Re: [OAUTH-WG] Lifetime of refresh token
William Denniss <wdenniss@google.com> Fri, 28 August 2015 20:58 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 063091A21C4 for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 13:58:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level:
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k4fkUJ0fQFP2 for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 13:58:19 -0700 (PDT)
Received: from mail-qg0-x229.google.com (mail-qg0-x229.google.com [IPv6:2607:f8b0:400d:c04::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAF331A005B for <oauth@ietf.org>; Fri, 28 Aug 2015 13:58:19 -0700 (PDT)
Received: by qgeh99 with SMTP id h99so38579262qge.0 for <oauth@ietf.org>; Fri, 28 Aug 2015 13:58:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-type; bh=bhYqTmgaxh3vtuuzqFbwqcnSNYHj0injYX2sGxbYNyA=; b=dYhavCKC4zhvP+HcHDrbGolYA93ewwIfF+0htTY+8Y/JOt14wdagyj67/xp7cXU0SZ nCXl6bsEHpDuiP4XXi4eUinr75uPxKnvfKvtBskUQmL1vgJjlm78Vli3GSsxzi7EJfq9 vxYZfM/12nOwt/RCrzxLQ5+h/JWxORpX4nVHzUEMR3Ps465G46jlRk8WULCIXO3ngq9L 9QSuQH5zGWLhof5PlGHkHfBi5D2RiOsNLs84aI/7cSMX6Xsr+QDvOFXGU9/ViASnpE7s /n0/LOfxAhIjuERdDQcts0LYJNG/NjATOKyOHPAWFTmjRDFV/rFQOm2SMTJLvK7Mtve9 l0aA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-type; bh=bhYqTmgaxh3vtuuzqFbwqcnSNYHj0injYX2sGxbYNyA=; b=Ymn5tZ3ULK0SBqA6I3jKnFw6xs3YrvWa57rpgX4x+jKE190/l7gJt5b7LzQvOHZgso Aew9+bGTiJxtm8RYsVCShcEH0p2T+31f3IznAh9x3i2+pc/VURtBrWJKvzxfr3cAeMeB +94lWdbFoVJJPL+i3RN5pbUlGGd0CmU+zohtRFqbmkxufBPCsTtwBZidelAFxKSp2IhA wiOiOpfU2npGmTEiiz1js+Atu/nLjJUYIbk9wAqIMeEGVlzlHs687fwoeTKq2i6G0BS9 LOimJqe+lTcWezjY5AH+j/qWGy8CtbumuNArE71t5UuBxqksyjFdCJtzIz+kEHmkdmyn h5Ag==
X-Gm-Message-State: ALoCoQneeARFTmIeA4VZ4kHEty8SRR7pWi9UZyToqq6BZJD+NnhswGQaHCsxIKtTGiQht1YZrtpF
X-Received: by 10.140.235.143 with SMTP id g137mr20202923qhc.102.1440795498824; Fri, 28 Aug 2015 13:58:18 -0700 (PDT)
MIME-Version: 1.0
References: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com> <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com> <C44C21E6-2559-4099-8B21-3544DE8965BD@lodderstedt.net> <CAMbDefsu0XAQvCR2+ako4PbsoKeezLwgizJ4dVsKMAY_DXM_wA@mail.gmail.com> <B314B571-A0E4-41B0-8F05-B89DA5A73113@ve7jtb.com>
In-Reply-To: <B314B571-A0E4-41B0-8F05-B89DA5A73113@ve7jtb.com>
From: William Denniss <wdenniss@google.com>
Date: Fri, 28 Aug 2015 20:58:09 +0000
Message-ID: <CAAP42hCmkqHEfZi_f-hCwMN2e0qn-4040-=jHcCHoeDVLONmaA@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Donghwan Kim <flowersinthesand@gmail.com>
Content-Type: multipart/alternative; boundary="001a1137688ce71039051e6557a2"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/hvWFlCULI7qZy2CymxjJbdHBzaM>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Lifetime of refresh token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2015 20:58:23 -0000
+1 for John's suggestion. Why force users to re-authenticate after an arbitrary 30-day window? On Fri, Aug 28, 2015 at 1:41 PM John Bradley <ve7jtb@ve7jtb.com> wrote: > I would use a 5 min AT and roll the refresh token per > https://tools.ietf.org/html/rfc6749#page-47 with a 1 month expiry if that > is what you want for a inactivity timeout after which the user must > authenticate again. The user can always revoke the refresh token. > > Rolling the refresh token also has the advantage that if the token leaks > or is stollen then you will detect the second use of the expired refresh > token and invalidate both, so the user needs to loggin. > > In general I think rolling the refresh token is a good idea though it is > not popular, I think it is more secure. > > John B. > > > > On Aug 28, 2015, at 11:21 AM, Donghwan Kim <flowersinthesand@gmail.com> > wrote: > > I'm sorry to introduce a common topic. > > As John has suggested, I'm going to design that > > * An access token should be short lived e.g. 5 minutes (not to hit the AS > to verify the token or 1 hour (to hit the AS to verify the token). I'm > inclined to 5 minutes for stateless architecture of RSs. > * A refresh token should have 1 month of expiration time by default. If it > turns out that some access token expired, its refresh token should refresh > the token. Then, so called persistent login can be implemented regardless > of the form of authentication. Only if it fails for some reason e.g. token > revocation or inactivity for 1 month, a user is logged out automatically > and should log in again. > * A refresh token should be able to be revoked somehow. With 5 minutes > approach, it will invalidate only the refresh token (Yes the attacker can > have 5 minutes at most), and with 1 hour approach, it will invalidate the > refresh token as well as the corresponding access token. > > Thanks, > > -- Donghwan > > On Fri, Aug 28, 2015 at 5:43 PM, Torsten Lodderstedt < > torsten@lodderstedt.net> wrote: > >> Refresh tokens are also used by public clients, e.g. native apps. OIDC >> allows to acquire a new id token from a refresh token as well. Note: this >> does not mean a fresh authentication but a refreshed id token containing >> the data of the original authentication transaction. >> >> Am 24. August 2015 17:08:21 MESZ, schrieb John Bradley <ve7jtb@ve7jtb.com >> >: >>> >>> I think Nat’s diagram about the problems of doing pseudo authentication >>> with OAuth is being taken out of context. >>> >>> The refresh token dosen’t expire, it is revoked by the user or system. >>> In some cases refresh tokens are automatically revoked if the users session >>> to the AS ends. I think AOL typically revokes refresh tokens when sessions >>> terminate. >>> >>> OpenID Connect provides a separate id_token with a independent lifetime >>> from the refresh token. A client may keep a refresh token for a much >>> longer time than the user has a login session with the AS. >>> >>> Refresh tokens are typically used by confidential clients that are using >>> a client secret in combination with the refresh token for getting a new >>> access token. >>> >>> By design access tokens should be short lived as the AS is expected to >>> have a way of revoking refresh tokens but not access tokens. >>> A access token that dosen't expire , and can’t be revoked is not a good >>> idea. >>> >>> John B. >>> >>> >>> On Aug 24, 2015, at 2:41 AM, Donghwan Kim <flowersinthesand@gmail.com> >>> wrote: >>> >>> Hi, >>> >>> According to Figure 2 from >>> http://tools.ietf.org/html/rfc6749#section-1.5, refresh token can be >>> used to refresh an expired access token without requesting resource owner >>> to sign in again (uncomfortable experience). However, if it's true, isn't >>> it that refresh token might be used to request a new access token even >>> years later? and then isn't refresh token the same with access token which >>> never expires? >>> >>> I intended to use refresh token to implement persistent login by sending >>> a refresh request before issued access token expires (expires_in runs out). >>> But if refresh token works even if access token expired already, sending a >>> refresh request on application start up would be enough. >>> >>> So I'm not sure what I'm missing about refresh token as well as how to >>> implement persistent login using it (you can regard authentication here >>> pseudo-authentication illustrated in >>> https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg). >>> What is the lifetime of refresh token? >>> >>> Thanks, >>> >>> -- Donghwan >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> >>> ------------------------------ >>> >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Lifetime of refresh token Donghwan Kim
- Re: [OAUTH-WG] Lifetime of refresh token Justin Richer
- Re: [OAUTH-WG] Lifetime of refresh token John Bradley
- Re: [OAUTH-WG] Lifetime of refresh token Jim Manico
- Re: [OAUTH-WG] Lifetime of refresh token Bill Mills
- Re: [OAUTH-WG] Lifetime of refresh token Torsten Lodderstedt
- Re: [OAUTH-WG] Lifetime of refresh token Donghwan Kim
- Re: [OAUTH-WG] Lifetime of refresh token Bill Mills
- Re: [OAUTH-WG] Lifetime of refresh token Justin Richer
- Re: [OAUTH-WG] Lifetime of refresh token John Bradley
- Re: [OAUTH-WG] Lifetime of refresh token William Denniss
- Re: [OAUTH-WG] Lifetime of refresh token Jim Manico
- Re: [OAUTH-WG] Lifetime of refresh token Jim Manico
- Re: [OAUTH-WG] Lifetime of refresh token Jim Manico
- Re: [OAUTH-WG] Lifetime of refresh token Donghwan Kim
- Re: [OAUTH-WG] Lifetime of refresh token Nat Sakimura