IETF Logo Mail Archive

Re: [OAUTH-WG] refresh tokens and client instances

John Bradley <ve7jtb@ve7jtb.com> Thu, 26 June 2014 00:54 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 694B61B2E7D for <oauth@ietfa.amsl.com>; Wed, 25 Jun 2014 17:54:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bheM7oTqKXjf for <oauth@ietfa.amsl.com>; Wed, 25 Jun 2014 17:54:35 -0700 (PDT)
Received: from mail-qg0-f49.google.com (mail-qg0-f49.google.com [209.85.192.49]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 083F41B2E73 for <oauth@ietf.org>; Wed, 25 Jun 2014 17:54:34 -0700 (PDT)
Received: by mail-qg0-f49.google.com with SMTP id f51so2388557qge.8 for <oauth@ietf.org>; Wed, 25 Jun 2014 17:54:34 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=7me3KtBldL12BEMQbeOinHXbJwgJBeiEPT8UT279m40=; b=WKJL0JJp8cPRYoXfrdxiX4e0yVRCG0VtnL/SRmXMe+d1aqtRtxsa2Yca/Sg/7dZr0g 6Kz2Akcm2dEQLvxzrDWUBklI6jbDCvowcQ7RlDK73bUJ5r+hBdzhEKAoZgrbTFZTLDH9 V/wtKhZozxsI7iIwXB0VPpea6uBTREPqOLK6+19KVVXkvkjsc+F9C1k56Qvh37l5Ypc8 OGEC+VIU24/19WqFy81PGzJipq1Ryo2bgb+fnUbmk18SlvB1AcumAOprTBlN9c2KSk2R y7Ax1pbwI7hEqLNOKqjmnE8lL+vPo/fwgQ0X9RVdm9Fg4jhJb9rv2daLZaLWnLHC3wSk NV3g==
X-Gm-Message-State: ALoCoQmI4Z7JiSf42ahRaSQw9VWaHM+rMumLPzXMIHYWNzetjXeA3VwRf018HraST+NAvwUCcfiy
X-Received: by 10.140.22.134 with SMTP id 6mr16073771qgn.4.1403744074058; Wed, 25 Jun 2014 17:54:34 -0700 (PDT)
Received: from [192.168.1.216] (186-79-202-60.baf.movistar.cl. [186.79.202.60]) by mx.google.com with ESMTPSA id a43sm3261634qge.8.2014.06.25.17.54.32 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 25 Jun 2014 17:54:33 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_8024B357-6600-43BC-9D93-88C3BED6D507"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <007a01cf90d2$7bdda950$7398fbf0$%nakhjiri@samsung.com>
Date: Wed, 25 Jun 2014 20:55:35 -0400
Message-Id: <0BA8278C-6856-4C9F-96C7-C5752F3F1E09@ve7jtb.com>
References: <007a01cf90d2$7bdda950$7398fbf0$%nakhjiri@samsung.com>
To: Madjid Nakhjiri <m.nakhjiri@samsung.com>
X-Mailer: Apple Mail (2.1878.2)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/iL1WBicbnDZKKc8ujOWKkZbcgC8
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] refresh tokens and client instances
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jun 2014 00:54:37 -0000

In 3.3 It is saying that the refresh token is a secret that the Authorization server has bound to the client_id, that the Authorization server effectively uses to differentiate between instances of that client_id.

When the refresh token is generated, it can be stored in a table with the client_id and the information about the grant.   You could also do it statelesly by creating a signed object as the refresh token. 
The spec is silent on the exact programming method that the Authorization server uses.

In 3.7 Deployment independent describes using the same client_id across multiple instances of a native client, or multiple instances of a Java Script client running in a browsers with the same callback uri.

Since the publishing of this RFC we have also developed a spec for dynamic client registration so it is possible to give every native client it's own client_id and secret making them confidential clients.

There is also a middle ground some people take by doing a proof of possession for code in native applications to prevent the interception of responses to the client by malicious applications on the device.
https://datatracker.ietf.org/doc/draft-sakimura-oauth-tcse/

John B.

On Jun 25, 2014, at 8:06 PM, Madjid Nakhjiri <m.nakhjiri@samsung.com> wrote:

> Hi all,
>  
> I am new to OAUTH list and OAUTH, so apologies if this is very off-topic.
>  
> I am evaluating an OAUTH 2.0 implementation that is done based on bare bone base OAUTH2.0 RFC. From what I understand, many (or some) client implementations use a “global ID/secret” pair for all instances of the client.  Looking at RFC 6819 and there seem to be a whole page on this topic, if I understand it correctly. So questions:
>  
> 1)      Section 3.7 talks about deployment-independent versus deployment specific client IDs. I am guessing “deployment-independent” refers to what I called “global”, meaning if I have the same client with the same client ID installed in many end devices, that is a deployment independent case, correct?
> 2)      Section 3.3 on refresh token mentions that the token is secret bound to the client ID and client instance. Could somebody please point me to where the token generation and binding is described? Also how is the client instance is identified?   
>  
> Thanks a lot in advance,
> Madjid Nakhjiri
>  
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email