Re: [OAUTH-WG] Refresh token security considerations
"William J. Mills" <wmills@yahoo-inc.com> Sun, 10 July 2011 16:38 UTC
Date: Sun, 10 Jul 2011 09:38:18 -0700
From: "William J. Mills" <wmills@yahoo-inc.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>, Eran Hammer-Lahav <eran@hueniverse.com>, OAuth WG <oauth@ietf.org>
I agree that this is something you could do, but it doesn't seem like a good design pattern.

________________________________
From: Torsten Lodderstedt <torsten@lodderstedt.net>
To: Eran Hammer-Lahav <eran@hueniverse.com>; OAuth WG <oauth@ietf.org>
Sent: Sunday, July 10, 2011 1:21 AM
Subject: Re: [OAUTH-WG] Refresh token security considerations

Replacement of the refresh token with every access token refresh is an example. The authz server creates and returns a new refresh token value with every access token refreshment. The old value is invalidated and must not be used any further.

Note: The authz server keeps track of all old (invalidated) refresh tokens. If a client presents one of those old refresh tokens, the legitimate client has most likely been compromised. The authz then revokes the refresh token and the associated access authorization.

regards,
Torsten.

Eran Hammer-Lahav <eran@hueniverse.com> wrote:

> "the authorization server SHOULD deploy other means to detect refresh token abuse"
>
> This requires an example.
>
> EHL
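The rotation-with-reuse-detection scheme Torsten describes above, as an added example that is not part of the thread or of any implementation mentioned in it. It assumes an in-memory store, opaque random token strings, and simplified error responses (only the `invalid_grant` error name comes from OAuth 2.0; the `reason` field is an illustrative addition).

```python
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    """One access authorization (user consent) held by one client."""
    client_id: str
    current_refresh: str        # the only refresh token value currently valid
    revoked: bool = False       # set once reuse of an old value is detected


class AuthorizationServer:
    """Minimal in-memory model of refresh token rotation with reuse detection."""

    def __init__(self):
        self._grants = {}         # grant id -> Grant
        self._refresh_index = {}  # every refresh value ever issued -> grant id

    def _new_refresh(self, grant_id):
        value = secrets.token_urlsafe(32)
        self._refresh_index[value] = grant_id  # old values stay indexed on purpose
        return value

    def issue(self, client_id):
        """Initial grant: returns a fresh access token / refresh token pair."""
        grant_id = secrets.token_urlsafe(8)
        refresh = self._new_refresh(grant_id)
        self._grants[grant_id] = Grant(client_id, refresh)
        return {"access_token": secrets.token_urlsafe(32), "refresh_token": refresh}

    def refresh(self, presented):
        """Rotate: invalidate the presented value and return a new pair."""
        grant_id = self._refresh_index.get(presented)
        if grant_id is None:
            return {"error": "invalid_grant"}        # never issued by this server
        grant = self._grants[grant_id]
        if grant.revoked:
            return {"error": "invalid_grant"}        # authorization already revoked
        if presented != grant.current_refresh:
            # An invalidated value was replayed: the legitimate client and whoever
            # holds a copy can no longer be told apart, so revoke the whole grant.
            grant.revoked = True
            return {"error": "invalid_grant", "reason": "refresh_token_reuse"}
        grant.current_refresh = self._new_refresh(grant_id)
        return {"access_token": secrets.token_urlsafe(32),
                "refresh_token": grant.current_refresh}

    def is_revoked(self, refresh_value):
        grant_id = self._refresh_index.get(refresh_value)
        return grant_id is not None and self._grants[grant_id].revoked
```

Note that the index of old values must be kept for as long as the grant can still be refreshed; pruning it early turns a replay of an old token into an indistinguishable "unknown token" error and loses the compromise signal.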