IETF Logo Mail Archive

Re: [OAUTH-WG] Lifetime of refresh token

William Denniss <wdenniss@google.com> Fri, 28 August 2015 20:58 UTC

Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 063091A21C4 for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 13:58:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level:
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k4fkUJ0fQFP2 for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 13:58:19 -0700 (PDT)
Received: from mail-qg0-x229.google.com (mail-qg0-x229.google.com [IPv6:2607:f8b0:400d:c04::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAF331A005B for <oauth@ietf.org>; Fri, 28 Aug 2015 13:58:19 -0700 (PDT)
Received: by qgeh99 with SMTP id h99so38579262qge.0 for <oauth@ietf.org>; Fri, 28 Aug 2015 13:58:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-type; bh=bhYqTmgaxh3vtuuzqFbwqcnSNYHj0injYX2sGxbYNyA=; b=dYhavCKC4zhvP+HcHDrbGolYA93ewwIfF+0htTY+8Y/JOt14wdagyj67/xp7cXU0SZ nCXl6bsEHpDuiP4XXi4eUinr75uPxKnvfKvtBskUQmL1vgJjlm78Vli3GSsxzi7EJfq9 vxYZfM/12nOwt/RCrzxLQ5+h/JWxORpX4nVHzUEMR3Ps465G46jlRk8WULCIXO3ngq9L 9QSuQH5zGWLhof5PlGHkHfBi5D2RiOsNLs84aI/7cSMX6Xsr+QDvOFXGU9/ViASnpE7s /n0/LOfxAhIjuERdDQcts0LYJNG/NjATOKyOHPAWFTmjRDFV/rFQOm2SMTJLvK7Mtve9 l0aA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-type; bh=bhYqTmgaxh3vtuuzqFbwqcnSNYHj0injYX2sGxbYNyA=; b=Ymn5tZ3ULK0SBqA6I3jKnFw6xs3YrvWa57rpgX4x+jKE190/l7gJt5b7LzQvOHZgso Aew9+bGTiJxtm8RYsVCShcEH0p2T+31f3IznAh9x3i2+pc/VURtBrWJKvzxfr3cAeMeB +94lWdbFoVJJPL+i3RN5pbUlGGd0CmU+zohtRFqbmkxufBPCsTtwBZidelAFxKSp2IhA wiOiOpfU2npGmTEiiz1js+Atu/nLjJUYIbk9wAqIMeEGVlzlHs687fwoeTKq2i6G0BS9 LOimJqe+lTcWezjY5AH+j/qWGy8CtbumuNArE71t5UuBxqksyjFdCJtzIz+kEHmkdmyn h5Ag==
X-Gm-Message-State: ALoCoQneeARFTmIeA4VZ4kHEty8SRR7pWi9UZyToqq6BZJD+NnhswGQaHCsxIKtTGiQht1YZrtpF
X-Received: by 10.140.235.143 with SMTP id g137mr20202923qhc.102.1440795498824; Fri, 28 Aug 2015 13:58:18 -0700 (PDT)
MIME-Version: 1.0
References: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com> <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com> <C44C21E6-2559-4099-8B21-3544DE8965BD@lodderstedt.net> <CAMbDefsu0XAQvCR2+ako4PbsoKeezLwgizJ4dVsKMAY_DXM_wA@mail.gmail.com> <B314B571-A0E4-41B0-8F05-B89DA5A73113@ve7jtb.com>
In-Reply-To: <B314B571-A0E4-41B0-8F05-B89DA5A73113@ve7jtb.com>
From: William Denniss <wdenniss@google.com>
Date: Fri, 28 Aug 2015 20:58:09 +0000
Message-ID: <CAAP42hCmkqHEfZi_f-hCwMN2e0qn-4040-=jHcCHoeDVLONmaA@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Donghwan Kim <flowersinthesand@gmail.com>
Content-Type: multipart/alternative; boundary="001a1137688ce71039051e6557a2"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/hvWFlCULI7qZy2CymxjJbdHBzaM>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Lifetime of refresh token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2015 20:58:23 -0000

+1 for John's suggestion.

Why force users to re-authenticate after an arbitrary 30-day window?

On Fri, Aug 28, 2015 at 1:41 PM John Bradley <ve7jtb@ve7jtb.com> wrote:

> I would use a 5 min AT and roll the refresh token per
> https://tools.ietf.org/html/rfc6749#page-47 with a 1 month expiry if that
> is what you want for a inactivity timeout after which the user must
> authenticate again.   The user can always revoke the refresh token.
>
> Rolling the refresh token also has the advantage that if the token leaks
> or is stollen then you will detect the second use of the expired refresh
> token and invalidate both, so the user needs to loggin.
>
> In general I think rolling the refresh token is a good idea though it is
> not popular, I think it is more secure.
>
> John B.
>
>
>
> On Aug 28, 2015, at 11:21 AM, Donghwan Kim <flowersinthesand@gmail.com>
> wrote:
>
> I'm sorry to introduce a common topic.
>
> As John has suggested, I'm going to design that
>
> * An access token should be short lived e.g. 5 minutes (not to hit the AS
> to verify the token or 1 hour (to hit the AS to verify the token). I'm
> inclined to 5 minutes for stateless architecture of RSs.
> * A refresh token should have 1 month of expiration time by default. If it
> turns out that some access token expired, its refresh token should refresh
> the token. Then, so called persistent login can be implemented regardless
> of the form of authentication. Only if it fails for some reason e.g. token
> revocation or inactivity for 1 month, a user is logged out automatically
> and should log in again.
> * A refresh token should be able to be revoked somehow. With 5 minutes
> approach, it will invalidate only the refresh token (Yes the attacker can
> have 5 minutes at most), and with 1 hour approach, it will invalidate the
> refresh token as well as the corresponding access token.
>
> Thanks,
>
> -- Donghwan
>
> On Fri, Aug 28, 2015 at 5:43 PM, Torsten Lodderstedt <
> torsten@lodderstedt.net> wrote:
>
>> Refresh tokens are also used by public clients, e.g. native apps. OIDC
>> allows to acquire a new id token from a refresh token as well. Note: this
>> does not mean a fresh authentication but a refreshed id token containing
>> the data of the original authentication transaction.
>>
>> Am 24. August 2015 17:08:21 MESZ, schrieb John Bradley <ve7jtb@ve7jtb.com
>> >:
>>>
>>> I think Nat’s diagram about the problems of doing pseudo authentication
>>> with OAuth is being taken out of context.
>>>
>>> The refresh token dosen’t expire, it is revoked by the user or system.
>>> In some cases refresh tokens are automatically revoked if the users session
>>> to the AS ends.  I think AOL typically revokes refresh tokens when sessions
>>> terminate.
>>>
>>> OpenID Connect provides a separate id_token with a independent lifetime
>>> from the refresh token.  A client may keep a refresh token for a much
>>> longer time than the user has a login session with the AS.
>>>
>>> Refresh tokens are typically used by confidential clients that are using
>>> a client secret in combination with the refresh token for getting a new
>>> access token.
>>>
>>> By design access tokens should be short lived as the AS is expected to
>>> have a way of revoking refresh tokens but not access tokens.
>>> A access token that dosen't expire , and can’t be revoked is not a good
>>> idea.
>>>
>>> John B.
>>>
>>>
>>> On Aug 24, 2015, at 2:41 AM, Donghwan Kim <flowersinthesand@gmail.com>
>>> wrote:
>>>
>>> Hi,
>>>
>>> According to Figure 2 from
>>> http://tools.ietf.org/html/rfc6749#section-1.5, refresh token can be
>>> used to refresh an expired access token without requesting resource owner
>>> to sign in again (uncomfortable experience). However, if it's true, isn't
>>> it that refresh token might be used to request a new access token even
>>> years later? and then isn't refresh token the same with access token which
>>> never expires?
>>>
>>> I intended to use refresh token to implement persistent login by sending
>>> a refresh request before issued access token expires (expires_in runs out).
>>> But if refresh token works even if access token expired already, sending a
>>> refresh request on application start up would be enough.
>>>
>>> So I'm not sure what I'm missing about refresh token as well as how to
>>> implement persistent login using it (you can regard authentication here
>>> pseudo-authentication illustrated in
>>> https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg).
>>> What is the lifetime of refresh token?
>>>
>>> Thanks,
>>>
>>> -- Donghwan
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>> ------------------------------
>>>
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email