Re: [OAUTH-WG] Refresh token security considerations
Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 12 July 2011 07:53 UTC
Why?

"William J. Mills" <wmills@yahoo-inc.com> wrote:

> I agree that this is something you could do, but it doesn't seem like a good design pattern.
>
> _____________________________________________
> From: Torsten Lodderstedt <torsten@lodderstedt.net>
> To: Eran Hammer-Lahav <eran@hueniverse.com>; OAuth WG <oauth@ietf.org>
> Sent: Sunday, July 10, 2011 1:21 AM
> Subject: Re: [OAUTH-WG] Refresh token security considerations
>
>> Replacement of the refresh token with every access token refresh is an example. The authz server creates and returns a new refresh token value with every access token refreshment. The old value is invalidated and must not be used any further.
>>
>> Note: The authz server keeps track of all old (invalidated) refresh tokens. If a client presents one of those old refresh tokens, the legitimate client has most likely been compromised. The authz then revokes the refresh token and the associated access authorization.
>>
>> regards,
>> Torsten.
>>
>> Eran Hammer-Lahav <eran@hueniverse.com> wrote:
>>
>>> “the authorization server SHOULD deploy other means to detect refresh token abuse”
>>>
>>> This requires an example.
>>>
>>> EHL
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
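The rotation-and-replay-detection scheme Torsten describes above, as an added example that is not part of the original thread: a constructed, in-memory authorization server that issues a fresh refresh token on every refresh, keeps every old value indexed, and revokes the whole grant when an invalidated token is presented. The class and method names (AuthorizationServer, Grant, issue_grant, refresh) and the status strings are assumptions of this example, not anything from the thread or from any OAuth implementation.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    """One access authorization (the thing a refresh token stands for)."""
    grant_id: str
    current_refresh_token: str
    revoked: bool = False


class AuthorizationServer:
    """Constructed example of refresh token rotation with replay detection."""

    def __init__(self):
        self.grants = {}       # grant_id -> Grant
        self.token_index = {}  # every refresh token ever issued (current or old) -> grant_id

    def _rotate(self, grant):
        """Issue a new refresh token; the old value stays indexed so replays are recognised."""
        token = secrets.token_urlsafe(32)
        grant.current_refresh_token = token
        self.token_index[token] = grant.grant_id
        return token

    def issue_grant(self):
        """Initial authorization: returns (grant_id, refresh_token)."""
        grant = Grant(secrets.token_urlsafe(8), "")
        self.grants[grant.grant_id] = grant
        return grant.grant_id, self._rotate(grant)

    def refresh(self, presented):
        """Token endpoint refresh. Returns (status, access_token, new_refresh_token)."""
        grant_id = self.token_index.get(presented)
        if grant_id is None or self.grants[grant_id].revoked:
            # Unknown token, or a grant already revoked: plain rejection.
            return "invalid_grant", None, None
        grant = self.grants[grant_id]
        if presented != grant.current_refresh_token:
            # An invalidated token was replayed, so a second party holds a copy.
            # Revoke the whole grant rather than just rejecting this one call.
            grant.revoked = True
            return "reuse_detected", None, None
        access_token = secrets.token_urlsafe(16)
        return "ok", access_token, self._rotate(grant)
```

Note the cost of the pattern: if the response to a legitimate refresh is lost in transit, the honest client is left holding only the old token, and its next attempt triggers the same revocation.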