subject: Re: [OAUTH-WG] [EXTERNAL] Rotating RTs and grace periods
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 04 Nov 2021 09:48:08 -0000

I share Neil's opinion about grace periods and agree that there is a 
need of guidance on this matter.

I like the proposed text and think it should be included in the security 
BCP, as well as, OAuth 2.1.

The old thread [1] slightly covered an interesting aspect:

> Aaron: if RT "R1" is used twice, resulting in new ATs "A1.1", "A1.2" and new RTs "R1.1" and "R1.2", what happens if "R1.2" is then later used? Would you invalidate "R1.1" at that point?
Vittorio pointed out that Auth0 would consider "RT1.1 and RT1.2 as 

@Aaron: Does Okta's implementation handle this the same way?

Should we include guidance for handling this aspect, as well?

Best regards,


On 02.11.2021 22:34, Aaron Parecki wrote:
> The grace period is not about the refresh token lifetime, it's 
> specifically about whether what would be a single-use refresh token 
> can be used more than one time within a short window of the first use.
> Okta supports a configurable grace period per application that the 
> customer can set, anywhere from 0 to 60 seconds.
> Personally I also agree with Neil that a grace period is not a good 
> idea from the security aspect, but I do also see that we have a lot of 
> customers who ask for this feature due to things like flaky mobile 
> networks.
> I like the suggested text from Neil. I assume this would go into the 
> Security BCP as well as OAuth 2.1?
> Aaron
> On Tue, Nov 2, 2021 at 7:09 AM Pieter Kasselman 
> <> wrote:
>     Neil
>     Is the goal to accommodate network latency or clock drift? It
>     would be helpful to include reasons for why a grace period should
>     be considered if it is allowed.
>     Without knowing the reasons for the grace period it is not clear
>     why a grace period is a better solution than just extending the
>     expiry time by a set time (60 seconds in your example) and having
>     the client present the token a little earlier.
>     If grace periods are allowed, it may be worth considering adding
>     additional mitigations against replay. For example, a grace period
>     may be allowed if the refresh token is sender constrained with
>     DPoP so there is at least some assurances that the request is
>     originating from the sender (especially if the nonce option is
>     used with DPoP).
>     I would worry about adding more complexity and less predictability
>     by adding grace periods though (e.g. by looking at a refresh
>     token, will you be able to tell if it can still be used or not),
>     but your point that implementors may solve for it in other less
>     predictable ways raises a valid point.
>     Cheers
>     Pieter
>     *From:*OAuth <> *On Behalf Of *Neil Madden
>     *Sent:* Tuesday 2 November 2021 10:29
>     *To:* oauth <>
>     *Subject:* [EXTERNAL] [OAUTH-WG] Rotating RTs and grace periods
>     Hi all,
>     There was a previous discussion on whether to allow a grace period
>     during refresh token rotation, allowing the client to retry a
>     refresh if the response fails to be received due to some transient
>     network issue/timeout [1]. Vittorio mentioned that Auth0 already
>     implement such a grace period. We (ForgeRock) currently do not,
>     but we do periodically receive requests to support this. The
>     current security BCP draft is silent on whether implementing such
>     a grace period is a good idea, but I think we should add some
>     guidance here one way or another.
>     My own opinion is that a grace period is not a good idea, and if
>     it is to be supported as an option then it should be kept as short
>     as possible. The reason (as I mentioned in the previous thread) is
>     that it is quite easy for an attacker to observe when a legitimate
>     client performs a refresh flow and so can easily sneak in their
>     own request afterwards within the grace period. There are several
>     reasons why it is easy for an attacker to observe this:
>     - RT rotation is primarily intended for public clients, such as
>     mobile apps and SPAs. These clients are geographically distributed
>     across the internet, and so there is a good chance that the
>     attacker is able to observe the network traffic of at least some
>     of these client instances.
>     - The refresh flow is typically the only request that the client
>     makes directly to the AS after initial authorization, so despite
>     the traffic being encrypted it is very easy for an observer to
>     determine that the client is performing a refresh whenever it
>     makes any connection to the AS.
>     - As well as observing the request itself, an attacker may be able
>     to observe the DNS lookup for the AS hostname instead, which is
>     even more likely to be observable and also in plaintext most of
>     the time.
>     - An attacker in a position to steal RTs from e.g. localStorage,
>     is probably also in a good position to either observe when the
>     legitimate client refreshes or to actually force it to refresh
>     early (e.g., by deleting the corresponding AT from the same storage).
>     I know some people argue that a grace period is a reasonable
>     trade-off between security and usability. But I think that this
>     kind of attack would be quite easy to carry out in practice for
>     the reasons I suggest above, so I think the security actually
>     degrades extremely quickly if you allow a grace period of any
>     reasonable length.
>     On the other hand, if we discourage this entirely then people may
>     use dubious workarounds instead (e.g., one proposal I’ve seen was
>     to use an ID token with the JWT Bearer grant, effectively turning
>     the ID Token into an ad-hoc RT with much fewer protections).
>     As a strawman, what would people think of wording like the following:
>     ---
>     The AS MAY allow the original RT to be replayed for a short grace
>     period to allow the client to recover if the response is not
>     received due to a network problem or other transient issue.
>     However, implementors should be aware that an attacker may be able
>     to easily observe when the legitimate client makes a refresh
>     request to the AS and so time their use of a stolen RT to occur
>     within the grace period. Any grace period MUST be kept as short as
>     possible, and MUST NOT exceed 60 seconds. Clients should prefer
>     sender-constrained refresh tokens if recovery from network issues
>     is a priority.
>     —
>     (The 60 seconds limit here is based on Auth0’s grace period).
>     [1]:
>     <>
>     Kind regards,
>     Neil
>     _______________________________________________
>     OAuth mailing list
> _______________________________________________
> OAuth mailing list

Karsten Meyer zu Selhausen
Senior IT Security Consultant
Phone:	+49 (0)234 / 54456499
Web:  | IT Security Consulting, Penetration Testing, Security Training

Is your OAuth or OpenID Connect application vulnerable to mix-up attacks? Find out more on our blog:

Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum

Registergericht: Amtsgericht Bochum, HRB 14896
Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz