Re: [OAUTH-WG] RFC 7009 OAuth 2.0 Token Revocation //proposed change wrt to "default" revocation of refresh tokens
Torsten Lodderstedt <torsten@lodderstedt.net> Sun, 18 January 2015 15:31 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEF301B2A03 for <oauth@ietfa.amsl.com>; Sun, 18 Jan 2015 07:31:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.951
X-Spam-Level:
X-Spam-Status: No, score=-0.951 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, J_CHICKENPOX_32=0.6, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lnrd44sM3Ubt for <oauth@ietfa.amsl.com>; Sun, 18 Jan 2015 07:30:57 -0800 (PST)
Received: from smtprelay06.ispgateway.de (smtprelay06.ispgateway.de [80.67.31.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D24A71ACD8D for <oauth@ietf.org>; Sun, 18 Jan 2015 07:30:56 -0800 (PST)
Received: from [79.253.63.146] (helo=[192.168.71.100]) by smtprelay06.ispgateway.de with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.84) (envelope-from <torsten@lodderstedt.net>) id 1YCroU-0007O9-4l; Sun, 18 Jan 2015 16:30:54 +0100
Message-ID: <54BBD1AB.1030203@lodderstedt.net>
Date: Sun, 18 Jan 2015 16:30:51 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Amit Gupta <amit.gupta@insideview.com>
References: <EC5D50A28C853445B767C0962CAD45720F7F2132@DAGN10a-e6.exg6.exghost.com> <355AFCFE-64A7-4F7F-AA12-F57B291BE5F2@lodderstedt.net> <EC5D50A28C853445B767C0962CAD45720F7F24A1@DAGN10a-e6.exg6.exghost.com>
In-Reply-To: <EC5D50A28C853445B767C0962CAD45720F7F24A1@DAGN10a-e6.exg6.exghost.com>
Content-Type: multipart/alternative; boundary="------------070203000302040105010800"
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/kOUb5LLbm2k4XcOAORynNFMkD8g>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] RFC 7009 OAuth 2.0 Token Revocation //proposed change wrt to "default" revocation of refresh tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Jan 2015 15:31:02 -0000
Hi Amit, there are guidelines on format and process regarding Internet Drafts - see http://www.ietf.org/ietf-ftp/1id-guidelines.txt. You may submit an individual draft using the submission tool and mark it as relevant to the OAuth working group. To get an impression you may take a look at http://datatracker.ietf.org/wg/oauth/documents/. On the bottom of this page you find a couple of individual draft proposing additions to OAuth. best regards, Torsten. Am 18.01.2015 um 14:59 schrieb Amit Gupta: > > Hi Torsten, > > I get the point for a BCP around the revocation/validity of refresh > tokens. I’ll compile a documents for what we thought should be the > best practice around limiting the validity of refresh tokens (too many > of these were unused, and keeping them alive was both a security > liability, and performance overhead). Would I have to send the draft > to oauth@ietf.org <mailto:oauth@ietf.org>? or a specific working group > email? > > Thanks again for your response. > > -- > > Thanks > > Amit > > *From:*Torsten Lodderstedt [mailto:torsten@lodderstedt.net] > *Sent:* Sunday, January 18, 2015 2:11 PM > *To:* Amit Gupta > *Cc:* Justin Richer; sdronia@gmx.de; oauth@ietf.org; mscurtescu@google.com > *Subject:* Re: [OAUTH-WG] RFC 7009 OAuth 2.0 Token Revocation > //proposed change wrt to "default" revocation of refresh tokens > > Hi Amit, > > as far as I understand you are asking for a documentation of > guidelines for refresh token lifecycle management. Such guidlines are > not in scope for RFC 7009, as it only wants to add a request to the AS > to give the client an (interoperable) way to explicitly revoke tokens. > Tokens lifecycle (incl. expiration) and respective policies are at the > discretion of the AS. Those topics are intentionally left unspecified > by this and other OAuth RFC in order to not limit the design options > of AS implementations. Note for example that our (Deutsche Telekom's) > AS treats refresh token expiration differently then your > implementation. But thanks to RFC 7009, a client could revoke tokens > using the same code snippet at both ASs. > > Guidelines could be documented in an additional BCP (best current > practice) RFC. If you like, you can post an individual draft and ask > the WG to adopt it as WG document. > > Best regards, > > Torsten. > > > Am 16.01.2015 um 17:10 schrieb Amit Gupta <amit.gupta@insideview.com > <mailto:amit.gupta@insideview.com>>: > > The present rfc does not specify if the server should indefinitely > keep the refresh token functional for every token (except revoked > ones), and most refresh tokens are not used (due to authorize > workflow is triggered by clients for authentication and resource > access). > > Hence, I feel the rfc should provide guidance for the transparent > ways to limit validity of refresh tokens and what property/setting > should be used to automatically expire refresh tokens, and who > (between the server, client or uset) should be able to > specify/modify/see this property(s). > > In our implementation, the client can specify/modify this property > (or server to set default) to limit refresh tokens. Its not clear > if the user have visibility in number of refresh tokens before > consent (or a say in refresh token revocation). > -- > Thanks, > Amit Gupta > Software Security Architect, > InsideView Inc. > > Sent from my mobile device, > Please excuse spelling typos. > > On Jan 16, 2015 7:07 PM, Justin Richer <jricher@mit.edu > <mailto:jricher@mit.edu>> wrote: > > This seems to be more of an implementation of revocation and > handling refresh token lifetimes than anything that the spec > would talk about. In what's described below, it doesn't seem > that the client ever specifies the threshold, nor would the AS > desire the client to do so. This is all something that can > happen server-side, out of the view of the client. > > In other words, I don't (personally) see what would have to > change in the RFC for someone to implement this scheme. Can > you please clarify what I'm missing? > > -- Justin > > On 1/16/2015 3:39 AM, Amit Gupta wrote: > > Hi Torsten, Stefanie, Marius > > > > I wanted to suggest an addition to the token revocation rfc7009 to provide more clarity on how revocation of refresh tokens should be handled. I feel the rfc should, > > 1. Describe how the client/resource-owner can provide “standing instructions” to the OAuth server to revoke refresh tokens. > > 2. Describe the default way to for the OAuth server to define constrains for revocation of refresh token if this constrains are not specified by the client/resource owner. > > > > The way it could be handled is: > > 1. Store a Client level threshold (clt) of number of valid refresh tokens per “user-client” combination (and OAuth server can store the default value for clt, if undefined by the client or resource owner). > > 2. Keep the “time to live” for the access token reasonably small (few minutes to couple of hours). > > a. Revocation of active token removes the token ad the refresh token. > > b. When new tokens are generated, up to “clt” number of Refresh tokens is maintained by the OAuth server (the most recent refresh token over writes the clt^th refresh token for user-client combination). > > c. Revocation of inactive token removes the refresh token. > > > > We have implemented such a scheme for our OAuth server, whereby “clt” is set to five by default (if not specified in client the properties). Therefore, > > 1. Whenever a new token and refresh token is created, it overwrites the 5^th (clt=5) oldest refresh token (for clientId-userId combination). > > 2. Code grant tokens are only valid for 1 hour. When the token expires, refresh token is not removed. > > 3. When an “active” token is revoked, Token and it’s refresh token is also revoked. > > 4. When an “expired” token is revoked, only the corresponding refresh token is revoked. > > > > The above example explicitly specify how to handle revocation of refresh tokens when the client has not informed the OAuth server about how expiry of refresh tokens should be handled. This also allows clients to specify certain constrains (like default time to live for tokens, and client level threshold for number of refresh tokens to keep active for each client-user combination). > > > > Are you planning to update the RFC on the scheme to handle revocation of refresh token? If not, would you be willing to include the proposed changes to RFC7009? Please let me know. > > -- > > Thanks, > > Amit > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org <mailto:OAuth@ietf.org> > > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] RFC 7009 OAuth 2.0 Token Revocation //… Amit Gupta
- Re: [OAUTH-WG] RFC 7009 OAuth 2.0 Token Revocatio… Justin Richer
- Re: [OAUTH-WG] RFC 7009 OAuth 2.0 Token Revocatio… Amit Gupta
- Re: [OAUTH-WG] RFC 7009 OAuth 2.0 Token Revocatio… Torsten Lodderstedt
- Re: [OAUTH-WG] RFC 7009 OAuth 2.0 Token Revocatio… Amit Gupta
- Re: [OAUTH-WG] RFC 7009 OAuth 2.0 Token Revocatio… Torsten Lodderstedt